AIO APEX

The Data Broker Industry Is Finally Facing Real Regulation — What It Means for You


The $300 Billion Industry That Traded Your Life Without Asking

Data brokers — companies that buy, aggregate, and sell personal information without the subject's knowledge — have operated a $300 billion industry for decades with virtually no accountability. That changed in 2024 and 2025. The FTC enacted its first enforceable data broker rule, California's Delete Act (SB 362) took effect in January 2026, and EU regulators levied a €150 million fine against a French advertising network for selling location data without GDPR consent. The era of consequence-free personal data trading is ending — but not fast enough, and not without loopholes.

What Data Brokers Actually Do With Your Information

The business model is simple: collect data from every available source, combine it into comprehensive profiles, and sell access to those profiles to advertisers, insurers, employers, law enforcement, and political campaigns. The inputs are far broader than most people realize.

  • Public records: property ownership, court filings, voter registration, professional licenses
  • Loyalty programs: purchase history from retailer rewards cards, from which income, health status, and lifestyle are inferred
  • App SDKs: mobile apps embed third-party code that collects location data and device identifiers — often with consent buried in a 40-page terms of service
  • Credit card transaction data: sold in aggregate by payment processors, revealing spending patterns across merchants
  • Location pings: GPS coordinates from weather apps, navigation tools, and mobile games, timestamped and stored indefinitely

A typical data broker profile on an American adult contains: full name, current and historical addresses, phone numbers (including unlisted), estimated household income, political affiliation derived from donation records, and health conditions inferred from purchases of prescription drugs, mobility aids, or specific food products. These profiles are updated continuously and sold to anyone willing to pay.

The Major Players and Who Uses Them

The data broker market is dominated by a handful of large companies, each with a different specialization:

  • Acxiom / LiveRamp: Acxiom maintains profiles on approximately 2.5 billion people globally. LiveRamp, its subsidiary, is the dominant "identity resolution" platform — it links offline data to digital ad IDs so brands can target individuals across devices. Primary customers: consumer packaged goods companies and retail advertisers.
  • Experian: Best known as a credit bureau, Experian's marketing services division sells behavioral and demographic data entirely separate from its credit files. It supplies data to direct mail campaigns, insurance underwriting models, and financial product targeting.
  • LexisNexis Risk Solutions: Focuses on identity verification, fraud detection, and background checks. Its data is used by banks, insurance companies, and government agencies including law enforcement — a pipeline that has attracted significant ACLU scrutiny.
  • Oracle Data Cloud (now part of Oracle Advertising): Aggregates purchase data from retailers and media consumption data from publishers. Primarily serves large enterprise advertising campaigns. Oracle announced plans to wind down its third-party data business in 2024 under regulatory pressure, though its first-party partnerships continue.
  • Epsilon: Owned by French advertising group Publicis, Epsilon operates the CORE ID identity graph and focuses on loyalty program data. Major customer base includes auto manufacturers, financial services, and telecom companies.
  • Spokeo and BeenVerified: Consumer-facing "people search" brokers. Anyone can pay $20–$30/month to look up addresses, phone numbers, relatives, and employment history for any person by name. These services are frequently used in stalking cases, a fact documented in multiple state attorney general complaints.

California's Delete Act (SB 362): The Most Significant U.S. Privacy Law You Haven't Heard Of

Signed in October 2023, the California Delete Act took effect in January 2026. It requires every data broker registered with the California Privacy Protection Agency (CPPA) to honor deletion requests submitted through a single, centralized opt-out mechanism — meaning consumers can delete their data from all covered brokers with one submission instead of navigating hundreds of individual opt-out portals.

The law applies to any company that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship." This captures most of the industry. However, the exemptions are significant:

  • Credit reporting agencies operating under the Fair Credit Reporting Act (Equifax, Experian, TransUnion) are largely exempt
  • Background check companies with legitimate business purposes — employment screening, tenant verification — retain broad exemptions
  • Financial institutions covered by the Gramm-Leach-Bliley Act are exempt for data used in financial products

The CPPA is required to build the centralized deletion mechanism, with enforcement beginning in 2026. Fines for non-compliance reach $200 per consumer per day, which creates meaningful financial exposure for large brokers sitting on millions of profiles.

FTC Enforcement: The Kochava Case and the X-Mode Settlement

The Federal Trade Commission spent years issuing reports about data brokers with no enforcement authority. That changed when the agency turned to its unfair practices authority under Section 5 of the FTC Act and began treating location data sales as inherently harmful.

In 2022, the FTC sued Kochava, a mobile analytics firm, for selling precise location data that could be used to identify individuals visiting abortion clinics, addiction treatment centers, and domestic violence shelters. The case established that selling sensitive location data without consent constitutes an "unfair" trade practice regardless of whether consumers technically agreed to data collection in an app's terms of service. The litigation is ongoing as of mid-2026.

In January 2024, the FTC settled with X-Mode Social (rebranded as Outlogic) for $4.95 million — the first data broker settlement in FTC history involving location data. X-Mode had sold precise location data to U.S. military contractors and government agencies, including data that could identify religious sites, political rallies, and medical facilities. The settlement required deletion of all data and prohibited the company from selling sensitive location information without explicit consent.

The FTC has also proposed a formal rulemaking that would classify location data and health data as categorically "sensitive," requiring affirmative opt-in consent before collection or sale — a standard far higher than the current industry practice of opt-out-if-you-can-find-it.

EU Enforcement: GDPR Article 9 Finally Has Teeth

The EU's General Data Protection Regulation has nominally prohibited selling sensitive personal data without explicit consent since 2018. Enforcement was slow until 2024, when regulators shifted attention to the advertising technology supply chain.

The French data protection authority (CNIL) imposed a €150 million fine on a French advertising network for selling location data from mobile apps to advertisers without obtaining GDPR-compliant consent. The case turned on the interpretation of Article 9 — which covers health, political, religious, and biometric data — as applying to inferred characteristics derived from location patterns, not just directly collected sensitive categories.

Ireland's Data Protection Commission (DPC), which oversees most of Silicon Valley's EU operations due to companies' Irish headquarters, opened investigations into mobile advertising SDKs operating in the EU. Given that Ireland's DPC has historically been criticized for slow enforcement, the investigations represent a meaningful escalation. GDPR fines can reach 4% of global annual revenue, which for large data brokers creates existential financial risk.

What This Means in Practice Right Now

Regulation is having a measurable but incomplete effect on the industry. Data brokers have begun more actively honoring deletion requests — not out of goodwill, but because CPPA audits and FTC scrutiny make non-compliance expensive. Opt-out portals that previously required physical mail and notarized documents are now accessible online.

However, the fundamental structural problem persists: deletion is not permanent. Data brokers operate automated re-scraping pipelines that continuously pull from public records, app SDKs, and data partners. A profile deleted today can be rebuilt in 30–90 days from new data points. This is why consumer deletion services require ongoing subscriptions rather than one-time cleanups.

Tools to Actually Remove Your Data

Three services dominate the consumer data removal market:

  • DeleteMe ($129/year for one person): Manually submits opt-out requests to 750+ data brokers on behalf of users, with quarterly re-submission to catch re-appeared profiles. Covers Spokeo, BeenVerified, Whitepages, Intelius, and most major people-search brokers. Does not cover credit bureaus.
  • Privacy Bee ($197/year): Broader coverage than DeleteMe, claiming 200+ additional broker sites. Includes a browser extension that flags data-sharing requests in real time. Effectiveness is reported at approximately 60–80% removal success — profiles at some brokers are technically impossible to delete due to legal exemptions.
  • Kanary ($99/year): Focuses on speed of removal and provides a dashboard showing which brokers returned profiles and removal status. Smaller broker list than competitors but faster initial sweep.

None of these services can remove your data from credit reporting agencies, law enforcement databases, background check providers operating under FCRA exemptions, or government public records (court filings, property records, voter rolls). For those, you would need to pursue sealing of records through legal processes — expensive and jurisdiction-specific.

Where the Industry Is Pivoting

Facing regulatory pressure, the largest data brokers are not exiting the business — they are rebranding their products as "privacy-preserving." Three strategies dominate:

  • Cohort targeting: Instead of selling individual profiles, brokers sell access to audience segments defined by behavior — "people who visited car dealerships in the last 30 days" — without exposing individual identifiers. Google's Topics API, which replaced third-party cookies in Chrome, is the most visible version of this approach.
  • First-party data partnerships: Brokers position themselves as intermediaries between brands with first-party customer data, facilitating audience matching without data transfer. Epsilon's loyalty data network and LiveRamp's data collaboration platform operate on this model.
  • Clean rooms: Privacy-preserving computation environments where two companies can analyze overlapping audiences without either seeing the other's raw data. InfoSum and Habu (acquired by LiveRamp) are the leading vendors. Clean rooms are technically more privacy-respecting but still enable the same behavioral targeting outcomes — they obscure the mechanism, not the result.

What You Should Do Right Now

Regulation moves slowly. These are the practical steps you can take today to reduce your data broker exposure:

  • Opt out of CCPA data sales: Every California-compliant website must offer a "Do Not Sell or Share My Personal Information" link. Use it for every major retailer, data broker, and platform you interact with.
  • Subscribe to a removal service: DeleteMe or Privacy Bee will not achieve 100% removal, but reducing your profile's presence on people-search sites meaningfully lowers exposure to targeted harassment, phishing, and social engineering attacks.
  • Audit location permissions: Review every app on your phone and revoke location access for any app that doesn't need it to function. Disable "precise location" for apps where approximate location suffices. This cuts off the primary pipeline data brokers use for real-time location intelligence.
  • Freeze your credit reports: A credit freeze at Equifax, Experian, and TransUnion prevents new accounts from being opened in your name, and it also limits updates to background check data derived from credit files. Freezes are free to place and lift under federal law.
  • Use the CPPA deletion portal when it launches: California's centralized opt-out mechanism is the most significant single action available to consumers once operational — one submission covers all registered brokers.

The $300 billion data broker industry is not disappearing. But the combination of California's Delete Act, FTC enforcement authority over location data, and EU GDPR penalties has created genuine compliance costs for the first time. Brokers are building deletion infrastructure because they have to. The leverage now exists — the question is whether enough people use it.
