How states can rein in data brokers

Whenever you go online, data is being collected about you by companies on the other side of your favorite apps, websites, or smart devices. This includes data you intentionally provide, such as your contact information or date of birth, as well as information collected from tracking software that follows you across apps and websites as you shop, play games or browse the web. That data can be highly personal and sensitive, such as health information or location data that identifies where you live and work.

And a lot of that information is up for sale, thanks to shadowy companies called data brokers.

What are data brokers?

Data brokers are third-party companies that specialize in collecting, buying, combining and reselling data that they bundles into profiles about you. Their business model is to get data from all kinds of places and sell the data and profiles to practically whomever is looking to buy. 

Profiles can include tags such as “frequent alcohol drinker,” “financially challenged,” or “working-class mom.” Companies or other third parties will then purchase those profiles in order to advertise to consumers who will be more likely to purchase their product. Scammers may even buy this data to identify ideal targets.

You’ve never heard of most data brokers, but they’ve almost certainly heard of you. One data broker studied by the FTC was found to have 3,000 data segments for nearly every U.S. consumer. Data brokers are terrible for your personal security, and there are hundreds that we know of operating in the U.S.

How do data brokers get my data?

Data brokers get personal data from a wide range of sources. 

Some common sources of data include:

• Cookies and other software embedded in the background of apps and websites
• Smartphone location data from W-Fi and GPS signals
• Retail loyalty card programs
• Online surveys
• When you click a targeted ad online
• Real-time television viewing data
• Credit card transactions 
• Buying information from other data brokers

Why are data brokers dangerous?

Unlimited data collection and sales by data brokers pose a real security threat to consumers.

In January 2025, it was revealed that hackers stole troves of personal information, including location data, from a major location data broker called Gravy Analytics. That location data came from thousands of apps, including popular ones like Candy Crush or Tinder.

Data brokers can be careless when it comes to what information they sell and to whom. For instance, Duke researchers found data brokers willing to sell them mental health data with little effort to hide personal information such as names and addresses. Carelessness by data brokers can even put us at risk on a national security level. The Duke researchers also found data brokers willing to sell sensitive data about active-duty U.S. military members, including location, health, financial and religious information. 

Some data brokers have even worked directly with scammers. In 2020 and 2021, the data brokers Epsilon LLC, Macromark Inc. and KBM were charged with conspiracy to commit mail and wire fraud for supplying lists of vulnerable individuals – including elderly people with Alzheimer’s – to scammers. 

This issue is only getting worse. The number of fraud and identity theft complaints the FTC receives has skyrocketed in the last 20 years, from 224,000 complaints in 2001 to 3.6 million in 2023. This explosion is largely thanks to the fact that so much of our lives have moved online, making it easier than ever to harvest, buy and sell people’s information, and use it to target them with sophisticated scams.

What can lawmakers do to rein in data brokers?

Some states have begun passing consumer privacy laws that allow you to ask data brokers to delete your data. Unfortunately under these laws, you have to go to each of those companies one at a time to request your information be deleted. That means fully exercising your rights can be a pain. There are likely hundreds of companies, including data brokers, holding your information right now.

Fortunately, there is something states can do about this problem: pass the Delete Act.

What is the Delete Act?

The Delete Act addresses the problem of data collection and use by data brokers in two parts: 

1. Requires data brokers to register with the state in a public-facing database where consumers can see a list of brokers, what types of data they collect, and a link to the broker’s website. 
2. Creates an accessible deletion mechanism where consumers can go to a state website and request that every registered data broker delete all of the personal data associated with them and not sell or share information collected about them in the future.

Data brokers are also required to pay a registration fee, which helps cover the cost of creating the registry and deletion mechanism.

Why is the Delete Act important?

The goal of the Delete Act is to get people’s personal data deleted from shady data brokers who sell your personal information.

We need to clamp down on the excessive collection and sale of consumer data, particularly by shadowy data brokers, that mean Americans’ personal information is constantly up for sale to the highest bidder.

California passed the Delete Act in 2023. Oregon, Vermont and Texas have all taken a good first step by establishing data broker registries in their state. The next step would be to pass the Delete Act to allow consumers to easily request their data be deleted from that list of registered data brokers. Vermont is currently considering a Delete Act bill, as are Nebraska and Illinois. California privacy regulators have also discussed the possibility of designing its deletion mechanism to be interoperable to make it easier for other states to implement.

What can I do now to protect myself from data brokers?

If you live in one of the 13 states with a consumer data privacy law in effect, you have the right to request data brokers delete your personal data.

We recommend starting with some of the biggest data brokers below. You can submit an access request if you want to see what data they have on you, or jump straight to deleting your data and opting out of future data collection.

Epsilon

Acxiom

LiveRamp

Oracle

If you don’t live in a state with a data privacy law, there are other measures you can take to protect your privacy, including:

• Don’t accept web cookies
• Turn on the default privacy settings on your smartphone
• Download a universal opt-out mechanism onto your web browser

Learn more