Data Broker & Privacy Statistics (2026)
A reference of the most important data-broker, identity-theft, breach, and enforcement statistics, with every figure cited to a primary source (FTC, Javelin, CPPA, IBM, ITRC, and others). Use it, quote it, or click through to verify. If a number here moves, the source link is how you check.
The one-sentence version
Identity-theft reports hit 1.13 million in 2024 and fraud losses reached $12.5 billion, while a ~$300 billion data-broker industry keeps reselling the personal information that fuels it, which is why the right to delete your data matters and why it's a problem that 43% of brokers ignore deletion requests.
Identity theft & fraud
How often identity theft and fraud happen, and what they cost victims.
1,135,270
2024
Identity-theft reports the FTC received in 2024, a 9.5% increase over the 1,036,845 reports in 2023.
$12.5 billion
2024
Total reported consumer fraud losses in 2024, up 25% from the prior year, per the FTC.
Source: FTC: New Data Show a Big Jump in Reported Losses to Fraud
38%
2024
Share of fraud reporters who said they lost money in 2024, up from 27% in 2023, nearly doubling the loss rate in a single year.
Source: FTC: New Data Show a Big Jump in Reported Losses to Fraud
$27.3 billion
2024
Total US identity-fraud losses in 2024, affecting 18 million victims, per Javelin's 2025 Identity Fraud Study.
Source: Javelin Strategy & Research, 2025 Identity Fraud Study: Breaking Barriers to Innovation
~22%
2021
Estimated share of Americans who experience some form of identity theft in their lifetime.
Source: Bureau of Justice Statistics, Victims of Identity Theft
The data broker industry
The size, scale, and structure of the industry that profits from your personal data.
~$300 billion
2025
Estimated annual revenue of the global data-broker industry.
545+
2026
Data brokers registered with California under the Delete Act as of early 2026.
Source: California Privacy Protection Agency (CPPA) Data Broker Registry
1 request → every broker
2026
California's DROP (Delete Request and Opt-out Platform) lets residents send a single deletion request that propagates to all registered brokers; consumers can submit from Jan 1, 2026 and brokers must begin processing by Aug 1, 2026.
$6,000
2026
Annual registration fee each data broker must pay California in 2026, funding the registry and DROP.
4,000+
2024
Estimated number of data-broker companies operating worldwide, far more than any single state registry captures.
Source: U.S. PIRG Education Fund analysis of the data-broker market
Breaches & exposure
How frequently personal data is exposed, and at what scale.
3,158
2024
Reported data compromises in the US in 2024, near the all-time high, per the Identity Theft Resource Center.
Source: Identity Theft Resource Center, Annual Data Breach Report
$9.36 million
2024
Average cost of a data breach in the United States, the highest of any country.
Source: IBM Cost of a Data Breach Report
147 million
2017
People whose data was exposed in the 2017 Equifax breach, a single data broker, leading to a settlement of up to $700 million.
Request friction & efficacy
How often companies actually honor deletion and access requests, and how well removal works.
43%
2024–2025
Share of California-registered data brokers that never responded to a verifiable consumer request in a UC Irvine study of all 543 registered brokers, a likely CCPA violation.
Source: UC Irvine: Probe into State Data Brokers (Bren School of ICS)
90.7%
2024–2025
Among the data brokers that did respond, the share that replied within the mandated 45-day window (half replied within 6 days), in the same UC Irvine study.
Source: UC Irvine: Probe into State Data Brokers (Bren School of ICS)
45 days
2026
Maximum window most US state privacy laws give a data broker to honor a verified deletion request (extendable once where allowed).
Enforcement
How regulators are responding, and the size of the penalties.
5+ location-data cases
2024
The FTC has brought a series of actions against location-data brokers, Kochava, X-Mode/Outlogic, InMarket, Gravy Analytics/Venntel, and Mobilewalla, for selling data tracking visits to sensitive sites.
$2.75 million
2026
CCPA settlement California reached with Disney in 2026 for failing to effectuate opt-out-of-sale requests, part of a growing enforcement wave.
Source: California Attorney General / CPPA enforcement actions
$1.2 million
2022
California's first public CCPA enforcement penalty, against Sephora in 2022, for selling personal information and ignoring Global Privacy Control signals.
€20M / 4%
2018
Maximum GDPR fine, the greater of €20 million or 4% of global annual revenue, the benchmark that set the modern privacy-penalty standard.
Global privacy laws
How privacy regulators and registries operate outside the US, where most data still flows through the same brokers.
€486.8 million
2025
Total sanctions issued by France's CNIL in 2025, up from ~€55M in 2024, led by Google (€325M) and Shein (€150M), making it the EU's most active fining authority.
Source: CNIL — sanctions and corrective measures: the CNIL's actions in 2025
~1.2 billion
2026
Records held by SCHUFA, Germany's dominant credit bureau, on roughly 69 million people and 6.6 million companies, answering ~232 million inquiries a year.
Source: SCHUFA
~700 million
2026
Residential and business records compiled by 192.com, the dominant UK people-search directory, from the open electoral register, Companies House, and Land Registry data.
Source: 192.com (sources & opt-out)
1,113
2024
Notifiable data breaches reported in Australia in 2024, the highest since the scheme began in 2018 and up 25% year over year.
Source: Office of the Australian Information Commissioner (OAIC)
£14 million
2025
The UK ICO's largest-ever settlement, reached with Capita in 2025 (reduced from a proposed £45M for early settlement), part of ~£19.6M across seven cases that year.
AUD $50M / 30%
2024
Top-tier maximum penalty for serious or repeated interference with privacy in Australia, the greater of AUD $50M, 30% of adjusted turnover, or 3× the benefit obtained.
Source: Privacy and Other Legislation Amendment Act 2024 (Norton Rose Fulbright)
From statistic to action
You are in the ~500+-broker dataset right now
The numbers above describe an industry built on your personal data. OfflistMe drafts CCPA/GDPR-compliant deletion emails you send from your own inbox, one flat fee, no subscription.
Request Removal NowOne-time from $7
How we source these numbers
Every figure on this page links to a primary source, a government agency (FTC, BJS, CPPA, California AG), an established research firm (Javelin, IBM, ITRC), or a regulator's own filing. We cite the data year, which can differ from the publication year. Where a figure is an estimate (industry revenue, lifetime risk), we mark it as approximate. We do not republish numbers we cannot trace to a source, and we re-check figures when we update the page. Spot a figure that has moved? Tell us and we will verify and correct it.