Data Brokers: How Your Personal Data Becomes Business

You’ve been planning on fixing your brakes and Googling auto repair shops. At the same time, you have been longing to buy butterscotch fudge ripple ice cream and searching for it on your Instacart app. Suddenly, you’re seeing ads for car repair and ice cream parlors. It may seem like a weird coincidence, but it’s actually a scheme cooked up by data brokers.
When you visit a website or use an app, you consent to specific data being used by that company. That data can be purchased by ad auction companies, which compile the personal information into profiles that can be used to display unique ads — refreshing ice cream in a waffle cone.
This is how data brokers operate. A data broker collects information about consumers’ personal lives and their financial information. The data broker industry, estimated by some to be worth $277 billion, is one in which your intel is sold, sometimes to reputable firms and sometimes not. Countries around the globe may purchase your information. If your data is an actor, think of a data broker as the agent. Except when they sell your information, they get all of the money, and you don’t.
Whether it matters depends on how comfortable you are sharing your personal information with the world.
“Even if personal information doesn’t include highly sensitive details like Social Security numbers, data brokers can still use it to build surprisingly detailed profiles of individuals,” says Adwait Nadkarni, professor at the William & Mary Cybersecurity Center.
“By combining demographic details such as age, location, and gender with other data points, brokers and their clients can infer financial status, dietary habits, political leanings, and even certain health information, if not covered by HIPAA,” Nadkarni says.
What can we do to protect ourselves short of going completely off the grid?
How data brokers work
It isn’t as if there’s one big file on you, and the data brokers grab it and sell it. Data brokers compile the file. With the help of software and algorithms, they gather countless small pieces of data from different sources, piecing them together to create a detailed, holistic picture of — you.
Data brokers aren’t all alike. You can generally break them down into three categories:
Marketing data brokers: These companies build consumer profiles for targeted advertising and marketing campaigns.
Why they are in business: The more a marketing company knows about you, the more likely they can sell you something you want. You may welcome that — or prefer finding things to buy instead of retailers finding you.
People search sites: You probably have seen these websites on the internet; they aggregate public records and other information to create searchable profiles of individuals, often for a fee.
Why they are in business: To tell people or organizations all about you. This isn’t ominous if you’re the one paying to look for somebody and have pure reasons; maybe you’re searching for a long-lost cousin or want to learn more about the guy your daughter is dating (your daughter may think you’re crossing a line). However, it becomes a much more worrisome story if you’re on the receiving end of an unwanted search.
Risk mitigation brokers: These are companies that sell data to help businesses assess risk, such as for fraud prevention or identity verification.
Why they are in business: This can be a good thing. For instance, if somebody has stolen your identity, a company that uses a risk mitigation broker may learn that the thief isn’t actually you and refuse, for instance, to issue a loan in your name.
How do data brokers collect your data?
Data brokers hunt down your data in various ways, but there are three lanes they travel down the most.
Public records
Here, data brokers engage in a practice called web scraping, where they use software to scrape information about you from government and public databases, including:
Voter registration records
Property records (home ownership, taxes)
Birth and marriage certificates
Motor vehicle records
Court records (criminal history, bankruptcies)
Commercial sources
Some companies and brands you interact with on a daily basis sell your data.
Retailers and loyalty programs: Sure, you get deals with these programs, but your shopping habits, brand preferences, and purchases are valuable, and even if, for instance, your grocery store or favorite restaurant doesn’t sell your information, they can use it to try to get you to spend more money there. (But you may not care if they keep shoving coupons your way.)
Credit card companies and financial institutions: They collect data on your spending habits, income level and creditworthiness. Exactly how they sell it is often up for debate. Some companies insist they sell no individualized personal data but just information on what a certain demographic is buying. But there’s no doubt that credit cards, banks, credit unions and other financial institutions have a lot of valuable intel on their customers. Mastercard, for example, was caught selling its customer data to third parties.
Data from other companies: Many businesses sell customer lists or data to brokers as part of their business model. The credit bureaus Experian, Equifax and TransUnion all sell data and are some of the nation’s biggest data brokers. There are a lot of data brokers out there. Let’s put it this way: The nonprofit Privacy Rights Clearinghouse has a database of 750 registered data brokers.
Online activity
This is the third way that data brokers collect data — by analyzing your digital footprint. Practically speaking, the entire internet is one giant data brokerage.
Some of the ways that companies learn about you online include:
Website tracking: Cookies, tracking pixels and web beacons follow your browsing history. Some cookies (text files sent from a website to your browser) make it easier to navigate the internet, and some simply track what you’re doing. Tracking pixels are similar to cookies but are images, and web beacons are invisible files. They all monitor what you’re doing on the internet.
Social media: Data brokers can scrape public information from social media profiles, compiling your likes, interests and connections.
Mobile apps: Many apps, from games to weather services, request extensive permissions from you. If you’re like most people, you’re going to sign whatever you’re asked, so you can play your games and learn whether it’s going to rain. Meanwhile, these apps are selling your location data and other information to brokers.
What type of personal information do data brokers collect?
Data brokers are interested in virtually everything about you, including:
Identity and demographics:
Your full name, current and past addresses, phone numbers, and email addresses.
Your age, gender, marital status, ethnicity and family members.
Your education level and occupation.
Behavioral and lifestyle:
Your shopping habits and purchase history.
Web browsing history and search queries.
Hobbies, interests, and political affiliations.
Location data (places you visit, commute patterns).
Financial and health:
Your income level, credit score, assets and debts.
Inferred health conditions based on purchases (e.g., pharmacy data) or online searches.
What do data brokers do with your information?
Once data brokers have a wealth of information on you, there’s virtually no limit to what they can do with it. Some of the ways they can make money off of you include:
Targeted advertising: Companies buy data to create particular ad campaigns. If you’ve researched “diabetes” online, for example, you may suddenly see pharmaceutical ads promising medication that can help your condition.
People search sites and background checks: This data is compiled for sites where we can all look up each other’s personal details for a fee.
Risk assessment: Insurance and finance companies use the data to set premiums, assess creditworthiness, or detect fraud. That may sound fine, but there’s the potential for companies to make incorrect or unfair guesses about you. If you’re looking up anti-anxiety medicine online because you’ve had a bad day, your health insurer could assume you’re going to need counseling and raise your rates. Privacy experts worry about these types of hypotheticals.
Other uses: Then there are less common but significant uses, such as political campaigns micro-targeting voters. Government agencies can also learn even more about you if they want to pay for a file of your personal data.
It gets even more unsettling.
“Among the sensitive information gathered is names, addresses, Social Security numbers, employment information, family information and interests,” says Steven Weisman, a senior lecturer in law and taxation at Bentley University and owner of the website Scamicide.
“In the wrong hands this information can be used to make effective spear phishing emails and text messages that can lead to identity theft and fraud,” Weisman says.
It may sound alarmist, but Weisman points out that in 2020 and 2021, the Justice Department brought legal action against data brokers Epsilon LLC, Macromark Inc. and KBM.
“Epsilon sold private information of 30 million Americans to scammers,” Weisman says.
What are the biggest data brokers?
You’ve likely heard of some of the biggest data brokers, such as the three credit bureaus (Experian, Equifax and TransUnion).
Other big players, which you may or may not be familiar with, include:
LexisNexis
Nielsen
Oracle
Epsilon
Acxiom
Many of these data brokers have a niche. For instance, credit bureaus generally work with lenders; CoreLogic sells real estate data to brokers, investors, and agents. Spokeo and Intelius are consumer-facing “people search” sites.
Google, Amazon and Facebook aren’t technically data brokers, in case you were wondering, but, yes, they have a lot of data on their consumers, and some privacy critics have described them as modern-day data brokers.
How to protect your information from data brokers
If the idea of data brokers makes you squeamish, there are ways that you can protect yourself. Make no mistake — it’s not easy and not practical for most people to try to keep their personal information private.
Still, you can request that data brokers not collect your information and not sell it, and depending on the company and the laws governing where you live, they may have to comply.
If you don’t feel up to contacting data brokers individually, a strategy referred to as “manual opt-out,” you can pay for a data removal service. Numerous data removal services exist, with names like DeleteMe, Optery and EasyOptOuts. They come at a cost, though, with some charging over $100 and $200 a year.
But one of the advantages of working with a data removal service is that if you sign up for a subscription, the service can continually ask data brokers not to sell your personal data. If you ask a data broker to stop selling your information, they may stop – and then later, if the law allows it, resume selling it.
You can also try to minimize your digital footprint, so a lot of your information doesn’t get out there in the first place. You may want to try the following:
Use a VPN and private browsers. It’s a smart way to keep hackers and cybercriminals from accessing your information.
Use the best antivirus software you can find and afford. Without it, you’re leaving yourself vulnerable to cybercriminals.
Be selective about the apps you download and the permissions you grant.
Read privacy policies and terms of service.
Decline marketing opt-ins and loyalty programs whenever possible.
Be mindful of what you post on social media and other public forums. We tend to think that only our family and good friends will see what we post, but there’s the potential for just about everyone to see it.
Try to avoid being scammed, obviously.
Protecting yourself from identity theft can only help you keep your information private.
The bottom line? You have a lot of valuable personal information, but you aren’t watching out for it. It really isn’t your own — it belongs to the data brokers.