How Do Data Brokers Work?

When we started EasyOptOuts in 2020, we had no idea how much we didn't know about data brokers. We knew they collected information about people and sold it. But as we scraped their sites, studied their opt-out processes, and watched how data flows between them, we realized the industry is far more complex and interconnected than most people imagine.

Data brokers exist on a minimally-regulated legal frontier that most Americans don't know about. They're the reason your home address shows up on Google. They're why you get pre-approved credit card offers, or why you get rejected for a loan. They help insurance companies decide what to charge you. They influence what you buy with incessant targeted ads. And for the most part, they operate in the shadows.

To protect your privacy, we think it's important to understand how data brokers actually work. Where do they get your information? How do they make money? Why would your data keep reappearing even after you remove it? And why does this industry exist with minimal regulation?

What Is a Data Broker?

Data brokers collect information about people or businesses for the purpose of selling or sharing it.

Most data brokers are companies you've never heard of and will never interact with. You've never signed up for an account with Acxiom or LexisNexis or Epsilon, but they probably have extensive files on you anyway.

The industry is massive, exceeding $300 billion in annual revenue. In addition to the companies above, major players include credit agencies like Experian and TransUnion, and other companies like Oracle Data Cloud, along with thousands of smaller brokers operating in various niches. Many companies are data brokers even if much of their revenue comes from other sources.

Most of the time, you're their product, not their customer. They make money from businesses that want to target you with ads, assess your creditworthiness, screen you for employment, sell you insurance, or repackage and resell your data. You'll only interact with a data broker directly if you look someone up and want to buy a report on them.

The world of data brokers breaks down into several major categories:

1. Marketing data brokers: These tend to be companies that most people have never heard of, like Acxiom, Epsilon, Oracle Data Cloud, and LiveRamp. They sell data to advertisers and marketers to help them reach their target audiences more effectively.
2. Risk assessment brokers: These credit bureaus and background check companies may only cross consumers' paths whenever you need a credit report, but they're often working in the background to help financial companies evaluate the risk in financial transactions. Experian, Equifax, TransUnion, and LexisNexis make most of their money by selling data to lenders, insurers, employers, and landlords.
3. Government data providers: Companies like Palantir, Flock, Clearview, and LexisNexis maintain repositories of data solely to sell to the government for law enforcement and investigations.
4. People search sites: These show up in Google search results. Websites like Spokeo, WhitePages, BeenVerified, Radaris, and PeopleFinders display and sell information including your address, phone number, age, and relatives.

All types of data brokers feed each other. Data flows between them constantly.

Where do data brokers get your information?

The short answer is everywhere, basically. They mine your data from government records, business transactions with retailers, app usage, your employer, your landlord, USPS, the DMV, your car, your credit cards, banks, and loans, and via relationships with other brokers. They even pull in the contents of data breaches.

The longer answer requires breaking down the major sources. Some are places you'd expect, but other sources will surprise you.

Government records

Public governmental records are the bedrock of the data broker industry. While these records have always been technically "public," before the internet you had to physically go to a courthouse or DMV to access them. Now that there's digital access, data brokers have changed everything by scraping all these scattered records and making them searchable in one place.

Some of the top culprits include:

• County property records: If you own property, most of the time, your name and address are public through the county assessor's office. Data brokers scrape all the counties' data and aggregate it into searchable databases. Within weeks of buying a house, your name will be tied to your new address on people search sites.
• DMV records: In most states, the Department of Motor Vehicles (or equivalent) sells driver information to data brokers. According to a 2024 investigative report, the 23 states that responded to a public records request received $282 million for selling personal information from driver's licenses and vehicle registrations to data brokers and private investigators. This includes names, addresses, dates of birth, and sometimes even physical descriptions.
• Voter registration: Most US states make voter registration information available to third parties, including names, addresses, birth years, phone numbers, and party affiliation. Some states sell this data. Others make it freely crawlable. Ballotpedia has a summary for each state.
• Court records: Lawsuits, divorces, criminal records, bankruptcies, and traffic tickets are all public and can be scraped by data brokers. Even if charges were dropped or you were found not guilty in a criminal proceeding, arrest records often remain public forever.
• Professional licenses: Doctors, lawyers, real estate agents, contractors, nurses, and teachers all hold professional licenses that make their name, address, and license numbers public and searchable in many jursidictions.
• USPS: When you submit a permanent change of address to tell USPS to forward your mail, they sell your new address to hundreds of companies for marketing, resale, and third-party address updates.

While no single public record tells the whole story, data brokers combine all these sources to to build a complete profile.

Business transactions and subscriptions

Every time you interact with a business, you generate data. And most of the time, buried in a long, cryptic privacy policy most people don't bother to read, there's language that gives companies the right to sell or share that data. Some businesses share more than others, but you can expect many of the businesses you interact with to share at least some of your data:

• Retailers and loyalty programs: Your grocery store loyalty card tracks every purchase you make. Pharmacies know what medications you take. These companies sell or share this data with data brokers, often in an "anonymized" form that still contains enough information for brokers to attribute it to you later. Data sales were 35% of Kroger's net income in 2024.
• Online purchases: Many ecommerce sites sell your name, address, email, phone number, and purchase history to data brokers. Check out the privacy policy next time you're buying something online.
• Warranty registrations and surveys: Ever fill out a warranty card? That data gets sold. Enter a contest or giveaway? Sold. Take an online quiz? Sold.
• Newsletter signups and account creation: Every time you create an account or sign up for emails, you're adding yourself to more databases that can be shared, sold, or lost in a data breach.

Data breaches and the dark web

When companies get hacked, customer databases end up on the dark web. These breaches contain detailed information, including names, addresses, Social Security numbers, passwords, credit card details, and answers to security questions. When a company like a credit agency or a health provider is hacked, the information can be even more sensitive.

Data brokers buy this information or download it for free from sites dedicated to sharing breached data. Then they match it up with existing profiles of people and add it to their databases. According to a 2025 study by the Identity Theft Resource Center, there were 3,322 publicly disclosed data breaches exposing 279 million people in the previous year.

Here are a few notable breaches that fed the data broker ecosystem:

• National Public Data (2024): 2.9 billion records including Social Security numbers, addresses, and relatives
• ADT (2026): Millions of names, phones, and addresses stolen
• Equifax (2017): 147 million Americans' Social Security numbers, birth dates, and addresses

Sometimes, companies aren't breached. Instead, they make their data public, free to be scraped in mass. In 2021, 700 million scraped LinkedIn user profiles were put up for sale. The same year, 530 million scraped Facebook profiles were shared online.

Even when companies claim data was "anonymized," it's often trivial to identify individuals by cross-referencing with other databases.

USPS change of address forms

We mentioned this in our Remove Yourself From Google guide, but it bears repeating: when you file a permanent change of address with USPS, they will sell that information to marketers and data brokers.

In 2013, Forbes found that USPS made $8 million selling change-of-address data through its National Change of Address Licensing program. The result is your new address appearing on people-search sites within weeks.

Payroll data from your employer

Sadly, your employer is probably as bad at reading privacy policies as you are. As a result, they're likely to use payroll and other financial vendors who share your data with brokers.

For example, Intuit (which makes TurboTax and QuickBooks) quietly changed its terms of service in 2021 to allow it to share payroll data with Equifax. The change applied to 1.4 million small businesses, exposing income and employment data for millions of employees.

Why would Equifax want this information? Its "Work Number" service collects employment and income data on over 130 million US workers. Employers share payroll information with Equifax, which then sells verification services to lenders, landlords, and other businesses.

This isn't just about ads. This data affects whether you get approved for a loan, what interest rate you're offered, whether you get an apartment or a mortgage, and how much you pay for insurance.

Phone apps

Modern smartphones are tracking goldmines for data brokers because they can share your usage and location data in addition to personal information. Their persistent, globally-unique advertising IDs tie your data together for data brokers to de-anonymize later.

Any app with location permissions can track everywhere you go. Weather apps, games, and social media all collect this data. A 2018 New York Times investigation found that at least 75 companies receive anonymous, precise location data from smartphone apps. In 2019, another smaller study found that 79% of health and medicine apps share information with third parties.

This user data is then sold to data brokers, who aggregate it and sell it to advertisers, retailers, hedge funds, governmental agencies, and even the general public. They can see where you live, where you work, where you shop, which protests you attended, and which churches you visit.

Modern cars track your location and driving habits, too. A 2024 Mozilla Foundation report found that many car manufacturers sell your car's data to data brokers, who then sell it to insurance companies to adjust your rates based on your driving behavior.

Social media harvesting

While many of your actions involuntarily share data with brokers, many of us share reams of data willingly with our favorite social media apps. Even if your profile is set to "private," data brokers can still get your social media data.

What they scrape:

• Public profiles (bio, profile picture, listed location)
• Posts, comments, and likes on public content
• Friend/follower lists (used to infer relationships)
• Location check-ins and tagged photos
• Employer and education information from LinkedIn

Scraping is rampant. In 2021, data on 533 million Facebook users was found for sale on a hacking forum, scraped from profiles using Facebook's "search by phone number" feature. In this case, strong European privacy laws led to hundreds of millions of dollars in fines for Facebook. But the law isn't always on your side.

Broker-to-broker sharing

Even if you're cautious about how much you expose, the portions that get out are exchanged by data brokers who buy and sell data with each other.

For example, a small broker might specialize in scraping county property records. They sell that to a larger broker, who combines it with data from other sources and sells it to people search sites. Those sites display some of it publicly and sell the rest to yet other brokers.

That's why our top-rated data removal service makes sure to cover the sites supplying data to the broader people-search site network. Remove yourself from those, and you'll have an easier time handling and staying off the rest.

How do data brokers make money?

If you want to know why this industry is so hard to regulate and why your data keeps reappearing, it helps to start with the business model of data brokers. The industry rakes in hundreds of billions a year, and it's growing fast.

Here's how they do it:

1) Selling data to other businesses

The biggest revenue source comes from marketing and advertising-related activities. Businesses pay data brokers to identify the right audience for their product and narrowly target ads to the right people (while using narrowly-tailored messaging). Acxiom alone maintains data on over 2.5 billion people worldwide and generates hundreds of millions in annual revenue selling personal data to marketers.

To make money, data brokers sell data in a number of different formats:

• Email lists segmented by demographics, interests, and behavior
• "Lookalike audiences" for Facebook or Google ads
• Direct mail lists for catalogs and promotions
• Phone lists for telemarketing

Brokers often sell data for other purposes, too. They include:

• Insurance and lending: Insurance companies buy data to assess risk and set premiums. Lenders buy data to determine creditworthiness. A 2025 Consumer Reports guide to telematics showed that auto insurers increasingly use data from brokers about driving habits, neighborhood, and even shopping behavior to set rates. Some of this use isn't totally nefarious because it allows consumers to opt in to discount programs based on monitoring. But drivers aren't always aware they're being monitored.
• Background checks: Employers, landlords, and businesses rely on background reports for many facets of their businesses. LexisNexis, Experian, and specialized brokers sell comprehensive reports that include employment history, criminal records, credit information, and more.
• Hedge funds and financial services: This development is relatively new, but data brokers now sell location and spending data to hedge funds, who use this "alternative data" to predict things like retail sales, consumer trends, and stock performance.
• Data enrichment services: Some brokers specialize in filling in the gaps when a business only has partial data. You give them an email address, they give you back a name, age, address, and phone number. These "data enrichment" services are popular with businesses trying to learn more about customers or leads, as well as sales teams looking for new ways to reach customers.

Prices for data can vary wildly. A single email address might sell for $0.01. A full consumer profile with financial data might sell for $10 to $50. Bulk data sales to major corporations can be worth millions.

2) Selling reports to individuals

People search sites like Spokeo, BeenVerified, and White Pages make money by selling reports to individuals searching for someone. When you find your information online, it's often listed on these types of people-search sites. Usually some data (enough to personally identify someone) is available publicly, but users have to pay for a report to access the full file.

These sites want everyone's information to be discoverable, so they invest heavily in search engine optimization to rank high when you Google someone. The higher they rank, the more reports they sell.

To effectively remove yourself from people-search sites, you have to opt out of hundreds of sites.

Why your data keeps coming back

Even after you opt out, your data often reappears. Here's why:

• Constant re-scraping: Data brokers continuously scrape public records. If you bought a house last year and then deleted yourself from people-search sites, they'll rediscover you the next time they scrape government databases. Tip: if you opt yourself out of a given site, we recommend using suppressions (options like "don't show my data") over outright deletions. If your record is completely removed, data brokers may have no way to know you previously opted out when they re-scrape your data.
• The network effect: As your data circulates through the network, it can boomerang back onto sites you thought you'd taken care of. You remove yourself from Site A, but Site B still has you. Site B sells your information to Site C. Site C sells it back to Site A. And so on.
• New data sources: New data enters the system constantly when you do something like filing a change of address, registering to vote, renewing your license, purchasing from a new retailer, or publishing an update on LinkedIn.
• Data breaches: Old breaches continue to circulate. The National Public Data breach from 2024 will be feeding data brokers for years.
• Poor data matching: When a broker imports new data, they don't always recognize that it belongs to you. They might publish a brand new record containing much of the same information.

The only solution is to be vigilant about double-checking the sites you've opted out of. Once it's out there, your personal data is kind of like a weed. It will keep popping up, and if you don't keep it mowed down, it will spread.

How the network of data brokers operates

This is where it gets complicated. Data brokers don't operate in isolation. They form a web that allows data to flow in many directions.

Upstream brokers scrape and collect raw data. They might specialize in one or two forms of data collection, like:

• Scraping county property records nationwide
• Monitoring court filings and public records
• Buying USPS change-of-address data
• Purchasing data from retailers and apps

Midstream brokers are good at aggregating and enriching data. They combine data from multiple upstream sources, fill in gaps, and create comprehensive profiles. Companies like Acxiom and Epsilon operate in this part of the network.

Downstream brokers sell to end users. People-search and background-check sites which make data public in order to sell it are downstream. Their customers are consumers and business owners who want to know more about people in their orbit.

The hidden connections

Many people search sites are actually owned by the same companies operating under different names. For example, we've observed that Radaris appears to operate a family of related sites. When Radaris recently re-added everyone who'd ever opted out, several related sites added the same data simultaneously.

Brokers do this to:

• Appear to offer "choice" when it's all the same company
• Create an SEO advantage, since more sites means more Google results they control
• Avoid backlash. If one site gets bad press, the others will be unaffected
• Make it harder to remove your data, and as a result, deprive them of the opportunity to sell it.
• Disincentivize opt-outs by making the process overwhelming
• Legitimize the industry, making it appear bigger than it is.

This practice makes opt-outs harder because you might remove yourself from "Site A" not realizing it's essentially the same as "Site B," "Site C," and "Site D."

There have even been a couple data broker removals services tied to companies operating data brokers. OneRep's CEO founded dozens of people-search sites. And dataseal.io was launched by the then-owners of thatsthem.com.

Why this industry exists (and how it's legal)

If this all sounds dystopian and invasive, you're right. In fact, we were so bothered by it that we started this company!

So why is it legal?

The United States has no comprehensive privacy law

Unlike the European Union's GDPR or California's CCPA, the US has no federal privacy law that comprehensively regulates data collection and sale.

Instead, we have:

• Sector-specific laws like HIPAA for health, FCRA for credit, and FERPA for education
• State-level laws in California, Virginia, Colorado, and others
• Industry self-regulation, which is mostly voluntary and unenforced

The status quo didn't come about by mistake. The data broker industry (and the tech titans that live alongside it) has spent millions lobbying against comprehensive privacy legislation, arguing that restrictions would harm innovation and economic growth.

To be fair, some historic justifications made a lot of sense before the internet. It's not hard to argue that making some records public can be beneficial, like:

• For property records: Helping us all know who owns land for sales, disputes, and taxes
• For court records: Creating transparency to prevent secret trials and government abuse
• For professional licenses: Giving consumers a way to verify credentials of people they're asked to trust

But accessing these records used to require physically going to a courthouse or county office – an effort that provided a natural privacy barrier. You wouldn't casually look someone up, because it might take hours or days. And you certainly wouldn't go and look everyone up.

As data became digitized, data brokers eliminated that barrier. Now anyone can find anyone in seconds. The records are still "public," but accessibility has fundamentally changed their impact on privacy. The legal framework in the US wasn't build with modern technology in mind and hasn't caught up.

FCRA

The Fair Credit Reporting Act (FCRA) is one of the few national consumer protection laws that regulates data brokers. But it only applies to data used for specific purposes like credit, employment, insurance, and housing.

A 2014 FTC report found that data brokers maintain separate products to avoid FCRA requirements, allowing them to sell detailed consumer profiles without the oversight required for credit reporting. They use FCRA-compliant data for credit, employment, and insurance. And they use non-FCRA data for marketing, people search, and everything else.

The non-FCRA side operates with almost no regulation. They can collect whatever they want, sell to whomever they want, and face few consequences for errors or privacy violations. Many non-FCRA-compliant data brokers require searchers to agree not to use data for employment or tenant screening, but violations are rampant with minimal enforcement.

Cross-pollination with tech giants

To complicate things, many of the biggest tech companies are also close to being data brokers (even if that's not how they talk about themselves).

Google and Facebook, for example, collect massive amounts of data through their services. Instead of making that data publicly available, they use it to sell access to targeted advertising opportunities. They know enough about you to sell access to you at the exact moment it's relevant to advertisers.

If you've ever seen an Instagram ad for the perfect thing you never knew you needed (we're looking at you, Halloween costumes for dogs), that's exactly what's happening. And it's very effective.

Google's parent company Alphabet made $82 billion in advertising revenue in the fourth quarter of 2025 alone, almost all of it based on creating access to its users. Similarly, Amazon knows what you buy, what you search for, what shows you watch, and what books you read. It used this knowledge to generate $68 billion with its advertising business in 2025, making it the third-largest digital ad platform after Google and Facebook.

Tech companies have partnerships with traditional data brokers, too. Facebook partnered with Acxiom and Epsilon to match offline purchases with online profiles, for example. Google also partners with data brokers to improve ad targeting.

The 1st Amendment defense

Data brokers argue that collecting and selling "publicly" available information is protected by the 1st Amendment. Indeed, courts have generally held that gathering and distributing public information is a form of protected speech.

This makes regulation difficult. How do you restrict data brokers without restricting legitimate journalism and research?

Proponents also argue that data brokers provide value by:

• Helping businesses reach customers more efficiently
• Reducing credit risk and fraud
• Enabling background checks that keep people safe
• Providing economic data that improves markets

These arguments ignore the massive privacy violations, the lack of transparency, the errors in data, and the complete absence of consumer consent. Is something really "public" if it's collected secretly? Further, the economic benefits accrue to businesses and brokers, while the costs (loss of privacy, increased fraud risk, discrimination, hacking, stalking) are borne by individuals.

We need stronger regulations. Full stop.

Regulation challenges

New regulations in more states, often modeled after CCPA or GDPR, are promising, but loopholes make vigilance and government enforcement essential.

Data de-anonymization: Regulations have carve-outs for "anonymous" data, but supposedly-anonymous data like a nameless GPS coordinate path can often be de-anonymized to link it to complete profiles about you. You're probably the only one driving between your home and workplace every day, making it possible to identify you based on an "anonymous" location history, thus exposing all the other doctor's offices, stores, and friends you've visited.

Illegal access to regulated data: As long as access to restricted databases is possible, systems will be abused. Telegram channels have been used to sell access to USinfoSearch. The Flock license plate camera network has been used by stalkers to find romantic interests.

Data breaches: Good intentions and minimal data sharing don't matter if a data breach happens. And data breaches are growing more common. Limits on collection (even without sharing) will be necessary.

Until laws change, here's what you can do

Protecting your privacy is about balancing the risks with rewards. Here's a list of steps you can consider taking. Few people do all of these, but taking just some of these steps can have a big impact:

Minimize new data creation:

• File temporary, not permanent, change of address with USPS
• Read privacy policies before creating accounts
• Use virtual credit cards and email aliases
• Turn off location tracking for apps that don't need it
• Use a registered agent service for business registration
• Lock down social media
• Share made-up personal data whenever legal and practical

Consider more difficult measures if privacy is critical to you:

• Maintain or use multiple addresses (like P.O. boxes or private mailboxes when possible)
• Purchase property through an anonymous LLC
• Switch to apps and services that respect your privacy

Please see our guide to removing yourself from the internet for more detail.