Reality of exposure
Data brokers: the leak you're paying for
The data brokerage industry. Who they are, what they know, how your data gets there, and what opt-out services are actually worth.
This version was translated with AI assistance and reviewed by a human.
A US broker sent me a “free” sample on one of my clients: 47 predictive attributes, including estimated divorce risk within 24 months, calculated from Amazon purchase history and rideshare frequency.
The common trap
People think about data privacy threats in terms of hackers — external adversaries trying to break through defenses. The data brokerage industry is the opposite: a legal, regulated, multibillion-dollar ecosystem that systematically collects, enriches, and sells detailed profiles of essentially every adult in the US and most of the developed world. No breach required. No hacking. You’re in their databases because their business model is to put you there.
The common response when people learn about this is “I’ll opt out.” Opt-out is real but limited in ways that matter enormously. Understanding the actual scope of the industry — who these companies are, what they know, and how your data got there — is a prerequisite for making sensible decisions about what to do about it.
Who they actually are
The data broker industry has multiple tiers with different business models, data types, and relationships to individual consumers.
Tier 1: Data aggregators
The largest players. Acxiom, Experian (consumer data division, separate from its credit bureau), Oracle Data Cloud, LiveRamp, Epsilon, and Equifax (again, the data products division is distinct from credit reporting). These companies hold profiles on billions of individuals globally. Their core product is not selling data about specific individuals — it’s selling audience segments and targeting capabilities to advertisers, insurers, employers, landlords, and financial services firms.
Acxiom’s InfoBase product claims data on 2.5 billion individuals in 62 countries. Their attribute list for a typical US profile runs to hundreds of fields: address history, household composition, income estimates, net worth estimates, property ownership, vehicle ownership, purchasing behavior, political affiliation, religious affiliation, health interest categories (derived from purchasing patterns, not medical records), life event predictions, and behavioral scores.
Tier 2: People search engines
Spokeo, BeenVerified, Whitepages, Intelius, PeopleFinder, ZabaSearch. These are consumer-facing products — the sites that come up when you Google someone’s name. Their inventory is assembled from public records, aggregator data, and their own data collection. For $20-40, anyone can pull a report containing your current and historical addresses, phone numbers, email addresses, relatives’ names, neighbors, estimated property values, and court records.
These are the brokers most directly relevant to personal safety threats: stalkers, abusive ex-partners, private investigators hired by adversaries in litigation, and anyone who wants to show up at your door.
Tier 3: Specialized data providers
LexisNexis Risk Solutions, TransUnion (data products division), CoreLogic, Dun & Bradstreet. These focus on specific verticals: financial risk, background checks, real estate, commercial credit. LexisNexis Risk Solutions provides “risk scoring” products to insurers, landlords, and financial institutions — products that function as shadow credit scores and can affect your ability to rent an apartment or get certain insurance products, based on data you never consented to share and often can’t see.
What they actually know
The attribute depth is the thing that surprises people most. This isn’t just “name, address, age.” A mature data broker profile for a typical US adult includes:
Identity anchors: full name and variations, Social Security Number (in some categories of brokers), date of birth, current and historical addresses going back decades, phone numbers (current and historical), email addresses.
Household data: household composition, estimated ages of household members, relationship to head of household, estimated household income, discretionary income estimates, net worth estimates.
Behavioral data: purchasing history (from retail loyalty programs, credit card transaction data, opt-out-by-default retail data sharing), subscription services, media consumption patterns, travel patterns derived from location data.
Derived and inferred data: this is the layer that’s hardest to see and most consequential. Credit risk estimates. Insurance risk scores. Propensity-to-buy scores for hundreds of product categories. Life event predictions (likelihood of moving, likelihood of having a child, likelihood of a significant health event, likelihood of divorce). Political propensity. Religious affiliation estimates. Health condition inferences derived from purchasing patterns (someone who buys diabetes testing supplies, insulin-related products, and diabetic-friendly food is profiled as likely diabetic, without any access to medical records).
The FTC’s 2014 data broker report — still the most comprehensive public examination of the industry — documented brokers offering segments like “Diabetes Interest,” “Cholesterol Focus,” “Heart & Hypertension,” “Bible Lifestyle,” and “Expectant Parent” derived entirely from purchase behavior and consumer opt-in registrations.
How your data gets there
Understanding the acquisition channels clarifies why opt-out is so limited.
Loyalty and rewards programs. Every loyalty card, rewards program, and frequent buyer registration is a data collection mechanism. The purchase data you generate at a supermarket, pharmacy, or retailer is routinely sold or shared under data sharing agreements that appear in the terms of service as “sharing with partners to improve your experience.”
Mobile apps. Location permissions, contact access, and behavioral telemetry from apps are systematically sold to data brokers. This applies to free apps (where data is the product) but also to many paid apps that have secondary data monetization. Ad SDKs embedded in apps often have their own data collection policies that operate independently of the app’s own privacy policy.
ISP and telecom data. Internet service providers and mobile carriers collect browsing history (at the DNS level), location data, and usage patterns. In the US, Congress voted in 2017 to eliminate FCC rules that would have required opt-in consent for ISPs to sell this data. Carriers have been fined multiple times for selling real-time location data — and continued doing it.
Public records. Property records, court filings, Companies House equivalents, voter registration (where it’s public), professional license filings, business registrations. This is legitimate public information that brokers aggregate and cross-reference at scale.
Data sharing between brokers. Brokers buy data from each other. A record created by Acxiom in 2015 may have been sold to LiveRamp, who sold it to Epsilon, who combined it with other data and sold the enriched record to Spokeo. By the time you request opt-out from Spokeo, the upstream copies in Acxiom, LiveRamp, and Epsilon’s systems are untouched.
The regulatory framework
EU and UK GDPR. The strongest legal framework for individuals. In theory, data brokers processing EU/UK personal data must have a lawful basis, honor erasure requests, and respond to subject access requests. In practice, most large US-headquartered brokers claim “legitimate interest” as their lawful basis and fight erasure requests. Enforcement is real but slow and uneven.
CCPA and CPRA (California). California’s laws give residents the right to know what data is held, the right to opt out of sale and sharing, and — under CPRA — the right to correct inaccurate data. The California Privacy Protection Agency has enforcement authority. This is the strongest US-jurisdiction framework, and many brokers apply California rights nationally for operational simplicity.
Vermont Data Broker Registry. Vermont requires data brokers to register with the Secretary of State and provides basic consumer rights. The registry is publicly searchable and gives you a list of registered brokers to send opt-out requests to.
Most of the world. Outside the EU/UK and California, there is limited regulatory protection against data brokers. Australia, Canada, and some other jurisdictions have privacy frameworks, but enforcement against US brokers is practically difficult.
What opt-out services are actually worth
Several services — Incogni (Surfshark), DeleteMe, Optery, Privacy Duck, Mozilla Monitor Plus — offer to manage data broker opt-out requests on your behalf. Here’s an honest assessment.
What they do. They submit opt-out and deletion requests to a list of brokers on a recurring basis. They typically cover 100-300+ brokers. They provide dashboards showing request status. DeleteMe and Optery manually verify removals; Incogni relies more on automated submission.
What they actually achieve. For the consumer-facing people search engines (Spokeo, BeenVerified, Whitepages, etc.), opt-outs are generally honored within a few weeks. This is the most practically impactful result — it makes it harder for a casual searcher to pull up a current dossier on you from a $20 people search site.
What they don’t achieve. They can’t reach the Tier 1 aggregators’ internal systems in any meaningful way. They don’t touch LexisNexis Risk Solutions, Experian’s data products division, or the specialized financial/insurance data products. They don’t reach downstream buyers who already purchased your data. They don’t prevent new data from flowing in — opt-outs are re-submitted because new data keeps getting added.
Cost-benefit. At $10-15/month, these services are worth using as a baseline measure, primarily for the people search site suppression. Don’t expect them to fundamentally change your data broker exposure profile. Treat them as one layer in a broader operational approach, not as a solution.
Manual work that can’t be delegated
Some things require your direct action because they require identity verification or decisions that can’t be automated.
LexisNexis opt-out. Request your LexisNexis consumer file directly at opt-out.lexisnexis.com. This reaches LexisNexis’s consumer data products, but it does not fully cover its risk solutions business. Worth doing.
Acxiom AboutTheData. Acxiom operates a consumer portal where you can view and edit some of the data they hold on you. It’s a fraction of their actual database, but it’s something.
ChexSystems and Early Warning Services. These are used by banks to screen applicants. If you’ve had banking problems (overdrafts, account closures) these are the systems that can prevent you from opening a new bank account. You can request your file and dispute inaccuracies.
CLUE report (insurance). Request your CLUE report from LexisNexis for your auto and home insurance history. You have a right to this data and a right to dispute inaccuracies.
Credit freeze. Not a data broker opt-out, but functionally important: freeze your credit file at all three major bureaus (Equifax, Experian, TransUnion) plus NCTUE, Innovis, and ChexSystems. This doesn’t affect data sharing but does prevent new accounts being opened in your name.
- N1 Google your own name and phone number to see which people search sites surface current information
- N2 Subscribe to one opt-out service (Incogni, DeleteMe, or Optery) and let it run for at least 3 months
- N2 Manually submit opt-out requests to LexisNexis consumer opt-out and Acxiom's consumer portal
- N2 Request your CLUE report and ChexSystems file and review for inaccuracies
- N2 Freeze your credit at all three major bureaus plus NCTUE, Innovis, and ChexSystems
- N2 Stop using loyalty cards that aren't worth the data cost — evaluate each one by what you actually get from it
- N3 Audit the location and contact permissions on every app on your phone; revoke what you're not actively using
- N3 Review what data your ISP and mobile carrier collect and sell, and opt out where the mechanism exists
Sources and further reading
- FTC Report — Data Brokers (2014) [report]
- Privacy Rights Clearinghouse — Data Brokers [official]
- Vermont Data Broker Registry [official]