How to Prevent Companies from Buying and Selling Your Personal Information
Your information is everywhere. Here's how to stop data brokers from buying and selling it.
Online security is a major issue, but when we ask the hard questions about cybercrimes, we need to go beyond how to tell if our computers have been hacked or what someone can do with our phone numbers. A growing concern is the matter of digital privacy. We know without question that Google is watching our online activity, but perhaps less publicized is the fact that a ton of our personal information is floating around the Internet. And data brokers are selling it to the highest bidders.
That fact shocked a lot of viewers who tuned in to a recent episode of Last Week Tonight, during which host John Oliver put the spotlight on companies in the business of selling personal data. Ironically, some of the features that make the Internet work better for us—like cookies—are what allow data brokers to track every move we make online. While it might be annoying to know that stores are spying on you, a more nefarious use of information gleaned from data brokers is doxxing, a digital attack in which a person’s personal information is published online in a threatening or vengeful way.
Plenty of people sling barbs and defend controversial opinions on social media sites while hiding behind fake accounts, but because of data brokers, nobody is as anonymous as they want to be. “Purchasers of data can use it to expose individuals for political, religious, or other ideological views,” says Randall Trzeciak, director of the masters of science in information security policy and management program at Carnegie Mellon University’s Heinz College. So let’s dive into what data brokers know about us, how they collect our information, and what they do with it.
What is a data broker?
“Data brokers will gather whatever data they can find given the tools they have and the services you’ve used,” says Dan DeMers, cofounder and CEO of data collaboration platform Cinchy. “The fundamental issue at the heart of the debate around data brokers is really about control.”
Data brokers know your birthday, your religion, your address, your shopping habits, and more. They buy and collect all this personal information, which they then sell to other companies. Those companies use the data to target and profile you, marketing products more effectively. “Data brokers buy, aggregate, and sell personal data collected from third parties,” says Paul Bischoff, a privacy advocate with Comparitech. “Typically, the people whose data is being bought and sold are not aware of these transactions.”
When national credit bureau Equifax got hacked in 2017, the information of 147 million Americans was compromised, and according to the Federal Trade Commission, the company settled for $425 million to help victims impacted by the data breach.
But the hack was only part of it.
In addition to providing credit ratings, Equifax also operates as a data broker and keeps the information of approximately 800 million individuals and more than 88 million businesses. “The biggest risk that data brokers pose is being hacked and millions of people’s personal information being stolen,” says Eric Florence, a cybersecurity analyst with SecurityTech. “This has already happened to Equifax.”
Who is the biggest data broker?
Despite those numbers, Equifax is not the biggest data broker. That badge goes to Acxiom, which according to Radhika Gupta, the founder of 365 Solutions, “handles the data of a whopping 2.6 billion people in 62 countries.”
Yep, the company is most likely in your business.
“Acxiom has records on pretty much every adult in the U.S. and many other countries,” says digital privacy and security expert James Wilson, founder of My Data Removal. “They work with many Fortune 500 companies, and nearly half of all Fortune 100 companies.”
Data brokers fall into two categories: business to business and business to consumer. “The big B2B data brokers gather information from multiple sources, combine it, analyze it, and sell it, mostly to marketers,” Wilson says. “The B2C data brokers get data wherever they can. They often show some data for free and try to get you to pay, usually between $1 and $30, to see the full record.”
The top 10 B2B data brokers:
- Oracle America
The top 10 B2C data brokers:
How do data brokers collect your information?
Data brokers use legal means of collecting your information. For starters, they can learn a lot from the cookies that track your every move online. “Cookies collect data and are enabled, in part, by the consent forms and privacy policies that the vast majority of website visitors and application users tend to agree to without much—if any—scrutiny,” DeMers says.
Indeed, consenting to cookies seems to be the price of admission on many sites, with the Accept button big and bold. The Reject button is, unsurprisingly, either harder to find or the prize at the end of a rabbit hole of permissions.
But there are other ways for data brokers to get your information. They’ll buy it from other companies, including credit card companies. And according to Lyle Florez, founder of Easy People Search, they’ll crawl the Internet for public information found on social media sites like LinkedIn, Instagram, and Facebook.
“Collecting information is getting easier day by day with all those mouthwatering shopping offers and visually stunning free-to-play games. Free-to-play apps or signing up for discount/membership cards require handing over a good amount of information,” says network security engineer Andreas Grant, founder of Networks Hardware. “Any information we make public on our social media profile is also up for grabs. Every time we visit a website, our activities are tracked, plus there is public information, like birth certificates and marriage licenses, which anyone can access.”
In short, everything is fair game when it comes to collecting info about you. “Data brokers scrape data from other websites, like social media; data breaches; public records [including property tax records]; and services you use, like PayPal, the waste management company, Verizon, and everyone else who has your data,” adds Wilson.
What do data brokers know about you?
“Data brokers collect genuine and crucial information about you, which can be extensive and can include everything from your birth date and addresses to your job title, number of children, and even your outside interests,” Florez says.
In an attempt to do an anonymous search without tracking, many of us turn to private browsers or Google Incognito mode, but these are imperfect tools. “Even Google’s Incognito mode has been known to have data leaks, so it’s hard to trust that these are reliable options,” says James Milin-Ashmore, a cybersecurity expert at Always VPN. “As hard as this is to stomach, what Google is doing isn’t illegal by any means. It’s simply storing the information we voluntarily provide.”
So no matter how you browse the Web, data brokers may have all of the below information about you—and then some.
- Phone numbers
- Email addresses
- Birth date
- Income range
- Web browsing history
- Shopping history
- Health status
Data brokers will collect “possibly any information available online that can help companies narrow down our preferences or enrich the people search websites,” Grant says.
Exactly how much info they have on a person varies. “But think about the information you share on social media,” says Shmuli Goldberg, chief marketing officer at Identiq. “Think about your online activity and the apps you use—which track your location, your activity, your contacts, your photos—and which of those you allow to collect that information.”
What does a data broker do?
Data brokers are in the business of selling your information to large companies, governments, and advertising agencies. They combine data on consumers from different sources, sort and analyze it, and then sell it to anyone willing to buy it. With the staggering amount of data produced each day by every person in the world, it’s no surprise that revenue from data brokering is estimated to be between $200 and $400 billion every year.
It can feel creepy to google “first signs of pregnancy” and then receive coupons for formula and diapers, or to pick up a prescription for high blood pressure and then see ads for tips on lowering it. And you might wonder if someone’s spying on your iPhone. But it’s important to note that while HIPAA regulations protect the information you relay to your doctor, anything you search for on the Internet is not protected in the same way.
“If you are a company looking to target expectant mothers, then being able to find people based on their Web history, gender, and age range will allow your company to spend every advertising dollar more wisely,” says Chris Pierson, PhD, the founder and CEO of BlackCloak, a company specializing in personal digital protection for high-net-worth individuals.
But remember: Data brokers aren’t just selling to marketers eager for your cash. They’re selling to anyone who’s willing to pay, including governments. In fact, the Centers for Disease Control and Prevention (CDC) purchased the location data of millions of phones to determine whether Americans followed lockdown orders during the COVID-19 pandemic.
What risks do data brokers pose?
“The main problem with data brokers is a severe lack of transparency,” Bischoff says. “Consumers have no control over who has their data, how it’s protected, or whom it’s being shared with. That leaves consumers with no reliable recourse to remove data from the Internet or confront those who collected and shared it.”
That’s right: You may be able to remove personal information from Google search results, but that doesn’t eliminate it from the far reaches of the Internet. And it doesn’t stop data brokers from finding it.
“We’ve already seen how the lack of regulation on data brokers can get out of hand,” Bischoff says. “Perpetrators of domestic violence can hire private investigators who purchase information about victims, such as their location history.” (Unfortunately, abusers can also track you with Apple AirTags as well.) The fact that there aren’t any current regulations preventing data brokers from selling that information means that people are at risk.
And the fear of dire consequences increases when people consider that governments are clients of data brokers.
According to a May 2022 report from the Georgetown Law Center on Privacy and Technology, the Immigration and Customs Enforcement agency (ICE) has cut deals with data brokers to get its hands on the information of hundreds of millions of Americans. As the researchers put it, “ICE now operates as a domestic surveillance agency.” And that’s not just for people who are about to be deported.
And in 2020, U.S. defense contractors bought data from the apps Muslim Pro and Muslim Mingle. Not only does the information identify users by their religion, but because Muslim Mingle is a dating and chat app, it could also identify LGBTQ+ Muslims. In the United States, people who aren’t out to their family or friends may fear danger or negative repercussions should an app reveal their sexual preference to the highest bidder.
Elsewhere in the world, the danger is even graver. “Being identified as gay in the U.S. might not seem so bad,” Bischoff says. “But what about LGBTQ+ people in countries where such relationships are illegal?”
The risks posed by data brokers when it comes to personal health are another growing worry. “In light of the possible reversal of Roe v. Wade, we’re already seeing data brokers line up to sell the location data of people who visit abortion clinics,” Bischoff says. “And nothing is stopping data brokers from selling that info to whomever they please.”
If a state made abortion illegal, it could purchase and use this data to track down people it considers criminals.
Are data brokers illegal?
Because these aren’t illegal practices, Grant points out, “finding loopholes isn’t too difficult.”
So why is the government OK with the practice? For starters, it works out in Uncle Sam’s favor. “Because the government is not allowed to collect information on everyday citizens for law enforcement purposes, it, too, is a consumer of data broker information,” Pierson says.
Law enforcement agencies such as Homeland Security and ICE can gain access to phone numbers, addresses, driver’s licenses, facial recognition scans, and other data to “track down” people. “Since the government does not warehouse the data but is instead just a consumer of it on an ad hoc basis, this does not run afoul of constitutional restrictions,” he adds.
How can you protect yourself from data brokers?
After reading all this, you may be tempted to disappear completely from the Internet, which is one (albeit extreme) way to protect yourself. Removing yourself from data brokering sites is another option, but it isn’t a one-and-done situation and requires constant vigilance, as data brokers can add new information about you, which isn’t illegal.
How to remove yourself from data broker sites
“You have to go to each site and request that your information be removed, deleted, or suppressed,” Wilson says. “And the process is different for every data broker. Some data brokers will honor your removal and never add you back. Others will add you back, since you weren’t removed from the source but just their database. When they update their database from their source, your record will be back up on their site.”
It can feel like a losing battle. Wilson says you have three options when dealing with data brokers: You can do nothing and hope for the best. You can manually do it yourself. Or you can use a service like My Data Removal, a company he founded. It removes your data from data brokers and checks monthly to ensure the data is still gone. If the company finds your personal information again, it’ll remove it.
How to prevent your data from ending up on a broker’s site
“Check all your privacy settings on every app you use,” Goldberg says. “Few apps need access to your contacts, photos, or location, for example, but many ask for it as if it’s standard. You can also limit the access to [only] when you’re using the app, rather than letting the app track and access it all the time.”
It’s always wise to use good passwords and two-factor authentication, especially on sites with your financial information, but not all websites and apps offer it. (Can’t remember those complex passwords? Use a password manager.)
Few apps will encourage you to be careful about this, so you’ll need to be proactive. Whatever you do, avoid using phrases that appear on common passwords lists—it’ll make it harder for anyone to guess correctly and access your account.
Goldberg also suggests being careful about the things you share on social media. “Do you really want criminals to be able to see where you were at a given time? Or find out your mother’s maiden name or the name of your first pet? Take a look at your privacy settings and make sure they’re right for you,” he says.
- Randall Trzeciak, director of the masters of science in information security policy and management program at Carnegie Mellon University’s Heinz College
- Dan DeMers, cofounder and CEO of Cinchy
- Paul Bischoff, privacy advocate with Comparitech
- Eric Florence, cybersecurity analyst with SecurityTech
- Radhika Gupta, founder of 365 Solutions
- James Wilson, digital privacy and security expert and founder of My Data Removal
- Lyle Florez, founder of Easy People Search
- Andreas Grant, network security engineer and founder of Networks Hardware
- James Milin-Ashmore, cybersecurity expert at Always VPN
- Shmuli Goldberg, chief marketing officer at Identiq
- Chris Pierson, PhD, founder and CEO of BlackCloak
- Perspectives in Health Information Management: “Health Information Privacy Laws in the Digital Age: HIPAA Doesn’t Apply”
- Georgetown Law Center on Privacy and Technology: “American Dragnet: Data-Driven Deportation in the 21st Century”