What the FTC's 2024 Data Broker Report Means for Consumers
The FTC's 2024 report on data brokers found that 9 companies held over 3 billion records including health conditions, financial vulnerability data, and inferred sensitive attributes. This guide covers the findings, what has changed since, and practical steps for consumers.
In January 2024, the Federal Trade Commission released "Data Brokers in an Interconnected World: On the Margins of Consent and Competition" — a comprehensive report on the data broker industry based on compulsory orders sent to nine major data brokers requiring them to disclose their collection, sale, and use practices. The report's findings are disturbing and actionable. This guide covers what the FTC found and what it means for your personal privacy.
What the FTC's 2024 Report Found
The FTC ordered nine data brokers to provide detailed information about their operations. While the companies are identified only generically in the report to protect business confidentiality, the aggregate findings reveal the scale of the industry:
Scale of Collection
The nine companies in the study collectively held more than 3 billion data records on US and international individuals — an average of nearly 340 million records per company. These records included:
- Names and addresses
- Phone numbers and email addresses
- Social Security Numbers (partially or fully)
- Financial information — income, net worth, debt levels
- Medical and health conditions
- Location data — real-time and historical
- Sensitive demographic information — religion, political affiliation, race and ethnicity
- Behavioral data — purchasing history, web browsing, app usage
The Sale of Sensitive Data
The FTC found that data brokers are selling data categories that most Americans assume are private:
Health and medical data: Information about specific medical conditions — depression, anxiety, HIV status, pregnancy, cancer diagnosis — is being sold to marketers, insurance companies, and other buyers.
Financial vulnerability data: Lists of consumers with financial distress signals — low credit scores, recent missed payments, significant debt — are sold as targeting lists for predatory financial products.
Location data: Historical location data showing everywhere a person went over months or years is being sold for purposes ranging from advertising to background checks.
Inferred sensitive attributes: Even when brokers do not directly possess sensitive data, they infer it — inferring religion from shopping patterns, inferring political affiliation from media consumption, inferring health conditions from search behavior.
The Problem of "Public Records" as a Privacy Shield
The FTC report specifically criticized the industry's reliance on "public records" as a justification for data collection. The report notes:
"The 'public record' label does not resolve the privacy calculus. The combination of multiple public records to create a comprehensive profile reveals information that no individual public record discloses."
This is the aggregation problem: a voter registration record is public. A property record is public. A court filing is public. But the combination of these records — plus commercial behavioral data — creates a profile far more invasive than any individual source.
Lack of Consumer Notice and Control
The report found that most consumers have no idea that data brokers have compiled detailed profiles on them, and that opt-out mechanisms are:
- Difficult to find
- Require individual requests to dozens of separate companies
- Often don't work in practice (data reappears after removal)
- Don't cover all data types collected
The FTC's Recommendations
The FTC's 2024 report made several recommendations to Congress:
Federal data broker registry: A mandatory federal registry of all data brokers operating in the US, similar to California's state-level registry.
Universal opt-out mechanism: A single mechanism allowing consumers to opt out of all registered data brokers simultaneously (analogous to California's planned DROP platform).
Sensitive data restrictions: Prohibitions on selling health, financial vulnerability, and location data without meaningful consumer consent.
Private right of action: Allowing consumers to sue data brokers directly for violations without waiting for FTC enforcement.
As of June 2026, none of these recommendations have been enacted into federal law. The US still lacks comprehensive federal data broker legislation.
What This Means for You as a Consumer
The FTC report confirms several things that privacy advocates have argued for years:
Your profile is more detailed than you think. The companies in the study held data about medical conditions, financial vulnerability, and inferred sensitive attributes — categories most people assume are private.
The opt-out system is broken by design. Requiring individual consumers to opt out from dozens of companies individually is not a functional privacy mechanism. It benefits data brokers by ensuring that most people never complete the process.
Health and financial data is in play. If you have searched for information about a health condition online, purchased medication, or had financial difficulty, these signals are likely in data broker profiles and being sold.
The "public records" justification is misleading. Aggregated public records create profiles that reveal far more than any individual source — a point the FTC specifically made.
What Has Changed Since the 2024 Report
The 2024 FTC report was influential in accelerating state-level legislation:
- Multiple states passed or strengthened data broker legislation in 2024–2025 following the report's release
- California's Delete Act implementation timeline accelerated
- Several states launched data broker registries modeled on California's approach
- FTC enforcement activity against specific data broker practices increased, including actions against data brokers selling location data to law enforcement and insurance companies
How to Protect Yourself Now (Before Federal Legislation)
While waiting for federal action, the practical steps available today:
Use State Law Rights
If you are in California, Virginia, Texas, Colorado, Connecticut, or one of the growing number of states with privacy laws, you have statutory rights to demand deletion from data brokers. Cite your state's law in deletion requests.
Submit Opt-Out Requests Across the Ecosystem
Despite the FTC's finding that opt-out systems are broken by design, they do work for consumer-facing people-search sites. Removing your profiles from the 500+ consumer data brokers reduces your visibility for the most common threat scenarios.
OfflistMe handles this process across all 500+ sites in a single session. One-time pricing starts at $7.00. Start your removal here.
Opt Out of Advertising Data Collection
The FTC report identified behavioral advertising data as a major component of data broker profiles. Reduce your advertising data footprint:
- Opt out of interest-based advertising in your device settings (iOS: Settings > Privacy & Security > Apple Advertising; Android: Settings > Google > Ads)
- Use a browser with privacy defaults (Firefox with privacy settings, Brave)
- Limit app permissions for location, contacts, and activity tracking
The Industry Response to the 2024 Report
The data broker industry trade groups — primarily the Software & Information Industry Association (SIIA) and the Interactive Advertising Bureau (IAB) — responded to the FTC's 2024 report by arguing several key points:
The "context collapse" defense: Industry groups argued that the FTC's aggregation concern conflates information that is individually harmless. Their position is that combining public records does not constitute new privacy harm if each record was already public.
Voluntary compliance programs: Several major data brokers announced updated opt-out policies and consumer-facing deletion tools in the months following the report's release. Critics noted these announcements were substantively thin: existing opt-out processes were rebranded, not reformed.
The innovation argument: The industry argued that restricting data broker practices would impair fraud prevention, credit access for thin-file consumers, and legitimate marketing. The FTC's report specifically addressed this argument by noting that most harmful broker practices could be restricted without impeding the described legitimate use cases.
What actually changed: In practice, the industry response amounted to improved disclosure (more visible privacy pages, clearer opt-out links) rather than reduced data collection or sales. The sensitive data categories — health, financial vulnerability, inferred attributes — identified in the report remain for sale in 2026 largely as they were in 2024. The report's recommendations require Congressional action that has not materialized.
Understanding this context helps set realistic expectations: opt-out requests are consumer-exercised rights that work within the existing framework, not systemic reform. They are effective for removing your profile from consumer-facing people-search sites, which is the most direct personal exposure. They do not address the B2B data sales described in the FTC's report.
The FTC's Long-Term Enforcement Direction
The FTC has signaled increasingly aggressive enforcement against data brokers:
Location data enforcement: FTC actions against X-Mode Social and others who sold location data that could identify visits to sensitive locations (health clinics, religious sites) signal that selling sensitive location data will face FTC scrutiny.
Sensitive data restrictions: The FTC has indicated that selling health-inferred data without meaningful consent is likely to face enforcement action.
Technical standards: The FTC's guidance on "privacy by design" and the expectation that companies implement meaningful opt-out mechanisms will increasingly be used as a standard in enforcement actions.
Frequently Asked Questions
Does the FTC 2024 report mean data brokers are now illegal?
No. The report is a finding, not a regulation. It documents industry practices and recommends legislation, but it does not create new legal obligations for data brokers on its own. Current FTC enforcement actions use existing authority under Section 5 of the FTC Act (deceptive/unfair practices) rather than new data broker-specific law.
Can I use the FTC report to demand that a data broker delete my information?
You can reference the report in a deletion request letter to add context, but the report itself does not create a legal obligation for the broker to comply beyond what existing state law requires. For legally binding deletion rights, cite CCPA, VCDPA, or your applicable state law.
What is the FTC doing to enforce existing law against data brokers?
The FTC has pursued enforcement actions against data brokers using Section 5 of the FTC Act (unfair and deceptive practices), the FTC Act's prohibition on unfair methods of competition, and FCRA violations. Enforcement actions since 2024 have focused on location data sales, health data sales, and failures to honor consumer opt-out requests.
Where can I read the full FTC 2024 data broker report?
The report is available at ftc.gov in the reports and resources section. Searching "data brokers interconnected world FTC" will locate the current version.
Related Guides
Understand your privacy rights
Every removal request cites a specific statute. These plain-English explainers show what each law covers and how enforcement actually works.
Related Data Broker Removal Guides
Take back your privacy today
Remove your personal information from data brokers and platforms in seconds.
Remove Your Personal Data NowFrom $7.00 one-time · 500+ data brokers · No subscription