Data Brokers Explained: How They Collect and Sell Your Personal Information
TL;DR — Quick Answer
Data brokers operate a $200 billion industry collecting and selling personal information, with over 4,000 companies holding up to 1,500 data points on individual Americans -- largely outside regulatory oversight.
Most of us have experienced that unsettling moment when our devices seem to know too much -- when an offhand search leads to days of related ads following us across the internet. Targeted ads are not just annoying; they can be actively harmful to democracy, mental health, and personal privacy. They have been used to target by race with election disinformation and to recruit for churches through geofencing.
What Are Data Brokers?
Big Tech companies deserve scrutiny for privacy violations, but some companies operate almost entirely outside the spotlight, beyond most regulations, and below most internet users' awareness.
These companies are known as data brokers.
In Europe, privacy laws offer meaningful protections. In the US, the regulatory landscape is far less restrictive, and data brokers can accumulate up to 1,500 data points on the average American citizen.
Data brokers (also called "data suppliers," "information brokers," or "data providers") either collect personal data directly or purchase it from social media platforms, credit card companies, and any website that harvests or shares user data. This is a $200 billion industry with over 4,000 companies, and it continues to grow rapidly.
These companies range from credit reporting agencies like Equifax, Experian, and TransUnion, to people-search sites like PeekYou, Pipl, and Instant Checkmate, to lesser-known entities like Acxiom, Cuebiq, CoreLogic, LiveRamp, and Epsilon. What they all share is the practice of collecting personal information and reselling or sharing it with other companies.
As a WIRED reporter described them, data brokers are "the unchecked middlemen of surveillance capitalism" and a "threat to democracy."
While most data brokers trade relatively innocuous lists like "Formula 1 enthusiast" or "expectant parent," some have allegedly sold lists categorized as "rape sufferer," "alcoholic," and "erectile dysfunction sufferer."
How Do Data Brokers Operate?
In the digital realm, most data collection occurs through third-party cookies and tracking scripts. Companies other than the website you are visiting set cookies to monitor your behavior and sell that information.
Not all third-party scripts are malicious, and not all cookies are harmful. Many websites legitimately need cookies for login functionality. The critical difference is that tracking scripts from data brokers follow you not just within a single site but from site to site across most of the internet.
Consider the scale: the New York Times carries 10 ad trackers and 17 third-party cookies. Adobe's site has 21 ad trackers and 34 third-party cookies. Even Surfshark, a VPN that markets itself as privacy-focused, has 9 ad trackers and 3 third-party cookies. You can test any site using The Markup's Blacklight tool.
Data brokers collect points like IP addresses (which reveal physical location), device information, and browsing interests. They combine this with other data they have on you, group you with similar profiles ("vegan, living in Los Angeles, income $65k-90k, single"), and sell those lists to advertisers.
The especially invasive lists -- people with specific medical conditions, sexual preferences, religious views, or political affiliations -- can be sold to virtually anyone. Medical information searched online is not protected by HIPAA. HIPAA only covers information shared with physicians. Searching for "abortion," "cancer treatments," or "therapist in Seattle" online generates data that is completely unprotected.
Mobile apps can also leak data to third parties and brokers without users' knowledge, including free flashlight apps that quietly transmit location data.
Legal Gray Areas
Data broker companies operate in legal gray zones. In countries with strict privacy laws, their practices may be technically illegal but persist nonetheless. Most data brokers bury consent to share data deep within terms of service and small print.
Despite marketing their practices as perfectly legal, data brokers regularly face legal consequences. In 2021, Epsilon was sued by the Department of Justice for $150 million for facilitating elderly fraud schemes over nearly a decade.
SafeGraph, an ironically named location data broker, only recently stopped enabling purchases of data showing how many people visited Planned Parenthood locations. They have also sold fully disaggregated data to the American government.
Life360, used by over 35 million people as a family safety app, was exposed for generating significant revenue by selling precise location data -- including data on children -- to dozens of data brokers.
Claims of de-identification ring hollow. One study found that 99.98% of Americans could be re-identified using any dataset of at least 15 demographic attributes. The more data is collected, the more easily individuals can be singled out.
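To see why adding attributes erodes "de-identification," the following added example (not part of the original article) measures how many records in a nameless dataset become unique as demographic columns are combined. The records, column names, and function names are all constructed for illustration.

```python
from collections import Counter

# Constructed records for a "de-identified" release: no names, only
# demographic attributes (quasi-identifiers). All values are made up.
COLUMNS = ("zip", "birth_year", "sex", "vehicle")
RECORDS = [
    ("98101", 1985, "F", "sedan"),
    ("98101", 1985, "F", "suv"),
    ("98101", 1985, "M", "sedan"),
    ("98101", 1990, "M", "sedan"),
    ("98102", 1985, "F", "sedan"),
    ("98102", 1990, "F", "suv"),
    ("98102", 1990, "M", "suv"),
    ("98102", 1990, "M", "suv"),
]


def group_sizes(records, columns, attrs):
    """Count how many records share each combination of the chosen attributes."""
    idx = [columns.index(a) for a in attrs]
    return Counter(tuple(r[i] for i in idx) for r in records)


def unique_fraction(records, columns, attrs):
    """Share of records whose attribute combination appears exactly once."""
    sizes = group_sizes(records, columns, attrs)
    return sum(1 for n in sizes.values() if n == 1) / len(records)


def k_anonymity(records, columns, attrs):
    """Smallest group size: each record is shared by at least k records."""
    return min(group_sizes(records, columns, attrs).values())


def risk_curve(records, columns):
    """(attributes used, unique fraction, k) as columns are added one at a time."""
    return [
        (n, unique_fraction(records, columns, columns[:n]),
         k_anonymity(records, columns, columns[:n]))
        for n in range(1, len(columns) + 1)
    ]


if __name__ == "__main__":
    for n, frac, k in risk_curve(RECORDS, COLUMNS):
        print(f"{n} attribute(s): {frac:.0%} of records unique, k={k}")
```

With one attribute nobody is unique; with all four, three quarters of the constructed records are singled out even though no name appears anywhere in the data.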
Why You Should Care
Even if you feel you have nothing to hide, not everyone has the privilege of being indifferent. Stalker victims, domestic violence survivors, and many others have urgent reasons to keep their data from being bought and sold. Yet in many jurisdictions, there are no federal laws requiring data brokers to remove data upon request.
This data ecosystem also gives governments a legal loophole around warrant requirements. Rather than obtaining a judicial warrant for surveillance data, agencies can simply purchase it from data brokers -- completely legally and without the subject's knowledge.
Protecting Yourself
Several steps can reduce your exposure: use privacy-focused browsers like Brave or Firefox, employ VPNs, decline cookie consents where possible, and adjust mobile device settings that allow apps to track activity.
But the burden should not fall solely on individuals. Digital privacy should be protected by default through legislation and enforcement. In the EU, GDPR mandates legal bases for data processing, though enforcement remains imperfect. Even GDPR consent banners often use dark patterns that make opting out deliberately difficult.
Website owners can take immediate action by removing third-party tracking scripts that send data to brokers and switching to privacy-focused analytics tools that collect only anonymized, aggregate data.
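For site owners acting on that advice, here is an added example (not from the original article) that inventories which outside hosts a page's HTML loads scripts, frames, images, and stylesheets from. The hostnames and the sample page are constructed placeholders, and "first party" is simplified to the site's host and its subdomains.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and the attribute that makes the browser fetch a remote resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ThirdPartyAudit(HTMLParser):
    """Collect hosts other than the first-party site that a page loads from."""

    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.first_party = first_party.lower()
        self.found = defaultdict(list)  # host -> tags that reference it

    def is_first_party(self, host):
        # Simplification: same host or a subdomain of it. A production audit
        # would compare registrable domains using the Public Suffix List.
        return host == self.first_party or host.endswith("." + self.first_party)

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(RESOURCE_ATTRS.get(tag, ""))
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlparse(urljoin(self.page_url, value)).hostname or "").lower()
        if host and not self.is_first_party(host):
            self.found[host].append(tag)


def audit(html, page_url, first_party):
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    return dict(parser.found)


# Constructed sample page; every hostname is a placeholder.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.news.example/app.js"></script>
<script src="//cdn.tracker-a.example/tag.js"></script>
</head><body>
<img src="https://pixel.tracker-b.example/p.gif" width="1" height="1">
<iframe src="https://cdn.tracker-a.example/sync.html"></iframe>
</body></html>
"""
```

This only sees resources named in the static HTML; requests that scripts make at runtime need a browser-based scan such as the Blacklight tool mentioned above.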
According to Pew Research Center, roughly six in ten Americans believe it is impossible to go through daily life without having data collected by companies and governments.
The economy of the modern internet runs on this data brokerage model. This is why so many popular websites and social networks are free: they generate billions from user data. The more people understand how this system works, the more pressure can be applied for better federal regulation and protection of digital privacy rights.