Data brokers: Who is selling your data? What can you do about it?
Have you heard about the two billion data broker industry? Learn about data brokers, the entities that collect and sell personal information by aggregating data from various sources, highlighting the importance of safeguarding your privacy online.
What are data brokers?
The data brokerage industry is estimated to be worth $200 billion per year. The data brokers such as Experian, Equifax and Acxiom collect and sell your unique sensitive information, including financial, personal, behavior and interests, for profit. This often happens without your direct consent or without you fully realizing that you’ve given this consent.
Buying data like this allows companies to target advertisements at specific people, with the aim of reaching people more likely to buy their products or services. For example, an insurance company could ask for a list of a thousand New Yorkers under 30 with a credit score of 700+, allowing them to tailor their advertising to the particular needs and pain points of that demographic.
Data brokers amass data from browsing history, social media, purchase histories, and public records. The entire industry is extremely profitable and growing, while at the same time faces criticism for privacy concerns and the potential misuse of sensitive information.
How do data brokers collect information?
Data brokers collect information through various means, both online and offline. Here are the primary methods they use:
Web tracking technologies:
- Cookies: Small data files stored on your device that track browsing history and user preferences.
- Browser fingerprinting: Techniques that identify users based on their browser settings, device type, and other unique characteristics.
- Web beacons: Tiny, invisible images embedded in web pages or emails that track user activity and interactions.
- IP address tracking: Tracks the geographic location and online activities of users through their IP addresses.
Public records:
- Voter registrations
- Birth certificates
- Marriage licenses
- Property deeds
- Court records
Commercial sources:
- Loyalty programs
- Warranty registrations
- Subscription services
- Ecommerce sites
Data scraping: Automated tools extract information from websites and databases, and other publicly available sources.
Purchasing data: Data brokers may buy data from other companies that collect user information.With this information, data brokers build comprehensive and detailed profiles of individuals, which they then sell to businesses for marketing, credit scoring, and other purposes. For example, credit bureau companies serve you with financial credit score guides and tips, while also selling the data they scraped about you. Talk about double dipping!
Your consent: When you agree to terms and conditions on various websites, you may be giving consent for your data to be shared. You might see this as a positive thing, for example, when you want to get targeted offerings for a specific product that you’re looking to buy. However, it’s important to be aware what you’re agreeing to by doing this.
What information do data brokers collect?
Data brokers collect a wide range of personal information to create detailed profiles of individuals. This data comes from various sources and provides a comprehensive view of a person’s life and habits. Here are the types of data they commonly gather:
Basic identifiers:
- Full name
- Date of birth
- Gender
- Social Security number
Contact information:
- Current and previous addresses
- Phone numbers
- Email addresses
Demographic details:
- Marital status
- Family composition, including the presence and ages of children
- Education levels
- Occupation
Financial information:
- Income levels
- Credit scores
- Purchase history and spending habits
- Assets and property ownership
Online activity:
- Browsing history
- Search queries
- Social media activity
- Online purchases and interactions
Health information:
- Medical conditions and history
- Prescription drug usage
- Health insurance details
Lifestyle and interests:
- Hobbies and interests
- Likes and dislikes
- Political affiliations
- Religious beliefs
- Memberships and affiliations with various organizations
Other sensitive information:
- Physical address
- Criminal records
This categorized information allows data brokers to build detailed profiles, such as identifying individuals as “new parents,” “fitness enthusiasts,” or “frequent travelers.” These profiles are then sold to businesses for targeted advertising, personalized marketing, and other commercial uses, often without the individuals’ explicit knowledge or consent.
How is your data used?
Data collected by brokers is used in various ways, often without individuals’ explicit knowledge or consent.
Targeted advertising:
Companies use data to create personalized marketing campaigns. By understanding your interests and behaviors, they can deliver ads that are more likely to appeal to you.
Credit scoring and risk assessment:
Financial institutions use data to evaluate creditworthiness. This information helps determine loan approvals, interest rates, and insurance premiums.
Health insurance:
Insurers assess health-related data to decide coverage options and pricing. They may use your medical history and prescription data to evaluate risk.
People search services:
Websites offering people search services use data to provide detailed reports on individuals, including contact information and addresses, which are often sold to interested parties.
Fraud detection and prevention:
Businesses use data to detect fraudulent activities by ensuring that the information provided by consumers matches known records.
Political campaigns:
Political parties use data to target specific voter groups with tailored campaign messages.
Financial institutions:
Beyond credit scoring, financial institutions use data to assess the suitability of potential clients for various financial products.
Landlords and prospective employers:
These entities use data to screen potential tenants and job candidates, assessing their suitability based on financial and personal history.
How to protect yourself from data brokers
Protecting yourself from data brokers requires proactive steps to minimize the amount of personal information they can access and distribute.
First, opt-out of data collection whenever possible. Many data brokers offer opt-out options on their websites, allowing you to request the removal of your information from their databases. Although this process can be time-consuming, it effectively reduces your digital footprint.
Additionally, use privacy tools to block tracking technologies. Browser extensions and software designed to block cookies, web beacons, and other tracking mechanisms can prevent data brokers from collecting your online activities.
Limiting the information you share online is also crucial. Be cautious about posting sensitive details on social media and refrain from participating in online quizzes or surveys that request personal information. When signing up for online services or loyalty programs, only provide the necessary information and be mindful of privacy policies.
Using a VPN (Virtual Private Network) can further enhance your online privacy by encrypting your internet connection and masking your IP address, making it more difficult for data brokers to track your activities. Additionally, consider using a Tor browser for enhanced anonymity online. The Tor browser routes your internet traffic through multiple servers, hiding your IP address and making it much harder for data brokers to track your online activities.
By taking these steps, you can significantly reduce the amount of personal information that data brokers can access and distribute.
Here are the key points to remember:
- Opt-out of data collection on broker websites.
- Use privacy tools to block tracking technologies.
- Limit the information you share online.
- Use a VPN to enhance online privacy.
- Consider using a Tor browser for increased anonymity.
- Use services to help remove your information from data broker lists.
Are data brokers legal?
Data brokers are legal in the US, but regulations vary by state. California, Vermont, Texas, and Oregon have specific laws governing data brokers. California’s Delete Act updates a prior law, Vermont’s act started in 2018, and Texas and Oregon implemented their laws in September 2023 and January 2024.
In the United States, there is no comprehensive federal law regulating data brokers. Instead, individual states have implemented their own regulations. California’s Consumer Privacy Act (CCPA) allows consumers to see what data has been collected about them, request its deletion, and opt-out of the sale of their data. Vermont’s law requires data brokers to register with the state and adhere to certain data security standards. Texas and Oregon have also implemented regulations to increase transparency and control over personal data. These state-level laws aim to provide more rights and protections for consumers, but the lack of a federal framework results in inconsistent oversight and enforcement across the country.
It’s important to note that by US law, data brokers must comply with your data removal requests. However, after 90 days they’re legally able to start collecting your data again or work with another company to obtain your data.
In contrast, the European Union’s General Data Protection Regulation (GDPR) provides a more comprehensive approach to data privacy. GDPR requires companies to obtain explicit consent from individuals before collecting their data, and grants individuals the right to request data deletion. It also imposes strict requirements on data security and transparency, offering more robust protection for consumers. Other countries have similar laws inspired by GDPR, which ensures a higher level of data privacy and security.
The disparity between the US and EU regulations highlights the need for more consistent and comprehensive data privacy laws to address growing concerns over data brokerage practices.
What are the largest data brokers?
The data brokerage industry is dominated by several large companies that manage and sell vast amounts of personal information. These companies operate globally and are well-known for their extensive data collection and analysis capabilities. Here are some of the largest data broker sites:
Experian: One of the major credit reporting agencies with a $5B annual revenue, Experian collects data on millions of consumers worldwide. Its databases include financial information, credit scores, purchasing behaviors, and personal demographics, which it sells to businesses for credit risk assessment, marketing, and more.
Equifax: Another leading credit reporting agency, Equifax gathers a wide range of consumer data, including credit history, employment information, and financial transactions. It uses this data to provide insights for credit scoring, fraud detection, and targeted marketing.
Acxiom: A global leader in data management and analytics, Acxiom has information on billions of consumers. It collects data from public records, surveys, and online activities to create detailed consumer profiles that are sold for marketing and advertising purposes.
Epsilon: Specializing in data-driven marketing and has a massive database of consumer information, Epsilon compiles data from various sources, including online activities and purchase histories, to help businesses target their advertising more effectively.
CoreLogic: CoreLogic focuses on property-related information, collecting data on real estate transactions, property values, and homeowner demographics. Its data is used by real estate professionals, mortgage lenders, and insurance companies for risk assessment and market analysis.
Oracle Data Cloud (formerly Datalogix): Oracle Data Cloud aggregates consumer data from online and offline sources, including purchase behavior and demographic information. Its data is used for targeted advertising and measuring the effectiveness of marketing campaigns.
TransUnion: Like Experian and Equifax, TransUnion is a major credit reporting agency that collects extensive consumer data. It provides insights for credit scoring, identity verification and fraud prevention.
These companies play a significant role in the data brokerage industry, using sophisticated technologies and vast databases to collect, analyze, and sell personal information. Their practices raise important questions about privacy and the ethical use of data, highlighting the need for stronger regulations and greater transparency.
First-party vs. third-party data brokers
Data brokers can be categorized into first-party and third-party brokers, each with distinct methods of data collection and usage.
First-party data brokers:
First-party data brokers collect data directly from their interactions with consumers. These entities typically include companies that offer free services, such as social media platforms, search engines, and e-commerce websites. By providing these services, they gather data on user behavior, preferences, and demographics. First-party data brokers use this information to enhance their services, tailor user experiences, and often sell targeted advertising opportunities to third-party companies. Examples include companies like Google, Facebook, and Amazon, which use their extensive data collection capabilities to improve their offerings and generate revenue through advertising.
Third-party data brokers:
Third-party data brokers, on the other hand, do not have a direct relationship with consumers. Instead, they collect data from various indirect sources, including public records, online tracking tools, purchase histories, and other commercial data providers. These brokers aggregate, analyze, and sell data to other businesses that use it for marketing, risk assessment, and other purposes. Third-party data brokers purchase data from first-party brokers and other sources, compile it into comprehensive profiles, and sell it to interested parties. Prominent third-party data brokers include companies like Experian, Equifax, Acxiom, and Epsilon. Sadly, like all organizations, these companies are also subject to data breaches. In September of 2017, Equifax fell victim to a data breach that exposed the personal information of 140M+ people.
The key difference between first-party and third-party data brokers lies in their relationship with the consumer. First-party brokers collect data through direct interaction with users, often with some level of consent or awareness, while third-party brokers collect data from a wide range of indirect sources, usually without the direct knowledge of the individuals whose data they are collecting and selling. This distinction raises important privacy and ethical considerations, as third-party data brokers operate in a more opaque manner, making it challenging for consumers to know what information is being collected and how it is being used. More importantly, it is more challenging to have your data removed from third-party data brokers.
Related articles:
What is personally identifiable information?