Discussions around data privacy and security often focus on what the big tech giants – such as Google, Facebook, and others – do with their users’ data. Less talked about are the businesses whose entire business model is focused on collecting personal data and then selling it for profit. Those businesses are called data brokers. But who are they, how do they collect your information, what do they do with it, and how can you opt out?
Data brokers are companies selling personal information about you. Data brokers collect information from various sources to build up a detailed picture of who you are and then sell it on. Data broking is big business – it’s been estimated that the industry is worth $200 billion per year, with up to 4,000 data brokering companies worldwide. Some of the most significant data brokers are Experian, Equifax, Acxiom, and Epsilon.
The data brokerage industry has been criticized for being opaque: data brokers have no real incentive to interact with the people whose data they collect, analyze, share, and profit from.
Data broker sites obtain information about you in several ways, both on and offline, connecting the dots to build comprehensive consumer profiles:
Using these different sources, data brokers piece together a wealth of information about you. The types of information collected include:
Potentially they may also know your income levels, some details of your health status, your political views, and any criminal records.
Data brokers aggregate this information to build up user segments – for example, “new mothers”, “fitness enthusiasts”, and so on – which they sell to other companies for commercial purposes. Some of the categories may seem harmless, but they become intrusive and potentially raise ethical questions when focusing on medical or personal circumstances (for example, “HIV sufferers”).
Despite the volume of information collected, data brokers don’t always get it right. For example, you might be buying baby clothes for a friend or family member, and the data broker perceives you to be a parent as a result, even though you might not be. You might be buying medications for an elderly relative, which the data broker interprets as a reflection of your health status and so on.
Data brokers sell your data to other companies for various commercial purposes. These include:
As ever, laws vary by jurisdiction, and the legal picture is not always clear-cut. Generally speaking, if data brokers use public records to obtain information, then their activities are legal, though there are gray areas.
In the EU, the General Data Protection Regulation (GDPR) is a data privacy and security law that covers any organization which targets or collects consumer data in the European Union. It states that consumers must explicitly provide consent before their data can be collected. GDPR also gives consumers the right to ask that organizations delete data stored about them. Other countries have similar laws – for example, the Brazilian equivalent is the LGPD (Lei Geral de Proteção de Dados).
In the US, the picture is more fragmented since there is no overarching federal equivalent to GDPR. Laws vary by state, with some states taking a closer interest in data broking than others. For example, California’s Consumer Privacy Act allows consumers to obtain copies of what information data brokers have compiled about them, request that the information be erased, and opt out of having their data sold.
Often, the consent required to collect user data is buried in the fine print of most websites. So it's not always apparent to individuals how much control of their data they are giving up.
Aside from the ethical and legal issues raised by data brokerage, one area of concern is the scope for data breaches. Data brokers compile sensitive information that could have severe consequences for the individuals affected if it fell into the wrong hands.
Notable data broking security incidents include:
It isn't easy to stay off data broker lists entirely. Still, you can opt out of data collection by contacting data broking sites individually to request they remove your details – which is a time-consuming process. Alternatively, there are companies you can pay to do this for you. A better approach is to try to stay off data broker lists in the first place by taking steps to safeguard your privacy online.
Privacy Rights Clearinghouse has a comprehensive data broker list here. This includes a link to their privacy policies and details on how you can opt out of each broker. Opting out is unlikely to be a one-off process – it’s something you probably need to revisit regularly to be effective. If you’re a resident of the EU, this guide explains how you can send GDPR erasure requests, as well as further information on removing yourself from data collection sites.
A company called Brand Yourself scans for your data in the databases of major data brokers and gives you a report on where your data has been found. That will provide you with a starting point of which data brokers to remove yourself from.
To opt out of these sites, you usually have to contact them via email. It's a good idea to create a new, throwaway, secondary email account to do this. This keeps your primary email account safe and protects it from spam.
If you are concerned with how a company is handling your personal data, you can file a complaint with the relevant government agency in your country. This will vary around the world – for example, in the US, it’s the Federal Trade Commission, and in the UK, it’s the Information Commissioner’s Office.
Companies such as PrivacyDuck and DeleteMe will help keep your data private. However, these companies charge a fee for their services.
You can also use a VPN (Virtual Private Network) to enhance your online privacy. When you connect to the internet using a VPN, your IP address remains hidden, and your data is encrypted. Kaspersky VPN Secure Connection stops hackers from reading your data and provides online privacy.