An analytical reference on the data broker industry in 2026 — the companies collecting your information, the data they sell, the consumer harms it enables, and the practical landscape of opting out.
The data broker industry generates approximately $267 billion in annual global revenue with virtually no consumer awareness of its existence. Most Americans cannot name a single data broker by name, yet roughly 4,000-7,000 companies actively collect, package, and sell personal information about U.S. consumers. The largest data brokers maintain detailed profiles on 95%+ of American adults.
The industry operates almost entirely outside consumer view. Data brokers don't market to consumers — they market to businesses, advertisers, debt collectors, insurance companies, employers, law enforcement, political campaigns, and increasingly, fraud operations. The companies you've heard of (Google, Facebook, Amazon) collect data primarily about their own users. The data broker industry collects data about everyone — including people who never agreed to any terms of service with any of these companies.
The data assembled in typical broker profiles is substantially more comprehensive than most consumers imagine:
| Data Category | Specific Elements Commonly Included |
|---|---|
| Identity | Full name, aliases, current and previous addresses, dates of birth, partial SSN, phone numbers, email addresses |
| Financial | Estimated income, credit score range, bankruptcy history, property ownership, vehicle ownership, mortgage details |
| Family | Spouse name, children's names and ages, relatives and household members, marital status history |
| Employment | Current and past employers, job titles, occupation classifications, professional licenses |
| Health proxies | Inferred health conditions from purchase patterns, OTC medications purchased, gym memberships, fitness app data |
| Behavioral | Shopping patterns, brand preferences, political affiliations inferred, religious affiliation inferred, hobby interests |
| Location | Movement patterns from mobile apps, places of work and residence, frequent visit locations |
| Online behavior | Websites visited, search queries (in some cases), social media activity, app usage patterns |
| Demographic inferences | Estimated race/ethnicity, sexual orientation, education level, language preferences |
A standard "consumer profile" from one of the major brokers includes 500-1,500 individual data points per person. The largest brokers (Acxiom, Epsilon, Experian, LexisNexis Risk Solutions, Oracle Data Cloud) maintain profiles on hundreds of millions of Americans.
Critical to understanding the industry: the data isn't necessarily accurate. Inferred attributes (estimated income, inferred political affiliation, inferred sexual orientation) may be wrong but are still sold and acted upon by buyers. Consumers have no practical mechanism to verify or correct the data being sold about them.
The industry has multiple tiers of operators, each with different business models and consumer exposure:
| Category | Representative Companies | Primary Buyers |
|---|---|---|
| Marketing data brokers | Acxiom, Epsilon, Oracle Data Cloud, Experian Marketing Services | Advertisers, marketers |
| People-search sites | Spokeo, BeenVerified, Whitepages, TruePeopleSearch, Intelius | Consumers, investigators, fraudsters |
| Risk and identity verification | LexisNexis Risk Solutions, TransUnion, Innovis | Insurers, lenders, employers |
| Health data brokers | IQVIA, IMS Health, Symphony Health | Pharmaceutical companies |
| Location data brokers | SafeGraph, Foursquare, Cuebiq, Veraset | Real estate, retail, government |
| Public records aggregators | PublicRecordsNow, Radaris, MyLife | Various B2B and consumer |
| Credit-adjacent brokers | Equifax (consumer marketing services), CoreLogic, FICO | Lenders, insurers |
The largest companies (Acxiom alone has profiles on 2.5 billion individuals globally) operate primarily B2B and most consumers have never heard their names. The people-search sites are more visible because they're sometimes encountered by consumers searching themselves — but they represent a small fraction of the total industry.
The data broker industry's information sources span legitimate, gray-area, and outright problematic channels:
| Source | Legality | Consumer Awareness |
|---|---|---|
| Public records (deeds, court filings, voter rolls) | Legal | Moderate |
| Direct purchase from companies you transact with | Legal (per most ToS) | Low |
| Mobile app data sales | Legal (per most ToS) | Low |
| Browser cookie / pixel tracking | Legal (with consent banners) | Low |
| Loyalty program data | Legal (per program terms) | Moderate |
| Survey and registration data | Legal | High |
| Data sharing among broker networks | Legal | Very low |
| Cross-broker enrichment partnerships | Legal | Very low |
| Inferred data from algorithmic analysis | Legal | Very low |
| Data breach compilations (resold by some brokers) | Gray area | Very low |
The "direct purchase from companies you transact with" category deserves particular attention. Most consumer-facing companies sell or share customer data with brokers as a standard business practice, disclosed in privacy policies that almost no one reads. Your supermarket loyalty program, your fitness app, your weather app, your sleep tracker, and your fast-food drive-through app all likely contribute data to the broker ecosystem.
The data broker industry serves diverse buyers with varying purposes:
| Buyer | Typical Use | Consumer Impact |
|---|---|---|
| Advertisers | Targeted advertising, audience segmentation | Personalized ads, sometimes discriminatory targeting |
| Insurers | Risk assessment, premium pricing | Higher premiums for certain demographics |
| Employers | Background checks, employment screening | Hiring decisions, sometimes unlawfully |
| Lenders | Loan underwriting, marketing | Loan terms, credit availability |
| Debt collectors | Asset and contact information for collections | Aggressive collection activity |
| Political campaigns | Voter targeting, persuasion modeling | Microtargeted political messaging |
| Law enforcement | Investigation, surveillance | Privacy implications, sometimes warrantless |
| Fraud operations | Victim selection, social engineering | Direct enablement of fraud |
| Stalkers / abusers | Locating victims | Direct physical safety threats |
| Researchers and journalists | Various legitimate research | Generally neutral to positive |
The "fraud operations" category is particularly relevant to the broader fraud landscape. Data broker information is regularly purchased by criminal organizations to enable targeted scams. The pig butchering operations in Southeast Asian compounds, for example, frequently use purchased consumer data to identify high-value targets (older, financially comfortable, geographically isolated) before initiating contact.
The "stalkers and abusers" category represents a genuine safety crisis. Domestic violence survivors regularly find their addresses available through people-search sites within hours of relocating. The industry's response to these cases is typically slow or non-responsive.
The harms enabled by the data broker industry span multiple categories:
Discriminatory pricing. Consumers in certain demographics receive systematically higher prices for the same products and services. ProPublica analyses have documented insurance premium variations based on race-correlated data even when state law prohibits racial discrimination in pricing. The discrimination is laundered through proxy variables (zip code, name patterns, browsing behavior).
Employment discrimination. Data broker information used in background checks can include inferred attributes (estimated political affiliation, suspected sexual orientation, religious affiliation) that aren't legally usable in hiring decisions but influence them regardless. Documenting the discrimination is nearly impossible because the decision pathway is opaque.
Fraud victimization enabled. Detailed consumer profiles enable highly personalized fraud attempts. The same data used for legitimate marketing personalization enables fraud operations to construct emotionally precise scam scripts that defeat traditional consumer skepticism.
Stalking and harassment. Domestic abuse survivors, public figures, journalists, abortion clinic workers, election officials, and other vulnerable individuals find their locations and family information available through people-search sites. Removal processes are slow and ineffective.
Identity theft preparation. Aggregated profile data substantially reduces the friction for identity theft. Information that would have required individual research can be purchased in bulk.
Psychological harm. The persistent feeling of being watched and categorized affects mental health, particularly for individuals from marginalized groups whose data is used in disproportionately harmful ways.
Democratic harm. Microtargeted political messaging based on broker data enables manipulation tactics that exploit individual psychological vulnerabilities, undermining informed democratic participation.
The data broker industry operates under a patchwork of regulations that vary substantially by jurisdiction:
| Jurisdiction | Framework | Effectiveness |
|---|---|---|
| Federal U.S. | No comprehensive federal privacy law | Minimal protection |
| California (CCPA/CPRA) | Strongest U.S. state law, right to deletion, opt-out | Moderate |
| Virginia (CDPA) | Right to access, deletion, opt-out | Limited |
| Colorado (CPA) | Similar to Virginia | Limited |
| Connecticut, Utah, others | Various state-level frameworks | Limited |
| European Union (GDPR) | Strong rights, right to be forgotten, consent requirements | Substantial |
| Canada (PIPEDA) | Privacy commissioner oversight | Moderate |
| State data broker registries (CA, VT, OR) | Required registration of brokers | Limited transparency benefit |
The patchwork creates practical problems. A consumer in California has substantially more rights than a consumer in Texas. A consumer in the EU has the most comprehensive rights globally. The industry's response has been to maintain compliance with the strongest applicable framework while continuing operations elsewhere with minimal protections.
Federal U.S. privacy legislation has been proposed repeatedly (American Privacy Rights Act 2024, predecessor bills) but has not passed. Industry lobbying against comprehensive federal regulation has been substantial — the data broker industry's lobbying expenditures exceed those of many other industries facing regulatory pressure.
Despite the difficulty, several concrete actions reduce data broker exposure:
Opt out from major brokers individually. Most large brokers have opt-out processes, though they're deliberately difficult. Companies offering bulk opt-out services exist (Optery, DeleteMe, Privacy Bee, others) and charge $100-500 annually to manage opt-outs across hundreds of brokers. Effectiveness varies — some brokers re-add removed individuals after a few months.
State data deletion requests where applicable. California residents can submit CCPA deletion requests to any business handling their data. Other state residents have similar rights under their state laws. These can be sent to the largest brokers individually.
Limit data generation at source. The most effective protection is preventing data from reaching brokers in the first place. Practical actions: using cash for purchases that don't require loyalty programs, avoiding apps with extensive data collection (especially "free" apps), reading privacy policies before signing up for services, using privacy-focused browsers and search engines.
Phone number and email hygiene. Using a separate email address for commercial accounts, separate phone number for loyalty programs, and disposable email addresses for one-time signups dramatically reduces data broker profile completeness.
People-search site specific removal. Spokeo, BeenVerified, Whitepages, and similar consumer-facing search sites each have removal processes. These can be done manually (free, time-consuming) or via removal services. Periodic re-checking is necessary because removed entries sometimes return.
Address protection (for high-risk situations). Address Confidentiality Programs (ACPs) exist in 39 U.S. states for domestic violence survivors, witnesses, and others requiring address protection. ACPs replace residential addresses with state-managed proxy addresses in public records, substantially reducing data broker access.
Several trajectories will likely shape the data broker landscape over the next 2-3 years:
Federal U.S. privacy legislation will continue to advance but likely won't pass. Industry lobbying combined with political polarization makes comprehensive federal privacy law unlikely before 2027-2028. State-level frameworks will continue expanding in the interim.
FTC enforcement will increase. The FTC has been increasingly active on data broker issues — recent settlements with major brokers (X-Mode Social, InMarket Media, Mobilewalla) have established precedents around sensitive location data. Expect continued enforcement actions through 2026-2027.
AI training data lawsuits will affect the industry. Lawsuits alleging unauthorized use of personal data in AI model training (Clearview AI cases, various lawsuits against major AI companies) will likely produce new legal frameworks affecting data brokers' AI-related sales.
Industry consolidation will continue. The largest brokers are acquiring smaller competitors. Acxiom's various corporate parent changes (now part of Interpublic Group), Oracle's various acquisitions, and LexisNexis's continued expansion reflect industry consolidation that concentrates more data under fewer corporate umbrellas.
Cross-border data flow restrictions will affect operations. EU-U.S. data transfer frameworks (Privacy Shield successor agreements) have been repeatedly challenged. Expect continued instability in transatlantic data flows affecting U.S. broker operations.
Consumer awareness will grow slowly. Media coverage of data broker harms is increasing. High-profile incidents (the 2023 Cambridge Analytica retrospective coverage, ongoing AI training data lawsuits) drive periodic awareness spikes. Sustained mainstream awareness remains low but is trending upward.
The aggregate analytical conclusion: the data broker industry is structurally durable due to network effects, regulatory fragmentation, and consumer awareness gaps. Individual consumer action can reduce exposure but cannot eliminate it. Meaningful industry change requires regulatory action that hasn't materialized despite years of public discussion. The trajectory is gradual improvement through state-level regulation and FTC enforcement, not revolutionary change.
A data broker is a company that collects, packages, and sells personal information about consumers, typically without those consumers' direct interaction or explicit consent for that specific purpose. The industry includes approximately 4,000-7,000 companies globally, generating $267 billion in annual revenue. Major data brokers maintain detailed profiles on 95%+ of American adults, with profiles typically containing 500-1,500 individual data points per person.
Major data brokers by category: Marketing data — Acxiom, Epsilon, Oracle Data Cloud, Experian Marketing Services. People-search — Spokeo, BeenVerified, Whitepages, TruePeopleSearch, Intelius. Risk and identity verification — LexisNexis Risk Solutions, TransUnion. Health data — IQVIA, IMS Health, Symphony Health. Location data — SafeGraph, Foursquare, Cuebiq, Veraset. Acxiom alone maintains profiles on approximately 2.5 billion individuals globally.
Typical broker profiles include: identity (name, addresses, phones, partial SSN), financial (estimated income, credit score range, property ownership), family (spouse, children, household members), employment (current and past employers), inferred health information from purchase patterns, behavioral patterns (shopping, brand preferences, political affiliations), location patterns from mobile apps, online behavior, and demographic inferences (race, sexual orientation, education). A single profile typically contains 500-1,500 individual data points.
Multiple sources: public records (deeds, court filings, voter rolls), direct purchase from companies you transact with, mobile app data sales, browser cookie tracking, loyalty program data, survey data, broker network sharing, cross-broker partnerships, and algorithmic inference. Most consumer-facing companies sell or share customer data with brokers as standard business practice. The 'direct purchase from companies you transact with' category is particularly significant — your loyalty programs, apps, and online accounts likely contribute data to the broker ecosystem.
Largely yes, depending on state. The U.S. has no comprehensive federal privacy law. California (CCPA/CPRA) provides the strongest state protections including right to deletion and opt-out. Virginia, Colorado, Connecticut, Utah, and several other states have similar but less comprehensive frameworks. Most states have minimal protections. The European Union's GDPR is the strongest globally. Federal privacy legislation has been proposed repeatedly but hasn't passed, largely due to industry lobbying and political polarization.
Fraud operations regularly purchase consumer data to identify high-value targets and construct emotionally precise scam scripts. Pig butchering operations in Southeast Asian compounds use purchased data to identify older, financially comfortable, geographically isolated targets. Tax season fraud operations use employer information to construct convincing IRS impersonation scripts. The same personalization that enables legitimate marketing enables fraud personalization that defeats traditional consumer skepticism.
Partially. California residents can submit CCPA deletion requests to any business. Residents of Virginia, Colorado, Connecticut, Utah, and several other states have similar rights under state laws. Major brokers have opt-out processes, though they're deliberately difficult. Bulk opt-out services (Optery, DeleteMe, Privacy Bee, others) manage opt-outs across hundreds of brokers for $100-500 annually. Complete removal isn't practical because brokers re-add removed individuals from new data sources within months.
People-search sites aggregate public records, broker data, and social media information into searchable consumer profiles. They typically display partial information for free and full reports for fees. Each major site has removal processes, but removal requires individual submission to each site. Removed entries sometimes return weeks or months later as data refreshes. Active maintenance is required to keep profiles suppressed. Domestic violence survivors and other high-risk individuals face particular challenges because address information is regularly available within hours of relocation.
Most effective approach combines multiple strategies: limit data generation at source (use cash for non-loyalty purchases, avoid 'free' apps with extensive data collection, use privacy-focused browsers and search engines), use separate email addresses and phone numbers for commercial accounts, submit CCPA/state deletion requests to the largest brokers (Acxiom, Epsilon, LexisNexis), maintain people-search site removals via periodic re-checking, and use bulk opt-out services for comprehensive coverage. Complete elimination isn't achievable; the goal is meaningful exposure reduction.
For most consumers, yes. Services like Optery, DeleteMe, and Privacy Bee charge $100-500 annually to manage opt-out requests across 100-500+ data brokers continuously. Manual opt-out for the same coverage would require 40-80 hours of work annually. The economic value depends on how much you value your time and exposure reduction. For domestic violence survivors and other high-risk individuals, paid services are typically essential because of the continuous re-emergence of data after individual opt-outs.
Unlikely before 2027-2028 based on current political dynamics. The American Privacy Rights Act 2024 and predecessor bills have been proposed repeatedly without passage. Industry lobbying expenditures against comprehensive federal legislation are substantial. Political polarization on technology issues further complicates passage. Meaningful federal change appears more likely through FTC enforcement actions (recent settlements with X-Mode Social, InMarket Media, Mobilewalla establish precedents) than through comprehensive legislation in the near term.
Documented harms span: discriminatory pricing (ProPublica analyses of insurance premium variations), employment discrimination through inferred attributes that aren't legally usable in hiring, fraud victimization enabled by detailed profile data, stalking and harassment of domestic violence survivors and other vulnerable individuals (locations available within hours of relocation), identity theft preparation, microtargeted political messaging exploiting psychological vulnerabilities, and proxy-discrimination using zip codes and name patterns to bypass legal protections against direct discrimination. The aggregation problem makes individual data points harmless but combined profiles substantially revealing and dangerous.