Well, what are data brokers? They are organizations that know your phone number, political affiliations, and dating preferences. They also know when you move houses, start a new job, and get a divorce.
Data brokers are companies that sell your personal information to complete strangers.
According to estimates from a few years ago, there are at least 4,000 data brokers in operation today. Some well-known data brokers include Equifax, LexisNexis, and Oracle.
In 2020, Acxiom, one of the largest data brokers, had information on more than 250 million people and about 167 million households in the U.S. These numbers have undoubtedly increased since.
An average data broker possesses about 1,500 data points about a single individual, everything from their name and home address to family member information and net worth.
It’s surprisingly easy for an individual or organization to buy access to this data.
Several years ago, researcher Joanna Moll bought 1 million online dating profiles for less than $150 from the data broker USDate. The profiles included almost 5 million photos and personal information like email addresses, usernames, sexual orientation, physical characteristics, and even personality traits.
Speaking to the Financial Times, Moll said that the whole process “was like buying a T-shirt on Amazon, and you can buy it anywhere in the world.”
The good news is that many data brokers give you the option to opt out of being included in their databases.
We discuss the exact processes for doing that below.
But first, what exactly are data brokers, where do they get your data, and what do they know about you? Perhaps most importantly, are they even legal? Read on to find out.
What are Data Brokers?
Data brokers (sometimes also called “information brokers”) are companies that aggregate personally identifiable information from various sources to create individual profiles or listings.
They then sell these profiles to third parties, including advertisers, marketers, insurance companies, data mining corporations, financial institutions, government agencies, political consultants, etc.
Some data brokers screen and monitor the individuals or organizations buying data from them.
For example, they may request to meet or speak with clients or ask them to fill out a credentialing questionnaire. However, few data brokers review how their clients use their products after the transaction is completed.
According to the Federal Trade Commission, depending on the type of data they collect and sell, data brokers typically fall within one of three categories:
- People search sites.
- Marketing data brokers
- Risk mitigation data brokers.
Let’s take a quick look at each one in turn.
People search sites
People search sites make it possible for individuals to find and connect with lost friends.
As long as you know someone’s name (or other personal information, like a phone number or email address), you can quickly find more details about them using a people search site.
Sometimes, you might be able to access that information for free. Other times, you may need to pay a small fee.
People search sites don’t usually screen or monitor their clients. This means people can use them for more nefarious purposes, like finding information about someone to steal their identity or stalking/doxxing.
Examples of people search sites include PeopleFinders, Intelius, and Spokeo.
Marketing data brokers
Marketing data brokers develop detailed consumer profiles to help other companies sell to customers.
Thanks to these data brokers, businesses can buy information about their customers’ interests, habits, and past purchases for marketing purposes.
Risk mitigation data brokers
Risk mitigation data brokers help organizations verify identities and detect fraud.
For example, a lender might use a risk mitigation data broker to ensure that a person looking to open an account with them is indeed who they say they are.
The Problem with Data Brokers
Data brokers are not all bad. In fact, consumers can benefit from some of the purposes that data brokers collect their information for, like preventing fraud.
At the same time, data brokers increase certain risks for consumers. They also violate people’s privacy.
Most individuals are unaware that the personal data they share in their day-to-day lives (for example, when visiting a website, voting, shopping at a grocery store, using a mobile phone, or posting on a forum) is being harvested and sold by third parties for profit.
“None of these people know that their records have been procured and sold, and that their privacy has been invaded. They did not have the opportunity to consent to this activity.” – Hon. Ed Whitfield.
Although some data brokers claim that the sensitive data they collect, store and sell is anonymized, studies show that de-anonymizing data is scarily easy.
Due to a lack of regulation, there’s no way to know where our personal data ends up or who uses it. This can lead to individuals being unintentionally harmed because their data is available through data brokers.
For example, information on a data broker website could lead to someone being rejected for a job or mortgage without them knowing why or understanding how to make sure this doesn’t happen again.
Data brokers can’t usually control how the data they share or sell to third parties ends up being used.
Another risk is that due to the amount of personal data they collect and store, data brokers are likely to get hacked or inadvertently expose people’s personal information.
This has happened before. Just a few years ago, Social Data, a data broker that scraped public social media profiles of companies, accidentally exposed 235 million social media accounts.
Acxiom, Epsilon, and Experian have been hacked.
As the information security professional Daniel Miessler wrote a few years ago, “most people falsely believe that the real danger to their privacy comes from hackers in basements, when it actually comes from big companies with parking lots, coffee budgets, and health benefits for their employees.”
The Impact of the Data Brokerage Industry On Business Cybersecurity
The information on data brokers and people search sites also carries risks for businesses, whether in the form of executive threats or cybersecurity risks.
Due to their position within a company, executives are often targeted by activists, disgruntled ex-employees, unhappy customers, and other bad actors.
It’s not unusual for executives to be subject to risks like harassment, doxxing, stalking, reputational attacks, and identity theft.
Whereas in the past, bad actors might have had to go to significant lengths to find out an executive’s email address or where they lived, today, this information is easily findable online. This is thanks to the numerous data brokers and people search sites out there.
We often find a higher degree of PII exposure for C-level executives (between 15% and 25%) compared to the average employee.
That being said, other high-profile employees and board members, as well as high-risk professionals (law enforcement, journalists, etc.), are at an increased risk of personalized attacks from malicious individuals, as well.
The personal data that exists about employees and executives on the open web can fuel cyber threats like social engineering and make attack techniques like credential stuffing easier.
For example, if a threat actor can personalize a phishing email to a specific employee, their success rate will be much higher than if they were to send a generic message.
Learn more: OSINT: how cybercriminals use open source intelligence for social engineering
We know from ContiLeaks that ransomware groups use data brokers to find targets to spearphish and contacts they can “name drop” within emails to make them seem more believable.
Similarly, if a hacker knows enough information about an employee, they can more easily guess passwords and security questions for professional and even personal accounts (from which they can leapfrog into corporate networks).
Learn more: The link between weak passwords, data breaches, and data brokers
Having multi-factor authentication (MFA) won’t necessarily keep bad actors out. Many MFA solutions can be circumvented via SIM swap or phishing attacks, as we’ve seen with Uber.
Who Uses Data Brokers?
It’s not just marketers who want to better tailor their ads or long-lost friends who want to reconnect that use data brokers and people finder sites.
Other groups and people that use data brokers include:
- Law enforcement agencies
- Educational institutions and financial aid providers
- Foreign governments/domestic terror organizations
- Identity thieves
- Insurance agencies
- Credit card companies
- Scammers and other criminals.
Even tech giants like Facebook and Google use data brokers (or at least were data brokers’ customers in the past).
How Do Data Brokers Get Data?
Data brokers use public records, commercial sources, and online tracking data to gather data about individuals.
Public records include census records, real estate records, DMVs, marriage certificate records, bankruptcy records, business listings, state professional and recreational license records, and voter registration records.
Commercial sources generally include purchase history from retailers, employment registration, credit information, membership data, loyalty card data, warranty registration, and subscriptions.
Online tracking data includes user data from social media profiles, web browser cookies, forum posts, mobile apps, web browsing activity, device data, metadata, and IP fingerprints.
Most of these sources provide only one or two data elements (i.e., a name or phone number) for any individual person. But by piecing them together and guessing the rest, data brokers can build a comprehensive picture of who you are.
For example, data brokers can guess whether you have any health conditions based on what you buy or search for online.
The majority of data brokers also obtain information from one another.
What Do Data Brokers Know About You?
Data brokers know a lot about you, including your:
- Phone number
- Sexual orientation
- Education level
- Net worth
- Marital status
- Presence of children
- Political affiliations.
They may also know your medical history, interests, dating preferences, credit-driven data, real-time location data, Social Security number, and significant life events such as births, divorce, and deaths.
Many data brokers also put people into specific categories.
For example, if you have a dog, you might be placed within a “Dog Owner” category. If you’re a single man over the age of 66 with a low educational level, you may be classed as “Rural Everlasting.”
Other categories include “Libertarian Voters,” “Seasonal Donors with Deep Pockets,” and “Conservative Investors with IRA’s and 401s.”
Learn more: What exactly do data brokers know about you?
Some categories used by data brokers, such as “Cholesterol Focus,” “Erectile Dysfunction Sufferers,” “Rape Sufferers,” and “Police Officers and Troopers at Home,” are incredibly sensitive and have been referred to as highly problematic in testimony to US Congress.
Other data broker categories characterize individuals’ economic status. For example, the category “American Royalty” is described by Experian as “[w]ealthy, influential and successful couples and families living in prestigious suburbs.’’
There’s also “X-tra Needy,” “Meager Metro Means,” and “Small Town Shallow Pockets.”
Here’s the thing, though: some of the information data brokers host is false. That’s because data broker data sets are made up of two kinds of data:
- Observed data. Genuine information about an individual.
- Inferred data. Information that is deduced from observed data. For example, if you visit a website about treating high cholesterol, a data broker might assume that you suffer from high cholesterol, even though you might have looked up the information for a friend or family member.
Since it’s hard to tell what information in a data broker profile is observed and what data is inferred, this can lead to potentially negative outcomes for individuals.
Incorrect information on data broker websites can cause real harm to individuals.
Here are some real-world examples:
In 2011, a man named Thomas Robins took the people search site Spokeo to court because the data they had on him was erroneous.
Spokeo claimed that Robins was in his 50s, married with children, and working in a professional or technical field. As a result, Robins, who was out of employment at the time, might have missed job opportunities. Robins said Spokeo should have double-checked that the information about him was correct before selling it to third parties.
In another example, a man known as Jesse T. had his mugshot posted on mugshots.com, a site that publicizes arrest information, even though he was never charged with a crime.
Unsurprisingly, he found it incredibly difficult to find a job.
According to the NATO Strategic Communications Center of Excellence, just 50-60% of data broker information is accurate. But very few data brokers allow individuals to correct inaccurate information.
Are Data Brokers Legal?
Most people have no idea that the data broker industry exists, let alone that data brokers are selling their personal information. However, that doesn’t make data brokerage illegal.
Because the information data brokers trade-in is publicly available, they’re not technically breaking the law.
Some states have passed legislation that restricts data brokers. Both California and Vermont now regulate data brokers and require that they register with the state.
Vermont’s data broker privacy law (enacted in 2018, the first such law in the country) stipulates that data brokers must maintain minimum data security standards and be more transparent about the type of data they collect.
It also prohibits anyone from buying brokered personal data through fraudulent means or with the goal of fraud, harassment, stalking, or discrimination.
Similarly, the California Consumer Privacy Act sets down that consumers have the right to know what information is being collected about them and to whom it’s being sold to. Under this law, individuals have the right to opt-out or have their data deleted. The law also prohibits selling data about users under 16 years old.
Some state laws also prohibit the use of particular information, like voter registration records, for non-election and/or commercial purposes.
There’s no federal law protecting consumers’ right to control how information about them is being bought and sold.
However, federal regulations protect certain sensitive data:
- The Health Insurance Portability and Accountability Act (HIPAA) protects your conversations with your doctor and your medical records.
- The federal Driver’s Privacy Protection Act (DPPA) forbids the disclosure of motor vehicle and driving record information, except for specific purposes, like insurance, fraud detection, and law enforcement.
Similarly, the Fair Credit Reporting Act (FCRA) applies to data brokers that sell consumer data to third parties that use it for particular, enumerated eligibility decisions, including employment and credit.
In the European Union, there’s the General Data Protection Regulation (GDPR), a data privacy law that affects any organization collecting consumer information.
The GDPR stipulates that consumers must consent before their data is collected. Under the GDPR, consumers also have the right to ask organizations to delete any information organizations might have about them.
How Can You Remove Your Data From Data Brokers?
Some (but not all) data brokers and people search sites allow people to opt out of their databases.
Opt out of data brokers yourself
You can opt out of data brokers yourself. Just be prepared to invest a lot of time in the process.
Data brokers don’t make opting out easy. To remove your profile from a people finder site or data broker database, you might have to:
- Fill out a lengthy online form.
- Make your request via the phone.
- Send an email.
- Send information by mail.
- Submit your request several times.
However, not all sites give users an option to opt out.
Some data brokers allow you to control your information but not delete it. And those that supposedly give you the option to opt out don’t always honor your request.
Learn more: Our comprehensive data broker opt-out guide
Some data brokers also request that you submit personally identifiable information before they remove you from their database.
This can deter some people from requesting an opt-out. That’s particularly true if the service seems sketchy — you don’t want to give them any more personal information than they already have.
Opting out is not a one-time thing, either. In most cases, you can’t just opt out of a data broker site once.
To stay off data broker sites, you must repeat the opt-out process every few months. Because most data collection processes are automated, your profile will reappear as soon as the data broker receives information from another source.
When opting out, it’s important that you provide all possible variations of your name. As pointed out by the FTC, if a “Jonathan Doe” doesn’t also submit a removal request for his shortened name “Jon Doe,” then his personal information will still likely be findable via data brokers.
Another thing to note is that just because you opt out of a data broker doesn’t mean all traces of you will disappear from their database.
Your name and other information might still appear in another person’s records (for example, your spouse, parent, etc.) For this reason, it’s a good idea to take the time to opt out family members from data broker sources too.
Professional data broker removal services
If you’re stuck for time but want the peace of mind that comes with having your personal information off of data brokers and people search sites, you can enlist the help of a professional opt-out service.
There are several data broker removal services to choose from. Some specialize in data broker removal, while others offer data removal as part of a larger offering (for example, online reputation).
Learn more: Best companies and tools to remove personal information from the internet
When choosing a data broker removal service, check their:
- Service availability. Does the service do removals for individuals based in the US only, or do they also cover other countries? Depending on where you live, this can be very important.
- Data removal scope. What kind of personal information does the service remove from data broker sources? And do they cover the biggest data brokers that show up on the first page of Google?
- Company track record. Has the service been around long? What kind of reviews do they get? What’s their Better Business Bureau rating?
- Customer support. If you need help quickly, how easy are they to reach?
- Pricing and plans. How much does the service charge for personal data removal? Do they have family and business plans?
How to Stop Data Brokers from Collecting and Selling Your Data
Because data brokers collect data from numerous online and offline sources, it is impossible to completely stop them from collecting your personal information.
That being said, there are certain steps you can take to reduce your digital footprint and minimize the amount of information data brokers can find about you.
- Not oversharing on social media, online forums, blogs, and other online spaces.
- Using a private web browser.
- Ditching Google for a privacy-focused search engine.
- Uninstalling any apps you don’t actively use on your phone.
- Thinking twice before you sign up for a loyalty program.
Data brokers are a threat to our privacy, but we are not totally helpless against them. By opting out of their databases and being mindful of how and where we share our data, we can significantly improve our privacy.