The data-broker industry is one of those parts of modern life that is both enormous and largely invisible. The Federal Trade Commission’s 2014 report "Data Brokers: A Call for Transparency and Accountability", still the most comprehensive public document on the industry, available at ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf, estimated that one major broker held information on 1.4 billion consumer transactions and 700 billion data elements. The industry has grown substantially since then.
The 2024 disclosures around the National Public Data breach (2.9 billion records including Social Security Numbers) brought the industry to mainstream attention. The breach itself was a symptom: a small data broker most people had never heard of had been quietly aggregating sensitive data for years.
What data brokers actually collect
The industry breaks down into three rough categories:
People-search sites. Spokeo, Intelius, BeenVerified, Whitepages, Radaris, and dozens of others. They aggregate public records (court filings, voter registration, property records, marriage and divorce records), purchased commercial data (warranty registrations, magazine subscriptions, retail loyalty), and scraped social-media information into searchable profiles. Anyone with a credit card can look up almost anyone’s home address, phone numbers, family members, employers, and rough net worth.
Marketing-data brokers. Acxiom (now part of LiveRamp), Epsilon, Experian Marketing Services, Oracle Data Cloud (winding down through 2025), Equifax. They compile detailed behavioural and demographic profiles for advertising and direct-marketing use. The classic "household segment" model covers name, address, household composition, estimated income, purchasing categories, and life-stage indicators (homeowner, parent, divorcing).
Risk and identity-verification brokers. LexisNexis Risk Solutions, Equifax, ChoicePoint (acquired by LexisNexis), TransUnion. They sell to financial institutions, insurers, employers, landlords, and government. This is the most consequential category because their reports drive credit, insurance, and employment decisions.
There are also dedicated location-data brokers (Cuebiq; X-Mode, now part of Outlogic; Veraset; SafeGraph) that aggregate phone-app location signals and sell movement patterns. The 2020 Vice exposés on US military and law-enforcement purchases of bulk location data from these brokers remain the canonical accounts.
The legal context
The United States has no federal data-broker law. Several states do:
Vermont (2018) requires brokers to register annually and disclose their data sources and opt-out procedures. Vermont’s broker registry, at sos.vermont.gov/securities/data-broker-registration/, lists hundreds of registered entities.
California (CCPA/CPRA) gives California residents rights to know, delete, and opt out of sale; brokers selling to or about Californians must register with the California Privacy Protection Agency. Registry at cppa.ca.gov/data_broker_registry/.
Texas, Oregon, Washington, and a handful of others have varying degrees of broker registration or limited opt-out rights.
In the EU, GDPR’s broad scope effectively governs brokerage as personal-data processing. The European data-broker industry is consequently smaller and more constrained than the US equivalent, though it exists.
The Federal Trade Commission has used Section 5 of the FTC Act in targeted cases (actions against InMarket Media and X-Mode in 2024 over location-data sales), but these are exceptions rather than systematic regulation.
The opt-out reality
The honest answer about opting out is that it is laborious, never complete, and requires ongoing maintenance.
Identification of brokers. There is no central list of every broker holding data on you. Vermont’s and California’s registries are starting points; the World Privacy Forum maintains a longer list at worldprivacyforum.org/data-brokers/. Realistically you are dealing with 200-400 broker entities for full coverage.
Per-broker opt-out. Each broker has its own process. Some have functional online opt-out forms. Some require mailed letters with notarised affidavits. Some accept email. Most profiles reappear months later with the same data, because new "public records" data flows back in.
DIY versus services. Doing this yourself for the major brokers takes 8-12 hours initially and roughly the same on quarterly maintenance. Paid services (DeleteMe, Optery, Kanary, Privacy Bee, EasyOptOuts) handle the work for $100-500/year. The credible services maintain their broker lists publicly and document removal status.
The Privacy Rights Clearinghouse maintains an updated opt-out guide at privacyrights.org/resources/online-information-brokers-and-people-finder-sites.
A pragmatic prioritisation
If you are doing this yourself, start with the brokers that produce the most exposure:
People-search aggregators. Spokeo, BeenVerified, Whitepages, Intelius, Radaris, Mylife, PeopleFinder, USPhonebook, FastPeopleSearch, FamilyTreeNow. These are the first hits in a Google search of your name and the most likely sources of doxing material.
Public-record harvesters. Family-tree and genealogy sites (Ancestry, MyHeritage’s optional opt-outs); old voter-registration aggregators; court-record sites.
Major marketing brokers. Acxiom / LiveRamp, Epsilon, Experian Marketing Services. These do not show your data publicly but feed downstream use including advertising and identity verification.
Location-data brokers. Less accessible to opt out from but worth doing for the few who publish opt-out endpoints.
Tax-related and credit-bureau brokers. Equifax, Experian, TransUnion, Innovis. Credit freezes (free in the US since 2018) are the high-leverage step here, separate from data-broker opt-outs.
What to do alongside opt-outs
Limiting future data flow matters more than removing past data:
Do not register for loyalty programs with your real name when avoidable. Use a separate email address if the discount is worth it.
Disable advertising IDs on iOS (Settings → Privacy → Tracking) and Android (Settings → Google → Ads → Delete advertising ID). This breaks the link between app activity and persistent identity.
Use a credit freeze at all four bureaus. This stops the most impactful fraud vector, which is unauthorised credit applications using stolen broker data.
Use a separate phone number for low-trust signups. Apple Hide My Email, Firefox Relay, SimpleLogin, or just Google Voice.
Treat every "register your warranty" prompt as a data-broker funnel, because most of them are.
The structural fix, comprehensive federal privacy legislation, has been promised for years and may eventually arrive. Until it does, opt-outs and exposure-minimisation are the available tools. They are imperfect, and they are dramatically better than doing nothing.
