What are data brokers? A complete guide to your privacy and protection

Every time you browse the web, sign up for a service, or fill out an online form, traces of your personal life are being collected. Sometimes, this information is collected and sold by companies known as data brokers.

Data brokers gather information from a wide variety of sources and use it to create detailed profiles about people. They then sell these profiles to a range of potential buyers. It’s a multibillion-dollar business that thrives in the background of the internet.

In this guide, we’ll take you through the world of data brokers and people search sites, explain the risks they pose, and share proven strategies to reduce your exposure.

Please note: This information is for general educational purposes and not legal advice.

What is a data broker?

A data broker is a company that collects information about people from a variety of sources, including public records, online tracking, social media, and retailers. Once collected, this information is combined with other sources, analyzed, and then sold or shared with clients.

The industry includes firms that curate marketing lists, verify identities for fraud prevention, power background checks, and build audience segments for advertising. The same company can operate in more than one category.

How data brokering works

Data brokers obtain raw information about people, combine it with data from other sources, and analyze it. They then package this data into profiles and deliver it to their clients.

• Collection: Brokers collect raw information on people from sources including government filings, commercial partners, and digital activity. These data streams form the base material, which they then combine with other sources to build a detailed profile.
• Enrichment: Next, the brokers merge the various datasets they’ve collected and clean any inconsistencies to build detailed individual profiles. From here, they can generate inferences such as interests, likely income brackets, or household composition.
• Packaging: Different clients will have different requirements, so the brokers package the information accordingly. For example, an advertiser might purchase an audience segment, a lender could request an identity verification score, or a background check company may want to pull an address history.
• Delivery: Finally, clients access the information the broker has compiled. This can be via files, advertising platforms, or search websites that pull everything together into a report about a person.

Data brokers make their money from subscriptions, usage fees, and licensing. Some firms also create marketplaces where buyers and sellers exchange audience data.

Types of data brokers

Data brokers are not all alike. Most fall into three main categories, though a single company can operate across more than one.

Marketing and advertising brokers

These brokers specialize in converting consumer activity into ad segments. By analyzing purchase patterns, loyalty programs, and browsing behavior, they build categories that advertisers pay to target.

Risk mitigation and identity verification brokers

These companies work with banks, telecoms, insurers, and online marketplaces to confirm identities, flag fraud, and measure transaction risk. They use data such as address histories, phone numbers, and behavioral patterns.

Unlike credit bureaus, their role is not limited to lending, though some firms operate in this area. Since their data powers fraud detection systems, consumers usually have little or no way to opt out.

People search and background check brokers

These brokers offer consumer-facing services that compile public records into concise reports. People search sites are widely used for informal checks and research, making them one of the most visible parts of the industry.

What are people search sites?

People search sites are specific types of data broker services that let you look up a person using a name, phone number, email address, or home address. Unlike many data brokers that work behind the scenes with businesses, these sites sell information directly to consumers.

The results often include contact details, past and present addresses, relatives, age ranges, property records, and, in some cases, court filings. Most people search sites operate on a subscription or pay-per-report model. They draw on public records, web crawls, and commercial data, then present the results in simplified reports.

How people search sites work

People search sites:

• Crawl public records such as property deeds, court filings, and business registrations.
• Scrape information from web pages and social media profiles.
• Buy data from other brokers.
• Refresh their databases periodically.

Opting out stops a site from selling your current listing, but new public records or online data can cause the information to reappear later.

Why do people use people search sites?

People often use search sites to reconnect with old friends, look up neighbors or love interests, or check someone’s contact details. They may also be used by landlords for quick tenant checks and by some businesses that buy reports to verify identity information without formally involving credit bureaus. However, criminals could also use these sites for stalking, identity theft, and other nefarious purposes.

How people search sites display your information

Most sites distinguish between free previews and full paid reports. A free search may only show a name and city, while the paid version could unlock broader details like your contact information, family members, or work and education history. Providers vary in how they process opt-out requests, with some taking longer than others.

How do data brokers collect your information?

Data brokers gather information from a wide range of sources. Each piece may look trivial on its own, but combined, they form a detailed profile of your identity, habits, and networks.

Public records and government databases

Brokers routinely pull property deeds, court filings, corporate registries, professional licenses, voter rolls where they exist, and bankruptcy filings.

Online tracking and cookies

Websites and mobile apps often embed trackers that log page views, clicks, device identifiers, and browsing paths. Ad platforms can take this activity and match it to audience segments based on factors like age, interests, or location. Advertisers then buy and sell these segments in real time.

Social media and online accounts

Your public profiles, posts, and interactions can reveal your interests, affiliations, and personal connections. If you voluntarily share details like email addresses, job titles, and phone numbers in your social profiles, it makes it easier for brokers to connect your information across databases.

Retailers, apps, and third-party partnerships

Some of the companies you interact with, like loyalty programs, online stores, or mobile apps, may share certain types of data with other businesses. This can include things like your purchase history, location, or how you use an app. In some cases, apps use built-in software tools, called SDKs, to collect this information in the background to help with analytics or advertising.

Broker-to-broker trading

Data brokers sometimes share or sell information with one another, combining and repackaging datasets. This means that a single piece of information, like a demographic detail or purchase pattern, can appear in multiple databases across the industry.

What types of personal information do data brokers collect?

Data brokers can gather a range of personal details, from where you live to publicly available information about your family or professional connections.

Basic personal identifiers

This category covers information like names, aliases, age ranges, dates of birth, and address histories. Contact details, including phone numbers and email addresses, are also commonly collected. Some datasets go further by mapping household composition, listing family members or relatives, so a profile can reflect more than one individual.

Brokers may also add demographic details such as gender, marital status, or education to help businesses segment audiences for marketing or research purposes.

Financial and credit information

Some companies operate as regulated consumer reporting agencies (CRAs), handling credit files that are covered by laws such as the Fair Credit Reporting Act (FCRA). Others build unregulated “shadow credit” datasets. These can include estimated income brackets, purchasing power, mortgage status, or debt indicators.

Employers and professional records sometimes feed into these profiles, adding salary ranges or industry categories. Even though these scores are not official credit ratings, they can still shape the offers you receive, the ads you’re shown, or the decisions companies make when evaluating you as a customer.

Online behavior and interests

Your browsing activity, app usage, and purchase patterns can provide insight into your hobbies, interests, and potential future behavior. Data brokers and marketers often use predictive models to group people into categories such as “luxury travelers,” “pet owners,” or “fitness enthusiasts.”

Pharmacy loyalty cards, gym memberships, wellness apps, and wearables can also generate signals about health habits. While reputable companies generally don’t share directly identifiable health data with brokers, when such signals are included, they help build profiles that go beyond basic demographics. These profiles are used to tailor advertising, offers, or other customer experiences.

Location and device data

Data brokers can collect information such as device identifiers, IP addresses, and GPS coordinates from apps, ad networks, and other third parties. In some cases, this could potentially tie online activity to physical locations, showing where someone lives or works and which stores, clinics, or other places they visit.

While some companies say they only sell aggregated or “coarse” data, regulators have found that such representations don’t always hold up. In 2024, the U.S. Federal Trade Commission took enforcement action against several location-data brokers, citing the sale or sharing of precise location records without safeguards.

Brokers may also gather device information such as operating systems, browser fingerprints, and app installations, which makes it possible to connect activity across different devices.

How data brokers can affect your privacy and security

Data brokers collect and trade information about millions of people, which has serious implications when it comes to data privacy and personal security.

Identity theft

When brokers combine details such as names, addresses, dates of birth, and certain financial information, these datasets can sometimes provide enough context for criminals to attempt identity-based fraud. This might include opening accounts, rerouting communications, or answering security questions that rely on publicly available knowledge.

Targeted scams

Accurate contact information, family connections, and interests can also be used to craft highly personalized scams, often called spear phishing. These phishing attacks can come via email, phone, or text messages and may target you or people you know.

Beyond highly targeted scams, having your contact details in data broker databases can make it easier for companies or malicious actors to reach you. This increases the risk of general spam calls and messages, phishing emails, and robocalls.

Loss of anonymity and personal safety concerns

Information such as property records, location logs, and linked datasets can provide insight into where someone lives, works, or visits regularly. Regulators have warned that location tracking tied to sensitive places (clinics, religious institutions, or even workplaces) opens the door to stalking, harassment, or discrimination. For anyone concerned about privacy, the aggregation of this data can erode privacy and present potential safety considerations.

Examples of real-life data broker breaches and misuse

• National Public Data breach: In 2024, a U.S. data broker that provided background checks reported a breach affecting 2.9 billion records, including names, addresses, Social Security numbers, and phone numbers.
• Exactis exposure: A marketing data broker left a database of roughly 340 million records publicly accessible. The database included phone numbers, addresses, and detailed personal attributes, illustrating how improperly stored data can create risks.
• Apollo breach: Cybercriminals broke into a sales intelligence platform and pulled billions of data points linked to hundreds of millions of contact records. The leak exposed professional and personal details that companies had been using for lead generation.

Are data brokers legal?

Data brokers operate legally in many jurisdictions, though the regulatory landscape varies across countries and regions. In some places, they’re subject to specific laws; in others, their activities are less regulated.

Current data broker laws and regulations in the US and globally

United States

• Federal laws: The Fair Credit Reporting Act (FCRA) regulates consumer reporting agencies (CRAs), a subset of data brokers that compile credit or other financial information used for decisions like loans, insurance, or employment. It sets rules to ensure the accuracy of data, limits who can access it, and gives consumers rights to view and correct their reports. If a broker collects or sells data for marketing, analytics, or other general purposes, it’s not covered by the FCRA, though broader regulations like the FTC Act or sector-specific rules may still apply in certain situations.
• State laws:
  • California (CCPA and Delete Act): The California Consumer Privacy Act (CCPA) gives residents rights to know what personal data is collected, request deletion, and opt out of its sale. In addition, starting in 2026, registered data brokers will be required to process deletion requests through one state-run portal, making it easier for residents to opt out.
  • Vermont: Enacted the first dedicated state-level data broker law in 2018. It requires brokers to register and maintain minimum security safeguards, even if they have no direct consumer relationship.
  • Other states: Privacy laws in Oregon, Colorado, and Virginia grant residents rights to access, correct, delete, or opt out of certain processing activities. In states without such laws, there is no legal guarantee to ensure the deletion of your information by data brokers.

Global overview

In Canada, data handling is covered by the Personal Information Protection and Electronic Documents Act (PIPEDA). In 2023, the government introduced Bill C-27, which proposed significant changes to PIPEDA, including the creation of the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act, but the bill has not yet been passed into law.

Australia’s Privacy Act requires organizations to be upfront about how they handle data and to seek consent. In late 2024, the government passed the Privacy and Other Legislation Amendment Act, introducing reforms such as a statutory tort for serious privacy invasions, a criminal offense for doxxing, and a tiered civil penalty system

Globally, the regulation of data brokers varies. While many countries have comprehensive data protection laws that indirectly cover broker activities, few have standalone regulations specifically targeting data brokers. Notably, Argentina's Personal Data Protection Law sets out duties for data controllers and processors and grants individual rights, serving as an example of a non-EU law addressing data broker activities

Data broker laws in the European Union and GDPR implications

The European Union’s General Data Protection Regulation (GDPR) is among the strictest privacy laws in the world, and data brokers are subject to its provisions. They’re treated as controllers, which means every use of personal data has to be backed by a lawful basis, usually consent or a claimed legitimate interest.

For individuals, the regulation guarantees a wide set of rights: access to your data, the ability to correct errors, the option to block direct marketing, and the right to ask for deletion. GDPR also limits automated decision-making: Article 22 says people shouldn’t be subject to automated profiling or decision-making unless clear exceptions apply.

Regulators have taken action against data brokers for non-compliance with GDPR. For instance, France’s data protection authority fined Tagadamedia in late 2023 for misleading consent collection and SOLOCAL Marketing Services in 2025 for passing personal data to partners without a lawful basis.

Essential strategies for reducing data broker exposure

You can’t erase yourself entirely from the data economy, but you can take meaningful steps to shrink your digital footprint, limit new data collection, and catch exposures early.

Minimize publicly available personal data

Reducing the amount of personal information that’s publicly available can help prevent data brokers from building detailed profiles. Here are some steps you can take:

• Remove yourself from data brokers and people search sites: Start with the major sites that list your phone, email, and address. Use their opt-out or removal pages, and revisit periodically to ensure your data hasn’t reappeared. Learn more in our guide on how to remove yourself from data broker sites.
• Consider a data removal service: Automated removal services can handle opt-outs across dozens of sites and keep them renewed, saving you a lot of time and effort. ExpressVPN’s Data Removal service, available to U.S. users on the Pro plan, scans data broker and people-search sites for your information, submits deletion requests on your behalf, and monitors to make sure the data doesn’t reappear. There’s also a free scanning tool that lets you know which brokers have your info.
• Use Google’s removal tools: Google lets you request the removal of search results that expose sensitive details like phone numbers or addresses. This doesn’t erase the source, but it makes the data less visible. See our walkthrough on Google’s personal data removal tools.
• Be cautious with public records: When filing paperwork, look for privacy options your jurisdiction allows. Some courts let you redact personal contact details. In business filings, you may be able to use a registered agent address instead of your home.

Use privacy-focused tools and browsers

Some privacy-friendly settings, tools, and browsers can help limit how much new data is collected about you online.

• Limit cross-site tracking: Turn off third-party cookies in your browser settings.
• Use tracker blocking tools: You can block trackers with content blockers on your devices or at the router level. This reduces how many entities can collect data on your activity. ExpressVPN’s Threat Manager prevents your device from communicating with third parties known to track activity or engage in malicious behavior.
• Use a VPN: Using a VPN like ExpressVPN encrypts your internet traffic and prevents your ISP or network from linking your online activity to your household IP. Note, however, that a VPN doesn’t stop tracking on sites where you’re logged in, so it should be combined with the other tools mentioned here.

Review and adjust privacy settings regularly

Regularly updating your accounts and app settings can prevent unnecessary exposure of personal information.

• Social media: Set your profiles to private, remove unnecessary phone numbers and addresses, and prune old posts that reveal personal details.
• Mobile apps: Take time to check which permissions your apps actually use. If an app doesn’t need your location, contacts, or access to photos, turn those off. And if you’ve got apps you barely touch, it’s better to delete them altogether.
• Retail and loyalty programs: When signing up, give only what’s really necessary. Using a phone number often just feeds into directories, so skip it where you can.

Monitor for data breaches

Because data brokers collect and share information from multiple sources, it’s important to stay alert to potential exposures of your personal information and take steps to detect misuse early. Monitoring for stolen data, suspicious credit activity, and unauthorized changes to key identifiers can help you reduce the risks associated with having your information held by brokers.

ExpressVPN’s Identity Defender, available to U.S. users on select tiers, combines multiple tools in one suite to help protect your identity:

• Data Removal: Scans data brokers and people-search sites to find and remove your personal information.
• ID Alerts: Monitors the dark web for stolen data, watches for suspicious Social Security number use, and flags unauthorized change-of-address attempts. Alerts are sent immediately if any issues are detected.
• Credit Scanner: Tracks your Experian credit file, providing alerts for suspicious activity or potential identity theft.

ID Theft Insurance: Offers coverage of up to $1 million* for eligible losses in the event of identity theft.

*The insurance is underwritten and administered by American Bankers Insurance Company of Florida, an Assurant company, under group or blanket policies issued to Array US Inc, or its respective affiliates for the benefit of its Members. Please refer to the actual policies for terms, conditions, and exclusions of coverage. Coverage may not be available in all jurisdictions. Review the Summary of Benefits.