Discussions around data privacy and security often focus on what the big tech giants – such as Google, Facebook, and others – do with their users’ data. Less talked about are the businesses whose entire business model is focused on collecting personal data and then selling it for profit. Those businesses are called data brokers. But who are they, how do they collect your information, what do they do with it, and how can you opt-out?
What are data brokers?
Data brokers are companies selling personal information about you. Data brokers collect information from various sources to build up a detailed picture of who you are and then sell it on. Data broking is big business – it’s been estimated that the industry is worth $200 billion per year, with up to 4,000 data brokering companies worldwide. Some of the most significant data brokers are Experian, Equifax, Acxiom, and Epsilon.
The data brokerage industry has been criticized for being opaque: data brokers have no real incentive to interact with the people whose data they collect, analyze, share, and profit from.
Data broker meaning
The term “information broker” is sometimes used interchangeably with “data broker” – they mean the same thing. Data brokers do not have a direct relationship with the people they collect data on, so most people aren't aware that the data is even being collected. While individuals often click "I agree" to online privacy policies and terms of use – sometimes unthinkingly – it's not always obvious how much control of data is being consented to and what the cumulative effect across so many websites is.
How do data brokers collect information?
Data broker sites obtain information about you in several ways, both on and offline, connecting the dots to build comprehensive consumer profiles:
- Your web browsing history. Every time you use a search engine, a social media app, or other types of app, fill out an online quiz or enter a competition, or visit different websites, you're leaving an electronic trail. Data brokers use this to build up a picture of who you are. Web tracking installed on most websites collects information about your online activities. Data brokers use web scraping – a small piece of software or script that extracts data from any website – to gather that information.
- Public sources. This includes birth certificates, marriage licenses, divorce records, voter registration information, court records, bankruptcy records, motor vehicle records, and census data.
- Commercial sources. Your purchase history – what you’ve bought, when you bought it, how much for, and whether you used a coupon or loyalty card.
- Your consent. When you sign up for things like a store’s loyalty program, you may have given your consent for your data to be shared without necessarily realizing it (unless you read the fine print).
What information do data brokers collect?
Using these different sources, data brokers piece together a wealth of information about you. The types of information collected include:
- Your name
- Address (both current and previous addresses)
- Date of birth
- Gender
- Marital status
- Family status, including if you have children, how many and how old they are
- Social Security number
- Education levels
- Assets
- Occupation
- Phone number
- Email addresses
- Buying habits – what you buy, when you buy it, and how much for
- Personal interests and hobbies
Potentially they may also know your income levels, some details of your health status, your political views, and any criminal records.
Data brokers aggregate this information to build up user segments – for example, “new mothers”, “fitness enthusiasts”, and so on – which they sell to other companies for commercial purposes. Some of the categories may seem harmless, but they become intrusive and potentially raise ethical questions when focusing on medical or personal circumstances (for example, “HIV sufferers”).
Despite the volume of information collected, data brokers don’t always get it right. For example, you might be buying baby clothes for a friend or family member, and the data broker perceives you to be a parent as a result, even though you might not be. You might be buying medications for an elderly relative, which the data broker interprets as a reflection of your health status and so on.
How is your data used?
Data brokers sell your data to other companies for various commercial purposes. These include:
- Marketing and advertising. Businesses purchase data so they can tailor marketing messages, customer offers, and online advertising to you. During election campaigns, political parties may use data to target you with political messages.
- Risk mitigation. Some businesses use the data they buy from data brokers to help crack down on fraud. For example, they may check that a consumer's information on a loan application matches the information that data brokers supply. Or the information might be used to calculate a consumer’s likelihood to default on a loan.
- Health insurance. Information about your health – what drugs you buy and what symptoms you search for online, for example – can be used by health insurance companies to work out what rates you should be charged for cover based on your data profile.
- People search sites. People search sites – such as Spokeo, PeekYou, PeopleSmart, Pipl, and others – allow you to search for a person by name and – usually for a fee – receive information about them, like their address, phone number, email address, date of birth and so on. The information which populates these sites comes from data brokers – and can sometimes be used for doxing, social engineering, or identity theft.
Are data brokers legal?
As ever, laws vary by jurisdiction, and the legal picture is not always clear-cut. Generally speaking, if data brokers use public records to obtain information, then their activities are legal, though there are gray areas.
In the EU, there is the General Data Protection Regulation (GDPR), which is a data privacy and security law that covers any organization which targets or collects consumer data in the European Union. This states that consumers must explicitly provide consent before their data can be collected. GDPR also gives consumers the right to ask that organizations delete data stored about them. Other countries have similar laws to this – for example, the Brazilian equivalent is the LGPD (Lei Geral de Proteção de Dados).
In the US, the picture is more fragmented since there is no overarching federal equivalent to GDPR. Laws vary by state, with some states taking a closer interest in data broking than others. For example, California’s Consumer Privacy Act allows consumers to obtain copies of what information data brokers have compiled about them, request that the information be erased, and opt-out of having their data sold.
Often, the consent required to collect user data is buried in the fine print of most websites. So it's not always apparent to individuals how much control of their data they are giving up.
Data brokers data breach examples
Aside from the ethical and legal issues raised by data brokerage, one area of concern is the scope for data breaches. Data brokers compile sensitive information that could have severe consequences for the individuals affected if it fell into the wrong hands.
Notable data broking security incidents include:
- In 2017, Equifax announced a data breach that affected the personal information of 147 million people. The company later announced a settlement with the Federal Trade Commission and 50 states, which included up to $425 million to help compensate the individuals affected.
- In 2015, 15 million records belonging to T-Mobile but stored on Experian’s servers were accessed.
- In 2011, Epsilon was hacked, exposing the names and email addresses of millions of people on email marketing lists, who were then subject to spam as well as spear-phishing attempts.
- In 2003, Acxiom was hacked, with over 1.6 billion records (including names, addresses, and email addresses) stolen and sold to spammers.
How to protect yourself from data brokers
It isn't easy to stay off data broker lists entirely. Still, you can opt-out of data collection by contacting data broking sites individually to request they remove your details – which is a time-consuming process. Alternatively, there are companies you can pay to do this for you. A better approach is to try to stay off data broker lists in the first place by taking steps to safeguard your privacy online.
How to remove yourself from data collection sites
Privacy Rights Clearinghouse has a comprehensive data broker list here. This includes a link to their privacy policies and details on how you can opt-out from each broker. Opting out is unlikely to be a one-off process – it’s something you probably need to revisit regularly to be effective. If you’re a resident of the EU, this guide explains how you can send GDPR erasure requests, as well as further information on removing yourself from data collection sites.
A company called Brand Yourself scans for your data in the databases of major data brokers and gives you a report on where your data has been found. That will provide you with a starting point of which data brokers to remove yourself from.
To opt-out of these sites, you usually have to contact them via email. It's a good idea to create a new, throwaway, secondary email account to do this. This is to keep your primary email account safe and to protect it from spam.
If you are concerned with how a company is handling your personal data, you can file a complaint with the relevant government agency in your country. This will vary around the world – for example, in the US, it’s the Federal Trade Commission, and in the UK, it’s the Information Commissioner’s Office.
Pay private companies to keep you away from data brokers
Companies such as PrivacyDuck and DeleteMe are examples of companies that will help keep your data private. However, these companies charge a fee for their services.
Safeguard your privacy online by following the steps below
- Familiarize yourself with the legal framework governing data privacy in your country or state to see what your rights are.
- Avoid posting personal information on social media. For example, your date of birth is often used as an identifier or security question, so avoid posting it publicly.
- Consider making your social media accounts private, so only friends and family can see them.
- Avoid participating in online quizzes or entering online sweepstakes – these often capture data about you.
- Avoid downloading risky apps from untrustworthy sources and delete any unnecessary apps you don’t use.
- Keep the number of online accounts you have to a minimum – only ones you really use.
- Avoid opening unknown emails.
- To curtail tracking, use a web browser that includes tracker-blocking and ad-blocking software.
You can also use a VPN or Virtual Private Network to enhance your online privacy. When you connect to the internet using a VPN, your IP address remains hidden, and your data is encrypted. Kaspersky VPN Secure Connection stops hackers from reading your data and provides online privacy.
Related Articles: