Data Brokers: Who Is Selling Your Personal Information in 2026

Every time you sign up for a newsletter, install a mobile app, or browse a shopping site, invisible companies are taking notes. These companies, known as data brokers, have built a multibillion-dollar industry around buying, packaging, and selling your personal information — often without your direct knowledge or meaningful consent. This guide explains who data brokers are, what they know about you, who buys their data, and exactly what you can do to limit their reach.

What Are Data Brokers?

Data brokers are companies that collect personal information about individuals from public, commercial, and online sources, then sell or license that information to other businesses. Unlike companies you knowingly interact with, data brokers usually have no direct relationship with you — yet they may hold hundreds or even thousands of data points on your habits, finances, health, and family.

The industry is enormous. Globally, the data broker market is estimated to be worth more than $300 billion and includes well-known players such as Acxiom, Experian, Epsilon, Oracle Data Cloud, LexisNexis, CoreLogic, and Spokeo, along with thousands of smaller specialty firms.

Three Main Categories of Data Brokers

Marketing and advertising brokers — sell consumer profiles to advertisers and brands for targeted campaigns.
Risk mitigation and identity verification brokers — provide data to banks, insurers, and employers for fraud detection and background checks.
People-search sites — display personal records (addresses, phone numbers, relatives) directly to the public, often for a fee.

How Data Brokers Collect Your Personal Information

Data brokers rarely collect information by asking you. Instead, they aggregate it from dozens of streams, then cross-reference and enrich it to build a unified profile tied to your name, email, device, or household.

Common Data Sources

Public records: court filings, property deeds, voter registrations, marriage licenses, business registrations.
Commercial transactions: warranty cards, loyalty programs, magazine subscriptions, retailer purchase histories.
Online tracking: cookies, pixel trackers, fingerprinting scripts, and software development kits (SDKs) embedded in apps.
Social media: public posts, profile fields, friend networks, likes, and check-ins.
Mobile location data: harvested from weather, gaming, navigation, and utility apps that request GPS access.
Data partnerships: companies sharing or selling customer lists to each other under privacy policies users never read.
Data breaches: leaked credentials and personal information that resurface on secondary markets.

What Information Do Data Brokers Actually Have?

A single broker profile can include shockingly granular details. Investigations by regulators and journalists have found dossiers containing thousands of attributes per person.

Category	Examples of Data Points
Identity	Full name, aliases, date of birth, government ID numbers, photos
Contact	Current and past addresses, phone numbers, personal and work emails
Financial	Estimated income, credit tier, mortgage balance, debt indicators
Household	Relatives, roommates, marital status, number and ages of children
Behavioral	Shopping preferences, brand loyalty, hobbies, charitable giving
Health	Inferred conditions, prescription patterns, fitness app activity
Location	Daily commute, frequented businesses, travel patterns
Political	Party affiliation, donation history, issue interests
Digital	Devices owned, IP addresses, browser fingerprint, app inventory

These attributes are typically organized into audience segments with labels like "financially stressed seniors," "new parents in suburban ZIP codes," or "frequent travelers with premium credit cards." The more specific the segment, the higher the price advertisers will pay.

Who Is Buying Your Personal Information?

Data broker customers span nearly every industry. While many use cases are legal and even useful, others raise serious ethical and safety concerns.

Typical Buyers

Advertisers and marketers looking for precise audience targeting across web, mobile, and connected TV.
Banks and lenders evaluating creditworthiness or detecting application fraud.
Insurance companies pricing policies based on lifestyle inferences.
Employers and landlords conducting background screening.
Political campaigns microtargeting voters with tailored messaging.
Law enforcement and government agencies purchasing data they might otherwise need a warrant to obtain.
Debt collectors and litigation firms locating individuals.
Scammers and fraudsters who buy leaked or loosely vetted records to craft convincing phishing attacks.

Why Data Brokers Are a Privacy and Security Problem

Even if you trust most companies to use data responsibly, the broker ecosystem creates risks that individuals can't easily control.

Key Risks

Targeted scams. Fraudsters use detailed profiles to impersonate banks, government agencies, or family members.
Stalking and harassment. People-search sites publish home addresses and relatives' names, endangering domestic abuse survivors, journalists, and public officials.
Discrimination. Inferred attributes can be used to exclude people from housing, jobs, or credit in ways that are hard to detect or challenge.
Surveillance creep. Governments increasingly buy commercial data to bypass legal limits on direct collection.
Cascading breaches. When a broker is hacked, hundreds of millions of profiles can spill at once — as seen in the 2024 National Public Data breach.
Identity theft. Combined data points make it easier to answer security questions and impersonate victims.

How Laws Regulate Data Brokers Around the World

Regulation is patchy and rapidly evolving. The strictest frameworks give individuals the right to see, correct, and delete data held about them, but enforcement varies widely.

Region	Key Law	What It Means for Data Brokers
European Union / UK	GDPR / UK GDPR	Requires lawful basis, transparency, and honors deletion requests for nearly all personal data.
California, USA	CCPA / CPRA + Delete Act	Brokers must register with the state and, by 2026, honor one-stop deletion requests.
Other US states	Vermont, Texas, Oregon broker registries	Brokers must publicly register; consumers gain limited opt-out rights.
Brazil	LGPD	Mirrors GDPR; gives consumers access and deletion rights.
Canada	PIPEDA (and forthcoming CPPA)	Requires consent for collection and use of personal information.
Australia	Privacy Act 1988 (under reform)	Strengthening rights to erasure and direct marketing opt-outs.

How to Find Out What Data Brokers Know About You

Before you can clean up your digital footprint, you need to map it. The process is tedious but manageable if you tackle it in phases.

Search yourself. Run searches for your full name, email addresses, phone numbers, and old usernames on major search engines.
Check people-search sites. Visit Spokeo, BeenVerified, Whitepages, Radaris, PeopleFinders, MyLife, and similar sites to see your public listings.
Use breach lookup tools. Services like Have I Been Pwned reveal which leaks exposed your credentials.
Submit data subject access requests (DSARs). Under GDPR, CCPA, and similar laws, you can require brokers to disclose what they hold.
Review broker registries. California, Vermont, Texas, and Oregon publish lists of registered brokers — a useful starting point even outside the US.

How to Remove Yourself from Data Broker Databases

Opt-out is a legal right in many jurisdictions and a courtesy elsewhere. Expect the process to take weeks and to require periodic re-checks, because brokers re-acquire data from new sources.

Step-by-Step Removal Process

Build a tracking spreadsheet with broker name, opt-out URL, submission date, and confirmation status.
Submit opt-out forms on each broker's site. Most require email confirmation; some demand a photo ID (you may redact sensitive details).
Send written DSAR or deletion requests citing the relevant law (e.g., "This is a deletion request under CCPA § 1798.105").
Follow up after 30–45 days. Re-submit if your record reappears.
Consider a paid removal service such as DeleteMe, Kanary, Optery, or Incogni if manual cleanup is too time-consuming.
Re-audit every 3–6 months. New profiles will appear as brokers ingest fresh data feeds.

How to Reduce What Data Brokers Can Collect Going Forward

Removal is reactive. To shrink your future data footprint, you also need to change how you share information day to day.

Practical Habits That Limit Data Collection

Use email aliases. Services like Apple Hide My Email, Firefox Relay, and SimpleLogin let you create unique addresses for every signup so brokers can't easily link your accounts.
Adopt a privacy-focused browser. Brave, Firefox with strict tracking protection, and Safari block many third-party trackers by default.
Switch to encrypted DNS. Providers like Cloudflare 1.1.1.1, Quad9, and NextDNS prevent your internet provider from logging and monetizing your browsing history.
Limit app permissions. Deny location, contacts, and microphone access unless an app genuinely needs them; revisit settings monthly.
Opt out of ad personalization on Google, Meta, Microsoft, Apple, and TikTok accounts.
Use a secondary phone number for forms and loyalty programs.
Shorten and mask links you share. When promoting content on social platforms, a privacy-respecting shortener such as Lunyb lets you share clean, branded links without leaking referral metadata to third-party analytics networks. You can read more in our honest review of Lunyb.
Freeze your credit. A credit freeze with Experian, Equifax, and TransUnion blocks many identity-verification brokers from selling your file.
Be selective with loyalty cards. Each one feeds purchase history into broker pipelines.
Read privacy policies for "sale" and "share" clauses. Many large retailers now offer a Do Not Sell or Share My Personal Information link at the bottom of their websites.

Choosing Privacy-Respecting Tools

Not all online tools are equal when it comes to telemetry. When you evaluate apps, browsers, link shorteners, or analytics platforms, look for clear answers to four questions:

Does the company sell or share data with third parties?
How long is data retained, and can you delete it?
Are click and visitor logs anonymized or aggregated?
Is the company subject to a strong privacy law in its jurisdiction?

For link sharing specifically, our 2026 buyer's guide to URL shorteners compares major providers on privacy, analytics depth, and pricing. If you're weighing established brands, our Rebrandly review is also a useful reference.

The Future of the Data Broker Industry

Several forces are reshaping the industry in 2026 and beyond:

State-level deletion laws like California's Delete Act create one-stop opt-out mechanisms that could become national templates.
Browser changes phasing out third-party cookies push brokers toward server-side and identity-graph tracking — often less visible but no less invasive.
AI training markets create new demand for personal data, especially text, voice, and behavioral signals.
Litigation pressure from class actions and FTC enforcement actions is forcing some brokers to restrict the sale of sensitive categories like precise location and health data.

Expect the trend toward consumer rights to continue, but also expect brokers to evolve their techniques. Ongoing vigilance — not a one-time cleanup — is the realistic path forward.

Frequently Asked Questions

Are data brokers legal?

Yes, in most countries data brokers operate legally as long as they comply with applicable privacy laws. Their collection of public records and commercial data is generally permitted, but laws like GDPR, CCPA, and LGPD impose transparency, consent, and deletion requirements that many brokers struggle to meet fully.

How do data brokers make money?

Data brokers earn revenue by licensing or selling consumer profiles, audience segments, and identity-verification services to advertisers, financial institutions, insurers, political campaigns, government agencies, and people-search subscribers. Pricing ranges from fractions of a cent per record for advertising segments to hundreds of dollars for detailed background reports.

Can I really delete all my information from data brokers?

You can dramatically reduce your exposure, but complete deletion is unrealistic because brokers constantly re-acquire data from public records and new commercial feeds. Plan to opt out of major brokers, then re-audit every three to six months. Paid services automate this ongoing maintenance.

How long does it take to remove personal information from data brokers?

Individual opt-out requests typically take 7 to 45 days to process. Completing requests across dozens of brokers manually can take 20 to 40 hours spread over several months. Subscription removal services usually achieve initial cleanup within 60 to 90 days and then maintain it continuously.

Do free online tools or browser extensions stop data brokers?

Tracker-blocking browsers, encrypted DNS, ad-personalization opt-outs, and email aliases significantly reduce the data brokers can collect about your future activity, but none of them remove existing profiles. A combined strategy — block new collection while actively opting out of existing records — produces the best results.

Final Thoughts

The data broker industry thrives on opacity. Most people have no idea how many companies hold profiles on them, who buys those profiles, or what decisions get made because of them. The good news is that growing legal protections, better privacy tools, and a few hours of deliberate cleanup can meaningfully shrink your footprint. Treat privacy as ongoing hygiene: limit what you share, use tools that minimize telemetry, opt out where you can, and revisit your exposure every few months. Your data is valuable — make sure you're the one deciding who gets to use it.