Incognito — July 2025: Data Brokers Aren’t Registering and Your Data Could Be Exposed

Welcome to the July 2025 issue of Incognito, your monthly dive into privacy and security with DeleteMe.

This month: 

• DeleteMe News: Wirecutter top pick and a new podcast!
• Hundreds of data broker companies skipped state registrations, even though it’s the law. 
• Must-reads, including an investigation into an airline data broker selling over 1 billion passenger records to Customs and Border Patrol and ICE.
• Q&A: What does “military-grade” encryption really mean? 

DeleteMe News…

And the Winner Is…DeleteMe!

The New York Times Wirecutter has named DeleteMe their Top Pick for Data Removal Services!

Read the NYT Wirecutter story featuring DeleteMe’s big win here. 

DeleteMe Has a Podcast!

Episode 209 of “What the Hack?” takes a deep dive into a secret army of cybercriminals funding North Korea’s nuclear ambitions. Listen here.

Have a true cybercrime story or privacy nightmare you want to tell? Get in touch with the pod’s host at wth@joindeleteme.com.

Does Your State Require Data Brokers to Register? 

Not unless you live in California, Texas, Oregon, or Vermont. Only these four require data brokers to annually register and publicly disclose their data collection practices.

If you live in one of these states, you can (in theory) visit your state’s online data broker registry to see which companies claim to have your data, and find instructions for opting out. But here’s the reality: Data broker registries are not working. 

A (Very) Slow Roll to Sign Up

Are data brokers ignoring registration rules? That certainly seems to be the case. 

A joint investigation by the Electronic Frontier Foundation (EFF) and Privacy Rights Clearinghouse found hundreds of brokers registered in at least one state’s registry, only to vanish from the lists of the remaining three.

The breakdown of companies missing from each state’s registry is alarming:

• Texas: 524 brokers registered elsewhere did not appear on the Texas list.
• Oregon: 475 were absent from the Oregon registry.
• Vermont: 309 went unregistered.
• California: 291 missing entries.

And these figures only account for brokers who registered in at least one state. They don’t even begin to cover the brokers who haven’t registered anywhere. For example, California only has about half the estimated data brokers on its registry, with a 4% bump in compliant brokers in the past two years.

What’s Keeping Data Brokers Off the List? 

Why are data brokers so reluctant to register? It’s not always malicious, but the outcomes are still concerning:

• Varying definitions: Each state defines “data broker” slightly differently, creating loopholes.
• Business model shifts: Some companies claim they’ve “pivoted” away from being pure data brokers, even if they still handle massive amounts of personal data.
• Spotty enforcement: States often lack the resources to audit hundreds of companies, and data brokers know it. This means many don’t bother to register because the risk of consequences is low.

While states are slowly taking action (such as Texas fining six brokers $100 a day for non-registration and California banning one for three years), progress is slow.

Why This Hurts Your Privacy

Data brokers collect your purchases, browsing history, and social connections, and sell this detailed dossier about you to marketing companies, landlords, insurers, employers, and other interested parties, including potentially threat actors (A.K.A. criminals). 

Without a data broker registry:

• You can’t see which companies may have your data. 
• You can’t act (opt out, delete, correct) without a hassle.
• You can’t trust that states are enforcing their own privacy laws.

Simply put: Non-registration is a big problem. 

Registration Isn’t Enough

Requiring brokers to identify themselves is a crucial first step, but it doesn’t solve the underlying privacy abuses. 

As privacy expert Justin Sherman told CyberScoop last year, “Making transparency and self‑regulation the biggest focal points are data broker lobbying strategies to keep the burden on consumers.” 

Without stronger enforcement, clearer definitions, and more robust consumer rights, too many data brokers will continue trading in our data, leaving our privacy at risk.

What Can You Do To Fight Back?

Minimize the amount of information that data brokers can collect about you.

This is easier said than done, of course. Our data moves constantly, so what was private just ten minutes ago can pop up on a data broker site or a marketing list, which is why you should do what you can to minimize what’s available.

• Opt out of tracking cookies.
• Use ad blockers.
• Enable privacy settings on all your connected devices.
• Turn on browser privacy signals whenever possible, such as the Global Privacy Control (GPC). 
• Consider using a VPN.

And of course, it’s a great idea to use a service like DeleteMe. 

The next best thing you can do is advocate for stronger privacy protections:

• Support privacy advocates. Donate to or volunteer with groups like the Electronic Frontier Foundation, Privacy Rights Clearinghouse, or local consumer‑rights organizations.
  
• Contact your representatives. Privacy is a bipartisan issue. Urge your representatives to back bills that strengthen data broker transparency and empower enforcement agencies.
  
• Raise awareness. Share news stories or host community workshops so that your friends and neighbors understand what data brokers are and how they impact our collective privacy. 

Share Your DeleteMe Love!

We’re creating customer testimonial videos about the impact of privacy protection and would love to feature your story.

We Want to Hear:

• Why you chose DeleteMe.
• How DeleteMe protects your data.
• The benefits and peace of mind you’ve gained.

Interested?

Email marketing@joindeleteme.com. If selected, we’ll schedule a 30-45 minute video call. Your story helps others protect their privacy! You may be compensated for your time.

We’d Love to Hear from You!

Do you have any privacy stories you’d like to share, or ideas for what you’d like to see in Incognito going forward? We’d love to hear them!

Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s also keen to hear any feedback you have about this newsletter.

Recommended Reads

Murder Suspect Used Data Brokers to Stalk and Target Minnesota Lawmakers

An FBI affidavit revealed that the individual accused of murdering Rep. Melissa Hortman and her husband possessed a list of 11 data broker sites, complete with pricing and data requirements, and had gathered information on over 45 officials. Experts are calling this the first definitive link between readily available brokered data and the targeted killing of public officials.

Airline Data Broker Sold 1B+ Passenger Records to CBP and ICE

An investigation by 404 Media reported that the Airlines Reporting Corporation, a data broker owned by major carriers, sold over a billion domestic travel records—including names, itineraries, and payment details—to CBP and ICE. The broker obscured its involvement, effectively enabling law enforcement to bypass Fourth Amendment warrant requirements.

Nebraska Sues GM & OnStar Over Secret Driving Data Sales

Nebraska’s Attorney General is suing General Motors and OnStar, accusing them of secretly collecting and selling Nebraskans’ driving data via in-car telematics systems without proper disclosure or consent. The lawsuit alleges that GM misled buyers into OnStar enrollment, incentivized dealer sign-ups, and sold “driving scores” to insurers. The state is seeking fines, restitution, and an injunction.

Texas Amends Data Broker Rule

Effective September 1, 2025, Texas expands the definition of “data broker” to nearly any company that handles personal data that wasn’t collected directly, but only entities earning more than 50% of their revenue (or more than $50,000 from data not collected directly from individuals) have to register with the state. Registered brokers will be required to post clear notices explaining how consumers can exercise their Texas privacy rights.

You Asked, We Answered

Q: Cars apparently collect a lot of data about us, but how do they do it? And for what? 

A: Great question.

We’ve touched on this briefly before when another Incognito reader asked us about car privacy, and at length on our podcast, “What the Hack?”. While there are privacy policies, they stink. 

There are several ways cars collect information about drivers. 

The three main ones, according to The Surveillance Technology Project (S.T.O.P.), are the following:

• Event Data Recorders (“black boxes”) capture and locally store a rolling thirty-second window of vehicle and driver information around a crash (such as speed, braking, and seat-belt use). Due to limited storage, black boxes continuously overwrite their memory until an abrupt “event” (such as rapid deceleration) occurs, which is when they store those final data points for recovery. 
• Telematics modules are onboard modems that continuously transmit rich diagnostics (including fault codes and fuel usage), precise location, and driving habit data (such as speed), and even biometric inputs (which may include facial measurements and weight) to automakers, insurers, and telematics companies. 
• Infotainment systems locally store everything a connected smartphone does in the car (such as calls, texts, social media, navigation history, and voice commands). This data may be shared with vehicle manufacturers, infotainment providers, rental companies, and app companies in accordance with their business policies. Deleting this data fully is very difficult. 

As for why this data is collected… There are many reasons, including totally legitimate ones (from the perspective of a consumer interested in privacy), like supporting in-vehicle services used by the car owner and helping emergency responders respond more quickly. 

And then there are the less legitimate reasons, such as selling your data to data brokers who create “risk profiles”. The Mozilla Foundation has an interesting article on this.

As the Mozilla Foundation says, it’s really hard to know who a car manufacturer shares data with because their privacy policies are so vague. 

Q: Security and privacy products often advertise their “military-grade encryption” as a selling point. What is military grade encryption? 

A: It’s mostly used as a marketing term.

When companies advertise “military-grade encryption,” they’re hoping you’ll think of top-level security. 

Usually, it means that the company uses Advanced Encryption Standard (AES) with a 256-bit key length, known as AES-256.

This encryption standard was established by the U.S. National Institute of Standards and Technology (NIST) in 2001 and is widely used by government, military, and commercial organizations to protect sensitive data.

The term “military-grade” comes from the fact that AES-256 is approved by the U.S. government for protecting “Top Secret” classified information, while AES-128 is used for unclassified or less sensitive data.

Calling it “military-grade” doesn’t change the fact that it’s a commercial standard anyone can implement.

The real test is whether the provider uses a proven algorithm and backs it up with proper implementation, certification, and audits.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.