Chapter 02: Data Brokers - They Sold You for a Penny
Inside the Hidden Industry That Knows Your Secrets, Sells Your Identity, and Answers to No One
Right now, as you read this sentence, a company you have never heard of owns a file on you. That file contains your home address, your phone number, your Social Security number, your estimated income, your medical concerns, your religious affiliation, your political leanings, and a detailed record of everywhere your phone has traveled in the past year. That company did not ask your permission to collect any of it. And sometime today, that company will sell your file to a stranger for less than a dollar.
This is not a hypothetical. This is not something that could happen in the future. This is happening to you, to your parents, to your kids, and to roughly 250 million American adults every single day of the year.
The companies doing this are called data brokers. Most Americans have never heard that term. Most Americans do not know these companies exist. And that is exactly how data brokers want it, because the less you know, the more money they make. We are talking about a $300 billion global industry built on one foundational principle: your most personal information can be collected without your knowledge, packaged without your consent, and sold to anyone with a credit card. Advertisers buy it. Insurance companies buy it. Scammers buy it. Stalkers buy it. Foreign governments buy it. Your own government buys it, sometimes to avoid the hassle of getting a warrant.
In this chapter, I am going to show you exactly how this industry works, who the major players are, what they know about you, and what it costs to buy your life story. I am going to tell you about real people who were harmed, and in some cases killed, because a data broker sold their personal information to the wrong person. I am going to walk you through the strongest law in the country designed to fight back, California's Delete Act, and show you the tools that exist right now to start taking your privacy back. And I am going to explain why, despite everything you are about to read, almost everything the data broker industry does remains perfectly legal under federal law.
That last part should make you angry. By the time you finish this chapter, you will understand exactly why it should.
The Middlemen Who Know Everything
A data broker is a company that collects personal information about people it has no relationship with and sells that information to third parties. Think of it this way. You have never signed up for anything with Acxiom. You have never visited the Epsilon website. You have probably never typed the words "LexisNexis Risk Solutions" into a search bar. And yet each of these companies maintains a detailed profile on you that would make your closest friends uncomfortable.
California law defines a data broker as a business that knowingly collects and sells personal information about consumers with whom it has no direct relationship. That definition matters because it captures the core of the problem. These are not companies you chose to do business with. These are companies that built a business around you without ever telling you.
The data broker business model has three steps. First, collection. Brokers pull your information from public records like court filings, property deeds, voter registration, and DMV records. They scrape social media. They buy purchase histories from retailers, credit card transaction data, loyalty program records, and survey responses. They collect data from the invisible software tucked inside your phone apps. And they harvest enormous volumes of personal data from the online advertising system itself, which broadcasts your information to thousands of companies every time a web page loads on your screen or an ad appears in your app.
Second, aggregation. Brokers take all of these scattered data points and stitch them together into a single profile tied to your identity. They match records using your email address, your phone number, your Social Security number, and your physical address. They use algorithms that infer when two different data points belong to the same person, even when no shared identifier exists. Companies like LiveRamp maintain identity graphs that connect your online cookies, your device IDs, your email accounts, and your home address into one unified picture of who you are.
Third, sale. Once the profile is built, brokers sell it. They sell through subscriptions, through per-search pricing, through bulk data feeds, and through cloud marketplaces where buyers can browse available datasets the way you browse products on Amazon.
The scale is staggering. Acxiom, now owned by Omnicom through its $13 billion acquisition of IPG, maintains data on approximately 260 million Americans across 162 million households, with up to 10,000 attributes per person. Epsilon, owned by Publicis Groupe after a $4.4 billion acquisition, claims to hold data on every marketable household in the United States and processes 50 trillion data transactions annually. Experian holds records on 1.4 billion people worldwide. LexisNexis Risk Solutions sits on more than 78 billion records drawn from over 10,000 sources. Spokeo alone claims 6 billion consumer records.
How many data brokers are there? California's official registry lists 545 registered brokers as of January 2026. Vermont's registry shows 257. The Privacy Rights Clearinghouse and the Electronic Frontier Foundation built a combined database in 2025, cross referencing five state registries, and found more than 750 unique data broker groups. Hundreds of companies registered in one state had not registered in others, which suggests massive noncompliance with the law. Industry estimates put the global total at 4,000 or more. The global data broker market was valued between $270 billion and $323 billion in 2024, with the American share alone estimated at $131.7 billion.
Your Social Security Number Costs Less Than a Cup of Coffee
The depth of what data brokers know about you is difficult to overstate. A single broker examined by the Federal Trade Commission in 2014 maintained 3,000 data segments on nearly every American consumer, spanning 44 categories of health conditions. Acxiom currently advertises more than 1,500 attributes per person through its InfoBase product. With integrated partner data, that number climbs above 10,000. These are not vague generalities. The categories documented by federal investigations, academic research, and investigative journalism include Social Security numbers, income and net worth estimates, credit scores and bankruptcy status, specific health conditions including depression, anxiety, cancer, diabetes, erectile dysfunction, and pregnancy status, medications, religious affiliation, political party registration and voting history, sexual orientation, ethnicity, daily location patterns, purchasing habits, and web browsing history.
The labels brokers assign to the people in their databases are revealing in ways that should disturb every American. Documented marketing segment names include "Suffering Seniors," "Rural and Barely Making It," "Ethnic Second City Strugglers," "Retiring on Empty: Singles," and "Paycheck to Paycheck Consumers." In Congressional testimony, the World Privacy Forum documented lists of people with HIV/AIDS, people undergoing cancer treatment, people dealing with drug and alcohol addictions, and seniors suffering from dementia, all available for purchase. A leaked spreadsheet from Microsoft's ad platform Xandr, obtained by The Markup in 2023, revealed 650,000 audience segments including "Heavy Purchasers of Pregnancy Tests," "Depression Prone," and "Brain Tumor" interest categories, supplied by 93 different data companies.
And the price. The price is what makes the entire system possible, because personal data is almost unbelievably cheap. A Duke University study published in November 2023 purchased data on nearly 50,000 active duty military service members, including names, home addresses, health conditions, financial data, children's names, and religious affiliations, for approximately $10,000. That works out to somewhere between twelve cents and thirty two cents per person. Larger purchases dropped the per person cost to a single penny. The World Privacy Forum documented a list of "Rape Sufferers" available for purchase at seven point nine cents per name. Mental health data costs as little as five and a half cents per record. Researchers at Duke found that 11 of 37 data brokers they contacted agreed to sell mental health records, covering depression, anxiety, ADHD, bipolar disorder, and PTSD, with almost no vetting of who was buying. In May 2022, a journalist purchased a full week of location data covering more than 600 Planned Parenthood locations across the country for just over $160.
So who is buying? Advertisers represent the largest buyer category, using broker data for targeted advertising and what the Federal Trade Commission calls "surveillance pricing," which means adjusting what you pay for a product based on your personal data profile. Insurance companies buy data to inform underwriting and premium decisions. Employers and landlords run background checks powered by broker data. Political campaigns use commercially available data for voter targeting. Law enforcement agencies buy location data to track people without getting a warrant. Scammers buy lists of elderly and vulnerable Americans to run fraud schemes. Anti abortion organizations have purchased data showing which phones visited reproductive health clinics. Foreign entities have purchased detailed records on American military personnel. The Duke researchers found that purchasing data using an Asian domain name and a Singaporean IP address triggered virtually no additional screening from the brokers, which tells you exactly how easily a foreign adversary could exploit this system.
When a Data Broker Becomes an Accomplice
The cost of this industry is measured in human lives. On October 15, 1999, a man named Liam Youens drove to the workplace of Amy Boyer, a 20 year old dental hygiene student in Nashua, New Hampshire. He called her name so she would look up. Then he shot her through her car window and killed himself. Youens had been stalking Boyer since the eighth grade. He paid a data broker called Docusearch.com $45 for her Social Security number and $109 for her workplace address, which Docusearch obtained by making pretextual phone calls. Youens himself had written on his personal website: "It's actually obscene what you can find out about a person on the Internet." The New Hampshire Supreme Court later ruled that an investigator who obtains someone's work address through deception and sells it to a third party can be held liable for the harms that follow.
Twenty one years later, in July 2020, a self proclaimed anti feminist attorney named Roy Den Hollander appeared at the home of United States District Judge Esther Salas disguised as a FedEx driver and opened fire, killing her 20 year old son Daniel and critically wounding her husband Mark. The FBI found that Hollander kept detailed files on judicial targets. Their home addresses, as Judge Salas later testified, could "be purchased online for just a few dollars, including photos of our homes and the license plates on our vehicles." Congress eventually responded with the Daniel Anderl Judicial Security and Privacy Act in December 2022, specifically prohibiting data brokers from selling judges' personal information.
Then came the most devastating case yet. On June 14, 2025, a man named Vance Luther Boelter, 57 years old, wearing body armor and a silicone face mask, went to the home of Minnesota State Representative Melissa Hortman and assassinated her and her husband Mark. He then drove to the home of State Senator John Hoffman and shot him nine times and his wife Yvette eight times. Both survived. FBI agents found notebooks listing 45 elected officials, all from one political party, with home addresses, family members' names, and tactical surveillance notes. A separate list documented 11 different people search and data broker websites, with notations about which sites offered free trials and how to obtain home addresses from each one. Senator Ron Wyden responded publicly: "Every single American's safety is at risk until Congress cracks down on this sleazy industry."
Financial devastation runs parallel to the physical violence. Epsilon Data Management, one of the world's largest marketing companies, paid $150 million in 2021 to settle federal charges for knowingly selling data on more than 30 million Americans to scammers running fraudulent mass mailing schemes that targeted elderly victims from 2008 to 2017. A single fraudster client used Epsilon's lists to defraud more than 218,000 people out of $23.7 million. Epsilon's own internal records showed that more than 12,000 victims were defrauded more than 20 times each by this one scheme. Two Epsilon executives went to prison, one for ten years and the other for four.
And then there was the National Public Data breach of 2024, which exposed just how fragile the entire system is. National Public Data was a background check company that most Americans had never heard of. It was run by a single person, Salvatore Verini Jr., from a home office with two desktop computers, a laptop, and five Dell servers. When hackers broke in, they extracted 2.9 billion records, including 272 million unique Social Security numbers, which amounts to roughly 60 percent of all Social Security numbers ever issued in the United States. The stolen database, 277 gigabytes in size, was initially offered on the dark web for $3.5 million. Then it was released for free. National Public Data filed for bankruptcy with total assets between $25,000 and $75,000. One person, operating from a home office, had collected the most sensitive data on hundreds of millions of Americans. That person had no meaningful security infrastructure, no ability to notify victims, and no resources to face the resulting lawsuits.
California Fights Back and the Country Is Watching
On October 10, 2023, Governor Gavin Newsom signed Senate Bill 362, authored by Senator Josh Becker. It is called the California Delete Act, and it represents the most ambitious data broker regulation ever enacted in the United States. The law requires every data broker operating in California to register annually with the California Privacy Protection Agency, known as CalPrivacy. Registration costs $6,000 per year. And those fees fund something that has never existed before: a centralized system that lets you delete your data from every registered data broker in the state with a single request.
That system is called the Delete Request and Opt Out Platform, or DROP. It launched on January 1, 2026, right on schedule. CalPrivacy built it in partnership with the California Department of Technology at a cost of approximately $4.4 million. Here is how it works. If you are a California resident, you go to the DROP website, verify your identity through the state's Identity Gateway or Login.gov, provide your name, email, phone number, ZIP code, and optionally your mobile advertising ID or vehicle identification number, and hit submit. The entire process takes less than ten minutes. Your deletion request then goes out simultaneously to all 545 registered data brokers.
Starting August 1, 2026, brokers must pull the hashed consumer identifier lists from DROP at least every 45 days, process deletion requests within 45 days of retrieval, and report back with a status for each request. The possible responses are "Deleted," "Exempt," "Opted Out," or "Record Not Found." And here is the part that makes this law different from everything that came before it. After your initial deletion goes through, brokers must continue deleting any new data they collect about you every 45 days going forward. They are banned from selling new information about you after you submit your request.
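To make the 45 day cycle concrete, here is a broker-side sketch of it, added as an illustration and not taken from CalPrivacy or the DROP platform. The hashing scheme (SHA-256 over a normalized identifier), the record layout, and every name in the code are assumptions; the page does not say when "Opted Out" applies, so the sketch never returns it.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import date, timedelta

CYCLE_DAYS = 45  # from the text: retrieve every 45 days, process within 45 days
STATUSES = ("Deleted", "Exempt", "Opted Out", "Record Not Found")  # from the text


def normalize(kind, value):
    """Canonical form, so formatting differences do not defeat a match."""
    value = value.strip().lower()
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        # Assumption: US numbers; drop a leading country code "1".
        if len(digits) == 11 and digits.startswith("1"):
            return digits[1:]
        return digits
    return value


def hash_identifier(kind, value):
    # Assumed scheme: SHA-256 over "kind:normalized value".
    return hashlib.sha256(f"{kind}:{normalize(kind, value)}".encode()).hexdigest()


def identifier_hashes(email="", phone=""):
    """All hashes for one person or record; empty fields are skipped."""
    pairs = (("email", email), ("phone", phone))
    return frozenset(hash_identifier(k, v) for k, v in pairs if v)


@dataclass
class Record:
    record_id: str
    email: str = ""
    phone: str = ""
    exempt: bool = False  # hypothetical flag: data the broker may lawfully retain


class Broker:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.suppressed = set()  # hashes kept permanently to block re-collection

    def process_list(self, requests):
        """requests maps request id -> set of hashed identifiers; returns statuses."""
        statuses = {}
        for request_id, hashes in requests.items():
            self.suppressed |= hashes
            matches = [r for r in self.records.values()
                       if identifier_hashes(r.email, r.phone) & hashes]
            deletable = [r for r in matches if not r.exempt]
            for r in deletable:
                del self.records[r.record_id]
            if deletable:
                statuses[request_id] = "Deleted"
            elif matches:
                statuses[request_id] = "Exempt"
            else:
                statuses[request_id] = "Record Not Found"
        return statuses

    def ingest(self, record):
        """Newly collected data is refused if it matches the suppression list."""
        if identifier_hashes(record.email, record.phone) & self.suppressed:
            return False
        self.records[record.record_id] = record
        return True


def processing_deadline(retrieved_on):
    return retrieved_on + timedelta(days=CYCLE_DAYS)


def run_cycle():
    """One cycle over constructed sample data (no real people or brokers)."""
    broker = Broker([
        Record("r1", email=" Ana.Diaz@Example.com ", phone="+1 (555) 010-0199"),
        Record("r2", email="sam@example.org", exempt=True),
        Record("r3", email="lee@example.net"),
    ])
    requests = {
        "req-1": identifier_hashes(email="ana.diaz@example.com", phone="5550100199"),
        "req-2": identifier_hashes(email="sam@example.org"),
        "req-3": identifier_hashes(email="nobody@example.com"),
    }
    statuses = broker.process_list(requests)
    # Weeks later the broker buys a new feed that contains Ana's phone again.
    readded = broker.ingest(Record("r4", phone="555.010.0199"))
    unrelated = broker.ingest(Record("r5", email="kim@example.org"))
    deadline = processing_deadline(date(2026, 8, 1))
    return statuses, readded, unrelated, deadline, sorted(broker.records)


if __name__ == "__main__":
    print(run_cycle())
```

The suppression set is what separates this model from a one-time opt out: the broker keeps only hashes of the identifiers it was told to forget, which is enough to refuse the same person's data when it arrives again in a later feed.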
Early results have exceeded expectations. CalPrivacy Executive Director Tom Kemp reported more than 215,000 consumer registrations by mid February 2026, with an average of roughly 7,000 new signups every day.
The enforcement structure gives this law real teeth. Failure to register as a data broker carries a penalty of $200 per day. Failure to process a deletion request carries $200 per request, per day. A broker that ignores one million pending deletion requests faces theoretical exposure of $200 million for every 45 day cycle. CalPrivacy launched a Data Broker Enforcement Strike Force in November 2025 and has brought at least nine enforcement actions against noncompliant brokers. One of those actions hit S&P Global with a $62,600 fine for 313 days of failing to register. Another required a company called Datamasters to stop selling all Californians' personal data after investigators found Datamasters was selling names, addresses, and phone numbers of millions of people with Alzheimer's disease, drug addiction, bladder incontinence, and other health conditions.
In October 2025, Governor Newsom signed SB 361, the Defending Californians' Data Act, which expanded the Delete Act's requirements even further. Brokers must now disclose whether they collect data on sexual orientation, union membership, citizenship or immigration status, biometric identifiers, and government issued IDs. They must also disclose whether they have sold data to foreign actors, to U.S. government or law enforcement agencies, or to developers of generative AI systems.
No formal legal challenge to the Delete Act has been filed as of March 2026, and the early enrollment numbers suggest that consumers are ready for this kind of tool. The question now is whether other states will follow California's lead.
What You Can Do Right Now to Start Taking Your Privacy Back
Before the DROP platform existed, the burden of opting out of data brokers fell entirely on you. And it was crushing. Multiple estimates put the time required for a full manual opt out at 100 hours or more per year, because each of the 500 plus known broker websites has its own verification procedures, its own confusing interfaces, and its own deliberately misleading design patterns meant to keep you from completing the process. CalPrivacy Executive Director Tom Kemp estimated 20 to 30 minutes of interaction with each individual broker, adding up to what he described as "as much as 10 days' worth of work." Even after you did all of that, the results were temporary. Research shows that 73 percent of data brokers re add consumer information within 90 days of removal, with an average re listing time of just 23 days. The people search site Spokeo reportedly re adds data in 89 percent of cases within 60 days.
A growing number of commercial data removal services have entered the market to take on this burden for you. Here are the leading options as of early 2026. Optery, priced between $3 and $20 per month depending on the tier, was the top performer in Consumer Reports' 2024 study, achieving a 68 percent removal rate after four months across 13 tested people search sites. It also provides before and after screenshot proof of removals. EasyOptOuts, at $19.99 per year, achieved a 65 percent removal rate and is the cheapest option tested. Incogni by Surfshark, at $7.99 per month, covers more than 420 brokers with automated recurring requests and has been verified by a Deloitte audit. DeleteMe, at $129 per year, is the oldest service in the space with more than 15 years of operation and combines automation with human privacy experts, though it achieved only about 27 percent removal in the Consumer Reports study. Kanary, Privacy Bee, and Privacy Duck round out the market at various price points, with Privacy Duck offering a white glove, fully human approach at $197.50 per year.
If you live in California, the DROP platform is your best starting point, and it is free. For everyone else, four states currently maintain data broker registries. California has 545 registered brokers with a $6,000 annual fee. Vermont has 257 active registrants with a $100 fee and was the first state in the nation to create a registry back in 2018. Texas imposes $500 per day penalties for nonregistration and sent warning letters to more than 100 companies in June 2024. Oregon's registry took effect in January 2024 with $500 penalties capped at $10,000 annually. New Jersey, Delaware, Michigan, and Alaska have passed data broker registration bills at various stages of implementation. Nineteen states now have some form of comprehensive data privacy law that includes data broker implications, with Indiana, Kentucky, and Rhode Island laws taking effect in 2026. And Montana became the first state to explicitly prohibit law enforcement from purchasing citizens' data from brokers when they would otherwise need a warrant.
The structural challenge remains real. Data brokers refresh their databases every two to four weeks using public records, social media, purchase data, and partnerships with other brokers. You can delete your information today and find it back online within a month. California's Delete Act addresses this through its ongoing deletion obligation, requiring brokers to re check the suppression list every 45 days and maintain it permanently. For the rest of the country, the choice is between paid commercial services with modest success rates and a manual process so time consuming it amounts to a second job.
Legal Does Not Mean Right
Here is the hardest truth in this entire chapter: almost everything the data broker industry does is technically legal under current federal law. The United States has no comprehensive federal privacy statute. The laws we do have, the Fair Credit Reporting Act for credit data, HIPAA for health provider data, the Gramm Leach Bliley Act for financial institution data, were written for specific sectors and leave enormous gaps. Data brokers that collect health related information from your location data, your app usage, or your purchasing behavior fall outside HIPAA's reach. Brokers that claim they are not producing "consumer reports" for credit, employment, or insurance purposes argue they fall outside the Fair Credit Reporting Act's scope. The Federal Trade Commission's authority to go after "unfair or deceptive practices" has been useful in individual enforcement actions, and even FTC Chair Andrew Ferguson has acknowledged that his agency's authority "is not a comprehensive privacy law."
Federal legislative efforts to close this gap have failed repeatedly. The American Privacy Rights Act, introduced in April 2024 by the chairs of both the Senate Commerce Committee and the House Energy and Commerce Committee, would have created data minimization requirements, established individual rights to access and delete data, and specifically defined data brokers under federal law. It collapsed after a contentious markup in June 2024 and died when the 118th Congress ended in January 2025 without being reintroduced. The Fourth Amendment Is Not For Sale Act, which would have stopped government agencies from buying data they would otherwise need a warrant to obtain, passed the House 219 to 199 in April 2024 and then died in the Senate. The only data broker related federal law that actually made it across the finish line was the Protecting Americans' Data from Foreign Adversaries Act, signed in April 2024 as part of the TikTok legislation. That law prohibits data brokers from selling sensitive data to China, Russia, Iran, North Korea, Cuba, and Venezuela. It does nothing about the sale of that same data within the United States.
The Consumer Financial Protection Bureau tried a different approach. In December 2024, Director Rohit Chopra proposed a rule that would have brought data brokers under the Fair Credit Reporting Act by redefining key terms in the statute. The rule would have required accuracy standards, consumer access rights, and limits on what data could be used for. Acting Director Russell Vought withdrew the rule on May 15, 2025, stating that "rulemaking is not necessary or appropriate at this time." That withdrawal was part of a broader pullback at the agency that included rescinding more than 60 regulatory guidance documents and reducing staff from over 1,600 to approximately 300.
The Department of Justice's Bulk Data Rule, implementing a February 2024 executive order, took effect in April 2025 and represents the most significant new federal restriction. It broadly prohibits data brokerage transactions involving countries of concern, including China, Russia, Iran, North Korea, Cuba, and Venezuela. It covers bulk sensitive data including geolocation from 1,000 or more devices, personal identifiers for 100,000 or more persons, health data, financial data, and biometric identifiers. The rule stayed in place under the current administration. Its scope, though, is limited to transactions involving foreign adversaries. Domestic data brokerage remains entirely unaffected.
The European Union treats this differently. Under the GDPR, the General Data Protection Regulation, any processing of personal data requires a lawful basis, typically informed and freely given consent. There are no carve outs for third party collectors. Fines reach 20 million euros or 4 percent of global annual revenue. The EU treats privacy as a fundamental human right. The United States treats personal data as a commercial asset that anyone can collect unless a specific law says otherwise.
Sit with this for a moment. The federal government recognized that the sale of Americans' bulk personal data is so dangerous to national security that it banned the practice when foreign adversaries are the buyers. The same data remains freely available to domestic scammers targeting people with Alzheimer's, stalkers tracking domestic violence survivors, and government agencies buying information they cannot constitutionally compel through a warrant. The danger is the same. The legality is completely different depending on who is writing the check.
Your Tax Dollars Are Buying Your Own Surveillance
The connection between data brokers and government surveillance represents one of the most constitutionally significant issues of our time. Federal agencies have systematically purchased Americans' personal data, especially location records, from commercial data brokers as a way to get around the Fourth Amendment's warrant requirement. A declassified report from the Office of the Director of National Intelligence, released in June 2023, stated this plainly: "The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, or to keep flawless records of all their reading habits. Yet smartphone and internet technologies have had this effect without government action."
Read that again. The intelligence community itself admitted that the surveillance apparatus now running through commercial data brokers is something the government could never have legally built on its own.
The purchasing is well documented. Immigration and Customs Enforcement has held a $9.75 million contract with LexisNexis and in 2025 resumed buying location data through a no bid contract with the surveillance company PenLink. Customs and Border Protection spent more than $2 million on Venntel contracts in 2019 and 2020. A report from the Department of Homeland Security Inspector General found that CBP, ICE, and the Secret Service all violated federal law through warrantless data purchases. The FBI purchased location data from Venntel and renegotiated its contract around the time of the 2020 Black Lives Matter protests. The Centers for Disease Control spent $420,000 on location data to track people's movement during COVID. Defense contractors purchased location data harvested from Muslim prayer and dating apps and sold it to the U.S. military. As of March 2026, more than 70 members of Congress have written to the DHS Inspector General demanding an investigation into ICE's warrantless location data purchases.
The advertising ecosystem is the pipeline that makes all of this possible. Every time a web page loads or an app shows you an ad, your personal data is broadcast through a system called real time bidding to thousands of companies simultaneously. The Irish Council for Civil Liberties calculated that this system shares the intimate characteristics of internet users 178 trillion times per year across the United States and Europe. A typical American's data is broadcast 747 times per day. Google alone allows 4,698 companies to receive this data. Only one advertiser wins each auction. Every company that participates receives the personal information in the bid request. Surveillance companies have exploited this by pretending to be advertisers, harvesting the data from the bidding stream, and reselling it as tracking tools to governments around the world. The Belgian Data Protection Authority called the real time bidding system "the biggest data breach ever recorded. And it is repeated every day."
Consumer awareness remains dangerously low. Pew Research Center found that 67 percent of Americans say they understand "little to nothing" about what companies do with their personal data. Only 6 percent of American adults have ever used a data removal service. About 40 percent had no idea that data brokers sometimes sell information to the United States government. And in one study that perfectly captures the absurdity of the "notice and consent" model we all live under, 98 percent of survey respondents agreed to a fake consent form that included language granting naming rights to their firstborn child.
This Is Not About Having Something to Hide
I want to leave you with something that cuts through the noise, because I know this chapter has thrown a lot at you.
The data broker industry has a body count. From Amy Boyer in 1999 to Representative Melissa Hortman in 2025, the same failure has repeated itself for over a quarter century: the unrestricted sale of home addresses through people search sites, available to anyone for a few dollars, with no meaningful federal law to stop it.
The industry's scale is almost impossible to wrap your mind around. Profiles with thousands of attributes on 250 million Americans. Sold for fractions of a penny. Regenerating within weeks of deletion. Feeding a surveillance system that the government itself uses to sidestep constitutional protections it would otherwise be required to respect.
California's Delete Act and the DROP platform represent the first serious attempt to shift the burden from you, the individual, to the institutions that profit from your data. The early results, more than 215,000 enrollments in the first six weeks, active enforcement with meaningful financial penalties, suggest the model works. Other states need to follow. And we need a federal law.
This is not about having something to hide. This is about whether you get to decide who knows the most personal details of your life. It is about whether a company you have never heard of gets to sell your Social Security number for a penny. It is about whether your government gets to buy a record of everywhere your phone has been without asking a judge for permission. It is about your kids growing up in a country where their most private information was collected before they could spell the word privacy.
I am asking you to do three things. First, if you live in California, register for DROP today. It is free and it takes ten minutes. If you do not live in California, look at the data removal services listed in this chapter and pick one. Second, check whether your state has a data broker registry or a comprehensive privacy law. If it does not, call your state representative and ask why. Third, share what you have learned. Tell your family. Tell your friends. Tell the people you love.
The data broker industry survives on one thing above all else: your silence. The moment you understand what is happening, the moment you start talking about it and taking action, their business model starts to crack. You deserve to control your own information. Your family deserves it. And our democracy depends on it.