Skip to main content
Privacy Education
12 min read

What Are Data Brokers? How They Collect and Sell Your Personal Information

Data brokers compile 1,000+ data points on you and sell it without your consent. Here's what they know, where they get it, and what you can do about it.

Rahul Kandoriya
Written byRahul Kandoriya·Last updated July 7, 2026
What Are Data Brokers? How They Collect and Sell Your Personal Information
What Are Data Brokers? How They Collect and Sell Your Personal Information

Search your name on Google. If the results include your home address, phone number, or the names of your family members, a data broker put them there.

Data brokers are companies that collect, package, and sell personal information about individuals, typically without those individuals' knowledge or direct consent. They operate at scale, maintaining profiles on hundreds of millions of people, and they sell access to those profiles to marketers, background check companies, lenders, insurers, recruiters, and anyone else who pays.

This guide explains how the industry works, the four main types of data brokers and what each one does, how they build profiles on you specifically, and what legal rights you have to stop them.

Key Takeaways

  • Data brokers are companies whose primary product is your personal data: you are not their customer, you are the inventory.
  • Privacy researchers at EPIC estimate over 4,000 data brokers operate globally; California's own registry independently counted 575+ registered brokers as of February 2026, up from 459 mid-2025.
  • The four main categories are people-search sites, background check services, marketing data aggregators, and B2B lead generation databases: each with distinct harms.
  • Brokers collect from public government records (voter rolls, property deeds, court filings), commercial transactions, social media scraping, and even purchased data breach records.
  • California's Delete Act deletion portal (DROP) is live, since January 1, 2026, one request reaches all 575+ registered brokers at once; over 242,000 residents signed up in the first 48 hours, and Connecticut has enacted a similar law slated for 2028.

The Definition

A data broker is a company whose core business involves collecting personal information from external sources, aggregating it into consumer profiles, and selling access to those profiles to third parties.

This distinguishes data brokers from:

  • Credit bureaus (Equifax, Experian, TransUnion), regulated under the FCRA, have direct relationships with lenders, are subject to consumer dispute rights
  • Social media platforms: collect data about you for advertising, but their primary business is the platform, not selling raw data to third parties
  • Retailers: collect your data as a byproduct of commerce

Data brokers' primary product is the data itself. The consumers whose information they trade are not their customers, they are the inventory.


The Four Main Categories

1. People-Search Sites

The most visible category. Sites like Whitepages, Spokeo, TruePeopleSearch, BeenVerified, Radaris, and FastPeopleSearch aggregate public records into searchable directories. Anyone can search your name and find your home address, phone number, relatives, age, and previous addresses, for free or a few dollars.

These sites rank prominently in Google because they are specifically designed to rank for name searches. When someone searches "John Smith Dallas Texas," the people-search site result is often the first or second non-social-media result.

Primary harm: Physical address exposure enabling doxxing, stalking, and targeted scams. Also the primary pipeline feeding robocall operations (they purchase phone lists from these sites).

2. Background Check Services

Sites like Instant Checkmate, TruthFinder, Intelius, and CheckPeople present as background check services and charge for detailed reports that include criminal history, court records, property records, and contact information.

While these are used by landlords and employers, they are equally accessible to anyone. The data is drawn from the same public record sources as people-search sites, but presented in a more comprehensive "report" format.

Primary harm: Incorrect or outdated criminal records being misattributed. Arrest records appearing even when charges were dropped or records were expunged.

3. Marketing Data Aggregators

The large-scale commercial layer: Acxiom, Epsilon, Oracle Data Cloud, Experian Marketing Services, and similar companies. These are not consumer-facing, most people have never heard of them. But they are among the largest holders of consumer data in the world.

Acxiom alone claims to have data on over 2.5 billion consumers globally. These companies sell segmented consumer lists to advertisers, direct mailers, and financial services companies: "adults aged 35–55 in Texas with estimated household income over $80K, homeowners, interested in outdoor recreation."

Primary harm: Unsolicited marketing (direct mail, phone calls, email). Less visible but meaningful: their data feeds into insurance pricing, credit decisions, and employment screening through downstream buyers.

4. B2B Lead Generation Databases

ZoomInfo, Apollo.io, Lusha, RocketReach, and similar services target businesses, not consumers. They compile professional profiles: job titles, work email addresses, direct dial phone numbers, employer history, and LinkedIn data.

The harm is that these profiles often include personal mobile numbers and personal email addresses that professionals never intended to make available for cold outreach. They are a primary driver of unsolicited recruiter calls and sales outreach to personal devices.

Primary harm: Professional identity exposure for targeting by cold callers and spammers. Also a vector for spear-phishing: knowing someone's employer, job title, and direct phone number makes social engineering attacks significantly more credible.


How They Build Your Profile

Data brokers do not hack accounts. They collect from sources that are technically accessible, the harm is in the aggregation and republication at scale.

Public Government Records

In most US states, a wide range of records are publicly accessible:

  • Voter registration: Name, address, date of birth, party affiliation, voting history
  • Property records: Owner name, purchase price, deed, assessed value, from county assessor and recorder offices
  • Court records: Civil lawsuits, criminal charges, bankruptcies, evictions, divorces, restraining orders
  • Business registrations: LLC and corporation filings listing organizer names and addresses
  • Professional licenses: Doctor, lawyer, contractor, real estate agent licensing with identifying information
  • Marriage and divorce records: Depending on state, include names, addresses, and ages

Data brokers systematically purchase or scrape these databases at the county, state, and federal level.

Commercial Transaction Data

Every commercial relationship you enter potentially feeds the data broker ecosystem:

  • Retail loyalty programs: Your purchase history is a commercial asset that retailers sell to data aggregators
  • Warranty registrations: Product registration cards and online forms are primarily data collection mechanisms
  • Sweepstakes and contests: Entering promotional sweepstakes is one of the most efficient ways to enter marketing databases
  • Mortgage and loan inquiries: Hard credit inquiries trigger "trigger lead" sales by credit bureaus to competing lenders

Digital Sources

  • Social media scraping: Public LinkedIn profiles, Facebook posts, Twitter/X bios
  • Mobile app location data: Weather apps, fitness trackers, retail apps, location permissions are frequently monetized
  • Website tracking: Third-party tracking pixels collect browsing behavior and feed advertising data brokers
  • Data breaches: Breached personal data is purchased by data brokers to enrich existing profiles

What Your Profile Contains

A typical consumer profile maintained by a major people-search aggregator includes:

Data pointSource
Full name and aliasesPublic records, commercial data
Current and previous addresses (10+ years)Property records, voter rolls, utilities
All known phone numbersCommercial databases, reverse-phone data
Email addressesCommercial data, social media
Date of birthVoter registration, commercial data
Relatives and household membersProperty records, commercial inference
Estimated household incomeCensus, property value, commercial modeling
Political party affiliationVoter registration
Criminal and court historyPublic court records
Property ownershipCounty assessor records

The Scale of the Problem

The Electronic Privacy Information Center (EPIC) estimates over 4,000 data broker firms operate globally. The one place that number has been independently verified against a legal registry is California, where 575+ data brokers were registered with the CPPA as of February 2026, up from 459 just eight months earlier. Industry analysts estimate the global data brokerage industry generates hundreds of billions of dollars in annual revenue. The largest individual companies, Acxiom, Experian, LexisNexis, each process data on billions of consumers.

The industry is also consolidating fast at the top: Omnicom's 2025 acquisition of Interpublic Group brought Acxiom under its roof, and Publicis Groupe agreed in May 2026 to acquire LiveRamp for $2.2 billion, concentrating consumer identity data further inside a handful of advertising holding companies.

Vermont became the first US state to require data broker registration in 2019. The Vermont Secretary of State's registry has recorded hundreds of registered brokers, and these are only the ones large enough to reach Vermont's registration threshold.

California's Delete Act (2023) goes further: it created a single-opt-out platform (DROP), live since January 1, 2026, where California residents can request deletion from all registered brokers simultaneously, over 242,000 residents signed up in the first 48 hours. Registered brokers must start processing DROP requests by August 1, 2026, or face fines of $200/day per unfulfilled request. Connecticut passed a similar law in May 2026 (registration by Jan 1, 2027, portal by July 2028), and this "single-portal" model is quickly becoming the multi-state norm.


Your Legal Rights

California (CCPA/CPRA/Delete Act): The strongest US consumer privacy framework. Right to deletion, right to opt out of data sales, and a single-click deletion portal (DROP) that has been live since January 2026. Applies to any company doing business with California consumers.

23 states now have comprehensive privacy laws as of mid-2026 (Oklahoma, Alabama, Louisiana, and Vermont all enacted laws in spring 2026), each with deletion and opt-out rights broadly comparable to CCPA, though thresholds and enforcement mechanisms vary: Alabama's law, for example, applies to businesses processing as few as 25,000 consumers' data.

GDPR (EU residents): Article 17 Right to Erasure applies to any company processing EU residents' data regardless of company location.

Practical coverage: Most major data brokers apply CCPA-style compliance nationwide because managing state-by-state restrictions is administratively complex.


How to Remove Your Data

Every data broker subject to US privacy law must provide a free opt-out mechanism. Three approaches:

  1. DIY manual opt-outs: Free, takes 40–80 hours for a comprehensive pass. See the complete free removal guide.
  1. OfflistMe first-party requests: Generates legally structured opt-out emails for 500+ brokers sent from your own inbox. No ID required, no subscription. First-party requests achieve faster compliance than commercial agent filings.
  1. Subscription services: Incogni ($95.88/year), Optery ($39–$249/year), DeleteMe ($129/year). Ongoing automated monitoring and re-submission. Consumer Reports ranked Optery as most effective (68% removal rate in 4 months).

Remove your data from 500+ brokers →


Frequently Asked Questions

How do data brokers get my information without my permission?

Data brokers collect information from publicly available sources, voter registration files, property deed records, court filings, DMV records (in some states), social media public posts, phone directories, and commercial transaction data. None of this requires your permission because it is either public record or covered under broad commercial data-sharing agreements.

Can I permanently stop data brokers from having my information?

Not completely. As long as you generate public records (paying taxes, registering to vote, owning property, filing in court), that data will be indexed by data brokers. The practical goal is to remove what is currently published and submit opt-outs on a schedule that keeps profiles from staying up long enough to be useful to bad actors.

How many data broker companies exist?

Estimates range from 3,000 to 5,000 distinct data broker businesses globally. In the US, there are approximately 500 major and mid-tier consumer-facing people-search and data services companies. OfflistMe covers 500+ of the highest-impact sites for US consumers.


The 2025–2026 Regulatory Crackdown on Data Brokers

The data broker industry is undergoing its most significant regulatory disruption in its history. Several developments in 2025–2026 have materially changed what consumers can do and what brokers must do:

California DROP Platform (January 2026):

California's Delete Request and Opt-Out Platform opened January 1, 2026. California residents can submit a single deletion request to all registered data brokers, with mandatory 45-day suppression cycles. Starting August 1, 2026, brokers must delete data within 90 days and maintain suppression lists. Over 500 brokers are registered. Source: California Privacy Protection Agency.

FTC Enforcement Actions (2025–2026):

The Federal Trade Commission brought enforcement actions against multiple major data brokers for selling sensitive location data and tracking consumers without proper consent. Gravy Analytics, a major location data broker, faced FTC action after a significant data breach exposing consumer location data. The FTC characterized these as violations of Section 5 of the FTC Act (unfair or deceptive practices).

19 States Now Have Consumer Privacy Laws:

As of 2026, 19 US states have passed consumer privacy laws with deletion rights comparable to CCPA. This has expanded the legal protection available to most US consumers, even without a federal privacy law.

What has not changed:

No federal data broker regulation has passed as of June 2026. The American Data Privacy and Protection Act (ADPPA) and subsequent federal proposals have stalled in Congress. Consumers in states without privacy laws still rely on broker voluntary compliance policies rather than enforceable rights for most brokers.


How Data Brokers Affect Your Daily Life

Beyond the obvious harms (doxxing, identity theft), data broker profiles affect decisions you may not be aware of:

Insurance pricing: Several insurance companies use data broker inputs, estimated income, location, purchasing behavior, vehicle history, in their pricing models. Your data broker profile can affect the insurance rates you are quoted, even though you never agreed to have your personal data used for this purpose.

Employment screening: While FCRA-regulated background check companies must follow strict rules, some employers use non-FCRA data broker reports informally before formal background checks. An arrest record on PeopleFinders (even if charges were dropped) may influence a hiring decision before the formal FCRA process begins.

Financial services: Marketing data aggregators sell consumer segmentation lists used by banks and lenders for preapproval campaigns. Your data broker profile influences which financial offers you receive, which credit cards you are preapproved for, and which loan terms you are offered initially.

Healthcare targeting: Data brokers sell health-inferred consumer segments (people likely to have diabetes, chronic back pain, or mental health diagnoses, inferred from purchase history and search behavior) to pharmaceutical and healthcare marketers. This data is not protected by HIPAA because it was not collected in a healthcare context.

Spam and robocalls: The data broker industry is the primary infrastructure behind the US robocall epidemic. Phone number databases purchased from people-search sites and B2B data brokers are systematically dialed by auto-dialers for scam calls, political calls, and unsolicited sales. The YouMail Robocall Index counted 52.8 billion robocalls in the US in 2024 alone.


A Map of the Data Broker Ecosystem

The data broker industry is not monolithic: it is a layered ecosystem where different types of companies serve different buyers:

```

Raw public records (government databases)

Tier 1 Aggregators (Acxiom, LexisNexis, Experian Marketing)

  • Collect from raw sources at scale
  • Sell to Tier 2 and directly to enterprises

Tier 2 Consumer Services (Whitepages, Spokeo, BeenVerified, Intelius)

  • Buy from Tier 1 and build searchable products
  • Generate revenue from ad-supported free searches and paid reports

Tier 3 Re-Publishers (hundreds of smaller sites)

  • Scrape Tier 2 and re-publish data with slight reformatting
  • Often have no direct data collection, just scraped republication

End Users (individuals, landlords, employers, scammers)

```

Understanding this structure matters for your removal strategy: opting out of Tier 2 (people-search sites) without addressing Tier 1 (aggregators) means new data will continue flowing from Tier 1 to Tier 2 over time. Acxiom, LexisNexis, and Experian Marketing offer opt-out mechanisms that cut the primary feed: these should be part of any comprehensive removal strategy.


Related Guides

Take back your privacy today

Remove your personal information from data brokers and platforms in seconds.

Remove Your Personal Data Now

From $7.00 one-time · 546 data brokers · No subscription