The TLDR
You have a file. Several thousand companies have a copy of it. You didn’t sign anything. Data brokers collect your personal information from public records, commercial purchases, loyalty programs, app data, and each other — then package it into profiles that get sold to marketers, employers, landlords, insurance companies, law enforcement, and scammers. The industry generates over $200 billion annually, and you’re not a customer. You’re the product.
The Reality
The major players in this industry aren’t the people-search sites you find on Google. Those are the retail storefront. The real ecosystem runs deeper:
Tier 1 — The Aggregators: LexisNexis, Acxiom (now Liveramp), Oracle Data Cloud, Equifax, Experian, TransUnion. These companies hold hundreds of data points on hundreds of millions of people. They purchase, aggregate, and model data at industrial scale.
Tier 2 — The Enrichers: Companies like Clearbit, ZoomInfo, and FullContact specialize in taking a single identifier (an email address, a phone number) and returning a complete profile — name, employer, social media accounts, income estimate, home value.
Tier 3 — The People-Search Sites: Spokeo, BeenVerified, WhitePages, Intelius, Radaris, and hundreds more. These are the consumer-facing sites that charge $1–$30 per report. They buy from Tier 1 and 2 companies and resell at markup.
The FTC’s 2014 data broker report found that the nine largest brokers held data on virtually every American household. That was over a decade ago. The ecosystem has only grown since.
How It Works
Where the Data Comes From
Data brokers don’t hack you. They don’t need to. You volunteer most of it — or your government does.
Public records: Voter registration, property deeds, court records, marriage licenses, business filings, vehicle registrations, and professional licenses are all public in most states. Brokers scrape county recorder offices, state databases, and federal registries systematically.
Commercial purchases: Loyalty programs, warranty registrations, magazine subscriptions, purchase histories from retailers, and financial transaction records. When you signed up for that rewards card, the terms let the retailer sell your purchase history.
App and website data: Apps with advertising SDKs share your data with ad networks, which sell to data brokers. Your location data, browsing history, app usage patterns, and device identifiers all flow through this pipeline.
Social media: Public profiles on Facebook, LinkedIn, Instagram, and Twitter provide names, photos, employment history, education, relationships, and interests. Even “private” profiles often leak data through APIs.
Each other: Data brokers buy from other data brokers. LexisNexis feeds Spokeo. Acxiom feeds Oracle. Oracle feeds advertising platforms. The data circulates endlessly.
How Profiles Get Built
The matching process is called identity resolution. A broker starts with a name and address from voter registration. They match it to a phone number from a warranty card. They add an email address from a data breach. They link it to a browsing profile via a cookie match. They attach an income estimate from property records and census data.
The result is a profile with hundreds of attributes: age, gender, ethnicity, religion, political affiliation, income, net worth, health conditions (inferred from purchases), interests, habits, relationship status, children’s ages, pets, vehicle type, and more.
Acxiom alone claims to have data on 2.5 billion people worldwide with up to 10,000 attributes per person.
How Profiles Get Scored and Sold
Profiles are grouped into segments: “Expectant Parents,” “Frequent Gamblers,” “Health-Conscious Seniors,” “Financial Distress.” These segments get sold to buyers who want to target specific populations.
Some scoring is explicitly discriminatory. The Cracked Labs research project documented how data brokers sell “vulnerability scores” — identifying people in financial distress, health crises, or addiction — which get used for predatory marketing.
How It Gets Exploited
Pretexting and Social Engineering
When a scammer calls you and knows your mother’s maiden name, your previous address, and the last four digits of your SSN, they didn’t hack your bank. They bought a report from a people-search site for $3.
Data broker information makes social engineering attacks dramatically more effective. According to the FBI IC3, business email compromise and impersonation scams — both of which rely on personal details to build credibility — cost businesses $2.7 billion in 2022 alone.
Stalker Enablement
People-search sites are the most dangerous tools available to stalkers. For less than $30, anyone can get a current address, phone number, relatives’ names, and previous addresses for any person in the United States.
The FTC has brought enforcement actions against data brokers that enabled stalking, but the fundamental business model — selling personal information to anyone who pays — remains legal.
Scam Targeting
Data brokers sell demographic segments that allow scammers to target vulnerable populations: elderly individuals, recent divorcees, people who’ve filed for bankruptcy, and people who’ve recently lost a family member. These segments exist because they’re profitable for “legitimate” marketers. Scammers buy the same lists.
What You Can Do
Opt-Outs (and Their Limits)
You can submit opt-out requests to individual data brokers. The big ones:
- Spokeo, BeenVerified, WhitePages, Intelius, Radaris, PeopleFinder, TruePeopleSearch
The problem: there are hundreds of brokers. Opting out of one doesn’t opt you out of its upstream sources. And many brokers re-add your data within 3–6 months from their data feeds.
Automated removal services (DeleteMe, Kanary, Optery) submit opt-outs on your behalf and re-check periodically. They’re not free ($100–$200/year), but they’re more effective than manual opt-outs because they handle the re-listing problem.
Upstream Prevention
The most effective defense is reducing the data that enters the pipeline in the first place:
- Use alias emails (SimpleLogin, AnonAddy, iCloud Hide My Email) for every registration
- Minimize information at registration — if a field isn’t required, leave it blank
- Avoid loyalty programs that require your real information
- Use cash or virtual cards for purchases you don’t want tracked
- Lock down social media — anything public on Facebook or LinkedIn feeds the data broker pipeline directly
Legal Rights
- CCPA/CPRA (California): Right to know what data is collected, right to delete, right to opt out of sale. Even if you don’t live in California, many brokers extend these rights nationally.
- GDPR (EU): Right to erasure, right to access, right to object to processing.
- Vermont Act 171: Requires data brokers to register with the state — the registry is public and useful for identifying which companies have your data.
The Hard Truth
You cannot fully remove yourself from the data broker ecosystem. The data has already been sold, resold, and aggregated too many times. What you can do is reduce the flow of new data, opt out of the consumer-facing sites where your information is most accessible, and make it harder — not impossible — for someone to assemble a complete picture.
Sources & Further Reading
- FTC Data Broker Report (2014) — foundational federal analysis of the data broker industry
- Cracked Labs: Corporate Surveillance in Everyday Life — detailed research on how data brokers collect, combine, and sell personal data
- EFF: Data Brokers — digital rights perspective on the broker ecosystem
- Vermont Data Broker Registry — public list of registered data brokers
- CCPA/CPRA Text — California consumer privacy rights
- FBI IC3 Annual Report — cybercrime statistics including impersonation fraud enabled by broker data