You may not know who data brokers are, but they know you. Thousands of data brokers buy and sell consumer data every day, collecting a staggering amount of information about everyone, including you. Read on to learn about the companies that sell your information to third parties — and how Avast BreachGuard can help you take back control of your personal data.
Data brokers keep an enormous amount of information about you. Their user data collection ranges from the mundane (your likes and dislikes, recent purchases, the city you live in) to the sensitive (your health issues, marital status, arrest record, income level, physical address).
Once they’ve collected all of that information, data brokers sort you into a category that gets sold to advertisers or other interested third parties.
It’s important to note that the information data brokers collect on you isn’t necessarily accurate. Have you recently searched for gifts like baby clothes for a friend, dog toys for your brother’s pet, or a cycling jersey for your coworker? You could easily be misclassified as a pregnant, dog-owning cycling enthusiast.
But often, the intimate information gleaned through your internet searches, social media profiles, and public records does paint a usefully accurate picture of you.
Data brokers collect information from a variety of sources, both online and off. Their offline sources include publicly available information, such as marriage licenses, arrest records, property sales, and even the sensitive personal information you submit to the department of motor vehicles, which includes your date of birth and address.
Data brokers collect even more information online, and their techniques can be quite sneaky.
Data brokers collect a variety of information about your interests, behavior, and purchases, from both online and offline sources.
Here are some of the forms of online tracking that enable data collection:
Tracking cookies: Cookies are small packets of data that are often required to make websites work. But tracking cookies exist to do just that — follow you around the web and log your activity.
Browser fingerprinting: More insidious than tracking cookies, browser fingerprinting uses invisible website scripts to identify you based on your browser, device, time zone, preferred language, video and audio equipment, and even more granular details. Paired with cross-site tracking, fingerprinting can follow you around the web even when you’re not logged in or are using Incognito mode.
Web and email beacons: Web beacons are tiny, single-pixel images that track your behavior on websites, emails, and elsewhere. They can track things like the products you click on but don’t buy, the emails you open, the links you click, and more. Beacons are often how you get “retargeted,” or shown ads for items you recently searched for.
IP address tracking: Your IP address identifies you on the internet. It’s like a home address to make sure the data you request — searches, emails, and more — gets delivered to your device. Websites track the geographic location of their visitors and identify repeat visitors and their preferences using IP addresses.
Ecommerce sites: Ecommerce sites track your preferences because (clearly) they want to sell as much as possible to you. Many ecommerce sites use customer data platforms (CDPs), specific software designed to help businesses mine data and turn it into sales. When you get an email reminding you of a product still left in your shopping cart, that’s likely an automated email from a CDP.
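To make the web and email beacon item above concrete, here is an added example (not part of the original article and not Avast code) that scans an HTML email body for images that look like tracking pixels. The sample message, the `shop.example` sender domain, and the `find_beacons` helper are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample: a marketing-style HTML email body (not a real message).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your cart is waiting!</p>
<img src="https://shop.example/img/logo.png" width="180" height="60" alt="Shop">
<img src="https://track.example.net/o.gif?uid=8f3a91c2&amp;msg=spring24" width="1" height="1" alt="">
<img src="https://metrics.example.org/p?r=user%40mail.example" style="display:none">
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    # True when a width/height attribute is 0 or 1 (with or without "px").
    return value is not None and value.strip().lower().replace("px", "") in ("0", "1")

class BeaconFinder(HTMLParser):
    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        host = (url.hostname or "").lower()
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 image")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by CSS")
        if not reasons:
            return  # a visible, normally sized image is not treated as a beacon
        # Extra context: who serves the pixel, and does the URL carry identifiers?
        first_party = host == self.sender_domain or host.endswith("." + self.sender_domain)
        if host and not first_party:
            reasons.append("third-party host")
        if parse_qs(url.query):
            reasons.append("query parameters present")
        self.findings.append({"host": host, "reasons": reasons})

def find_beacons(html, sender_domain):
    parser = BeaconFinder(sender_domain)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_EMAIL_HTML, "shop.example"))
```

Mail clients that block remote images by default stop these requests from being made at all, which is why that setting defeats most email beacons.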
There are different types of data collection and web tracking. Many websites and apps offer their products and services for free in exchange for collecting your data. These are known as first-party data brokers, because they have a direct relationship with you as their customer. If you don’t want to shell out cash to use a social network, search engine, or messaging service, then you’ll be serving up your data instead.
Most first-party data brokers promise that they don’t “sell” your data — but that doesn’t necessarily stop them from selling “access” to it. And many do offer packages like “audience targeting,” where advertisers can pay to target users based on their behavior or preferences.
It’s a good idea to look carefully at the free online services you use and see what their data collection policies are.
Unlike first-party data brokers, third-party data brokers don’t have a direct relationship to you. Instead, they buy, repackage, and sell data from and to other brokers and advertisers. When people talk about data brokers and selling data to third parties, they usually mean third-party data brokers.
Unsurprisingly, data brokers make money by selling your data: ka-ching! The information-selling business ranges from consumer categories (a pre-packaged customer bundle, for example) to specific profiles of individuals (found, say, on people search or White Pages sites).
While some brokers technically “rent” or “license” data, it’s essentially the same as a sale. Data brokers usually sell aggregated data to:
Other data brokers.
Advertisers, who buy “market insights” to target potential customers.
Political campaigns, who buy data to target their campaign messages.
Data brokers also sell data on individuals to:
Financial institutions that want information about a specific person before granting them a loan.
Landlords who want to check up on potential tenants.
Prospective employers looking into job candidates.
Doxxers, who harass people by discovering their sensitive personal information and publishing it online.
Anyone who has $20 and wants to learn your secrets.
When data brokers get compromised in a data breach, hackers can benefit quite a bit. They can use stolen credentials to commit identity fraud, monetary theft, and other cybercrimes. They can also sell stolen credentials (usernames, passwords, bank account numbers, etc.) on the dark web. Considering how much sensitive information data brokers have, the thought of cybercriminals getting that info after a data breach is disturbing, to say the least.
The monetary value of one person’s data varies. Some suggest it’s worth more than $240 per year. Your email alone can retail for about $89. Or you may be on a list of names that sells for 79 bucks. People search sites provide information for free or all the way up to $30 monthly subscriptions or $40 for a single report.
As an industry, data brokerage garners $156 billion annually — that’s twice as much as the US government’s intelligence budget!
Data brokers can generally be categorized into one of four types: marketing and advertising, financial information, people search, and health information.
Targeted advertising, “personalized” marketing, suspiciously relevant Google ads, or other ads for products you’ve clicked on before: these all happen because of marketing and advertising brokers and the use of online tracking.
Have you ever been denied a loan or a credit card, or been offered strangely high interest rates by a mortgage company? Financial info brokers, also called fraud detection or risk mitigation brokers, trade in personal financial information like your credit score and perceived financial “riskiness.” They also sometimes help prevent fraud by verifying real identities.
Feeling curious about your upcoming Tinder date? Need to verify if the long-lost “relative” on social media really is who they say they are? People search brokers and White Pages sites offer up specialized data reports on individual people — and you’re surely on their lists too.
How would you feel if your insurance rates suddenly went up? Health information brokers compile your perceived health issues (based on what you search for online, such as symptoms, therapies, etc.) with your offline purchases (such as the prescription and over-the-counter drugs you purchase using a pharmacy’s loyalty card) to build a profile about you.
Insurance companies can purchase these data sets and use them to raise your rates or even refuse to insure you. When you consider that the data might not even be valid (you could be searching for your husband’s symptoms or buying meds for your grandma), health information brokerage may be one of the most unfair brokerage practices around.
There are thousands of data brokers out there. Let’s take a look at some of the largest data broker companies currently operating.
Equifax, Experian, and TransUnion are the three largest credit bureaus, or consumer reporting agencies. They collect information about your credit history and credit score, and then provide that to creditors and lenders who want to assess your trustworthiness. The credit bureaus get their information from credit card companies, loan histories, debt collection agencies, and other sources.
While it’s understandable that a bank would want to assess your creditworthiness before giving you a loan, data breaches from these agencies can leave your personal information exposed.
In 2017, Equifax suffered a massive breach that exposed the private information of 143 million Americans. The leaked data included credit card numbers, social security numbers, birth dates, physical addresses, driver’s license numbers, and more. With that type of info, criminals can open new bank accounts or lines of credit in someone else’s name. The breach itself was bad enough, but Equifax waited six weeks to come clean about it, giving cybercriminals a huge head start.
Experian, which collects data on more than one billion people and businesses, was breached in 2020. The Experian breach exposed the personal data of 24 million South Africans and 800,000 businesses. An earlier Experian breach in 2015 leaked the sensitive data of 15 million Americans.
The TransUnion breach in 2019 was less massive but still significant, exposing the personal data of 37,000 Canadians.
One of the biggest data selling companies, Acxiom LLC “enables people-based marketing everywhere.” Acxiom has been collecting data on hundreds of millions of people since 1969 — that’s right, data brokerage predates the internet. Acxiom collects most of their data from public records, consumer surveys, magazine subscriber lists, summary reports about retail purchases, and online tracking. What does that look like in practice? 23,000 servers constantly collecting, collating, and analyzing more than 50 trillion unique data transactions every year.
Acxiom has profiles on 700 million consumers, including 96% of American households, with up to 1,500 specific traits on each individual. These traits can be as granular as your weight, your handedness, and the breed of your cat. And Acxiom sells this info to credit card issuers, banks, telecom companies, and insurers.
CoreLogic relies on data collection — including property, mortgage, and financial data — to operate its business. They provide property analytics, rental screening, mortgage fraud management, location intelligence, and offer various data-informed tech products.
Critics of CoreLogic point out that they use automated tactics — such as their screens to determine who can rent or buy a home — that remove the human element from personal decisions. Erroneous CoreLogic data can prevent people from securing housing — as it did in the case of a recovering coma-sufferer trying to rent a more disability-friendly place.
PeekYou is a people search site that lets you “find and contact anyone online.” PeekYou helps six million monthly visitors track people down, from old friends to long-lost classmates. While that may seem like a reasonable proposition, they take it several steps further.
PeekYou practices information scraping, which involves combing the web to collect all kinds of tiny scraps of info about people, including info from job sites, social media, online forums, and message boards. PeekYou has even applied for a patent for their special technique of matching “people’s real names to pseudonyms they use on blogs, Twitter, and online forums.” That’s in addition to the more straightforward info they offer, like your full name, most recent address, address history, phone number, date of birth, and known relatives.
Datalogix, owned by Oracle, primarily deals in tracking behavioral patterns to increase sales. The broker collects data from consumers’ online and offline purchases, among other places.
Datalogix enjoyed a comfortable six-year relationship with Facebook, during which it helped track which users bought products based on Facebook ads. Facebook eventually ended the partnership due to increased scrutiny over third-party data mishandling. But that hasn’t stopped Datalogix from developing other questionable relationships across the data brokerage industry, including partnerships with Acxiom, Experian, and other major players.
The legality of data brokerage and the laws on selling personal information vary from country to country. The European Union, with its General Data Protection Regulation (GDPR), has some of the strictest data privacy laws — but data brokers still find ways to operate.
In the US, data brokerage laws vary by state. In general, data brokers operate in the dark, skirting laws and regulations and maneuvering in legal grey areas. As with many 21st-century cybercrimes, laws often lag behind technological advances. And many players, from shady cybercriminals to large data broker companies, stay ahead with unethical, if not actually illegal, practices.
Many data brokers operate in legal grey areas.
Data brokers are regulated differently depending on the jurisdiction they operate in. In general, though, data broker regulations tend to be fairly weak. In the EU, the GDPR requires companies to obtain user consent when using online surveillance tools like tracking cookies. And while the EU attempted to tighten regulations on data brokers in April 2019, the data broker industry is still alive and well in Europe.
The US has even fewer regulations surrounding data brokers. Back in 2014, the Federal Trade Commission (FTC) published a report on the industry (“Data Brokers: A Call for Transparency and Accountability”), but there are still no federal regulations governing data brokers. The Fair Credit Reporting Act does ensure that credit reporting agencies let you view and correct errors in your credit report, but the law applies only to that specific type of data broker. In other words, it doesn’t apply to all the other types of brokers out there, like marketing and health information brokers.
Only California and Vermont have state laws governing data brokers. California’s Consumer Privacy Act and Vermont’s Data Broker Law both require data brokers to register with the state and pay an annual fee. These laws contain consumer protections and serve to bring shadowy data brokers out into the light — but the protections extend only to residents of the respective states. It remains to be seen if more states will emulate these laws and try to increase transparency and consumer protection throughout the country.
Opting out of data broker lists or getting your info removed from personal information databases is possible — but it’s not easy. You can take one of three approaches: contact data brokers yourself, try to stay off databases in the first place, or use a data protection service.
Unfortunately, there are thousands of data brokers, and they certainly don’t make it easy for you to contact them and get your data removed. It would take significant time and effort for you to issue removal requests to all data brokers and follow up with them to make sure your data doesn’t reappear on their lists.
One step in the right direction is to limit the data that companies can collect on you. While some information, like public records, can’t be hidden, you can reel in other sources.
Don’t sign up for in-store loyalty programs. Yes, that means missing out on discounts. But it might be worth it to keep your buying habits hidden.
Make all your social media accounts private. We’re not crazy enough to tell you to delete your social media accounts (though it would certainly help!), but you can at least tighten up your privacy. For starters, make sure you’re using secure settings on Facebook, make your Instagram private, and try to lock down your other accounts.
Use robust anti-tracking technology. Strong anti-tracking software camouflages your browser fingerprint to prevent advertisers and others from logging your activity online. Avast AntiTrack’s advanced anti-fingerprinting technology keeps your identity safe by blocking trackers on every site you visit.
Use a secure browser. Online tracking is one of the most common ways that companies mine your data, and Incognito mode won’t hide you from sophisticated online surveillance tools like tracking cookies and device fingerprinting. A dedicated anti-tracking browser, such as Avast Secure Browser, uses advanced anti-fingerprinting technology so you can browse privately and keep your info out of data brokers’ hands.
These are great privacy habits to adopt. But if you’ve been using the internet for years, you’re already in thousands of personal information databases. To make removal easy, consider using a service like Avast BreachGuard to handle it for you. Avast BreachGuard will send automated removal requests on your behalf so you can take back control of your data. Plus, you’ll get 24/7 privacy risk monitoring.