
Imagine searching your own name online and finding your home address, phone number, previous addresses, relatives, and an estimate of your income — all on a website you have never visited. For most people in the United States, that is not a hypothetical scenario. It is the business model of the data broker industry.
Data brokers are companies that legally vacuum up personal information from existing databases, public records, retailers, apps, and social media platforms, then package and sell it to the highest bidder. Unlike stolen data sold on the dark web, broker-collected information is accumulated through entirely legal means — a distinction that makes it far harder to regulate.
They pull from multiple sources. Public records provide property ownership, marriage licences, court filings, and voter registration. Retailers and loyalty programmes sell purchase histories that reveal income levels, dietary habits, and health concerns. Mobile apps collect location data, contacts, and device identifiers. Social media platforms share — or sell — the data users voluntarily post.
The buyers include marketers targeting advertisements, insurance companies assessing risk, landlords running background checks, and recruiters vetting candidates. However, the same data also fuels scams. Fraudsters purchase data from brokers to personalise phishing attacks, impersonate family members, and commit identity theft.
A report from the BBC earlier this year documented call centre scammers in India who bought US consumer data from brokers and used it to pressure victims into emptying their bank accounts.
Removing personal information from data brokers is possible but laborious. Each broker operates its own opt-out process, and new data appears every time a public record is updated or a loyalty card is swiped. Privacy advocates describe the process as an aggravating version of whack-a-mole.
California’s Delete Act, which took effect in 2026, allows state residents to make a single opt-out request that applies to all data brokers at once — a model that privacy advocates hope other states will adopt.
For users outside California, automated data removal services such as Incogni and DeleteMe will submit opt-out requests on behalf of subscribers, covering hundreds of broker sites. Security experts also recommend minimising the data shared with retailers, using privacy-focused browsers, and regularly monitoring credit reports.
Sources: PCWorld

