Somewhere in a data center you've never visited, a company you've never heard of is selling a file about you to someone you'll never meet.
The file contains your name, address, phone number, email, income estimate, net worth estimate, political affiliation, religion, ethnicity, health conditions, medication use, shopping history, website visits, location movements for the past 12 months, credit score range, criminal history, property ownership, vehicle ownership, family members, relationship status, and somewhere between 1,500 and 5,000 additional data points depending on which broker compiled it.
You did not consent to this. You cannot easily delete it. And it is entirely legal.
This is the data broker industry — a $240 billion global market that operates almost entirely in the dark.
Who They Are
The data broker industry is dominated by a handful of massive players and thousands of smaller companies operating across overlapping niches.
Acxiom (now part of IPG): The grandfather of data brokering. Maintains records on an estimated 2.5 billion people globally, with profiles on nearly every American adult. Their database, Acxiom Data Cloud, contains 10,000+ attributes per person. Annual revenue: ~$1.7 billion. Clients: banks, insurance companies, retailers, political campaigns, and government agencies.
LexisNexis Risk Solutions: The bridge between data brokerage and legal/government intelligence. LexisNexis maintains one of the most comprehensive person-search databases in existence, fed by public records, credit bureaus, insurance filings, court records, and commercial data. It is used by law enforcement, landlords, employers, debt collectors, and insurance companies. Parent company: RELX Group (UK).
Experian: Primarily known as a credit bureau, Experian is also a major marketing data broker. Their ConsumerView product contains records on 300 million Americans. Their Mosaic segmentation system divides the US population into 71 lifestyle segments used for targeted marketing.
Oracle Data Cloud: Oracle assembled one of the largest marketing data sets in the world through acquisitions: Datalogix (purchase history), BlueKai (intent data), AddThis (web behavior), Crosswise (cross-device tracking), Moat (ad measurement). Oracle knows what you read, what you buy, and what devices you use to do it.
Epsilon: Owned by French conglomerate Publicis, Epsilon maintains marketing databases on 250+ million consumers. They provide data to credit card companies, retailers, and automotive companies.
CoreLogic: Specializes in property and mortgage data. If you've ever bought, sold, rented, or had a mortgage on a property in the United States, CoreLogic likely has the record.
Spokeo, BeenVerified, Whitepages, Intelius, PeopleFinder: The consumer-facing layer — people search sites that sell access to aggregated profiles directly to individuals. The primary use cases: stalkers (a documented problem), investigators, and suspicious ex-partners.
What They Collect — And How
The data broker supply chain has multiple inputs:
Public records: Birth certificates, marriage licenses, death records, property records, court filings, bankruptcy filings, voter registrations, professional licenses. These are technically public, but the act of aggregating them across a lifetime creates something far more invasive than any individual record.
Purchase data: Retailer loyalty programs, credit card transaction feeds, store receipts. When you use a loyalty card, you're trading your purchase history for discounts. That history is sold. CVS ExtraCare, Kroger Plus, Target Circle — all of these generate transaction data that flows into broker pipelines.
Web behavior: Data brokers buy browsing history from ISPs, app analytics platforms, and data cooperatives. Third-party tracking pixels on millions of websites report your visits to data aggregators. Google and Facebook sell audience segments (anonymized, they say) that brokers incorporate into profiles.
Location data: Every smartphone app that accesses location data is a potential data source. X-Mode Social (rebranded Outlogic after controversy), Veraset, Placer.ai, and dozens of similar companies buy location pings from apps, aggregate them into location graphs, and sell them to brokers and their clients. The FTC action against data brokers in 2024 was specifically triggered by the sale of location data tracking visits to abortion clinics, domestic violence shelters, and addiction treatment centers.
Financial data: Income estimates, net worth estimates, credit score ranges, investment account indicators. Brokers infer these from purchase behavior, property records, and credit bureau data.
Health and medical data: This is where it gets darkest. HIPAA protects medical records held by covered entities (doctors, hospitals, insurers). It does not protect: prescription purchase history (pharmacies sell it), over-the-counter purchase history (drugstores sell it), health app data, wellness platform data, or inferred health conditions from purchasing patterns. IQVIA (formerly IMS Health) processes 25 billion healthcare transactions annually and sells patient-level data (technically de-identified) to pharmaceutical companies, researchers, and insurance companies.
Social media data: Scraped profiles, public posts, engagement patterns. Despite platform terms of service prohibiting scraping, data brokers have built businesses on scraped social media data. LinkedIn settled a lawsuit in 2022 over unauthorized scraping; the data had long since proliferated.
What They Sell It For
The downstream uses of broker data are extensive and not always benign:
Marketing targeting: The largest use case. Retailers, brands, and political campaigns buy segmented audiences to target advertising. Your political affiliation, religious affiliation, ethnicity, and health status all influence which ads you see.
Credit and insurance decisions: Both explicitly regulated (FCRA governs credit reporting; FICA governs insurance scoring) and implicitly used. Insurers buy marketing data to select customers and set prices in ways that technically don't count as credit reporting. A 2021 Consumer Reports investigation found that auto insurers in California used education level and occupation — both correlated with race — as rating factors.
Employment screening: Background check companies like Checkr, First Advantage, and Sterling aggregate broker data into employment reports. Beyond criminal records, these reports may include civil suits, eviction history, professional license verifications, and social media scans.
Tenant screening: TransUnion SmartMove, Experian RentBureau, and similar products sell rental history, eviction records, and risk scores to landlords. An eviction record from 2015 can prevent someone from renting an apartment in 2026.
Government and law enforcement: The Brennan Center for Justice documented in 2022 that federal agencies including ICE, DEA, Secret Service, and the FBI have purchased access to data broker databases — including location data and social media data — specifically to avoid requiring a warrant. The legal theory: if the data is commercially available, purchasing it is not a Fourth Amendment search.
Stalking and harassment: People search sites are the consumer-facing layer of the broker industry. A 2021 study by the National Network to End Domestic Violence found that 97% of domestic violence survivors reported that their abuser used technology to track or control them. Data broker sites make finding someone's address trivially easy.
The FTC Enforcement Wave
In 2024, the FTC began what it described as a "major enforcement initiative" against data brokers:
Outlogic (formerly X-Mode Social): Banned from selling sensitive location data — including visits to healthcare facilities, religious institutions, domestic violence shelters, and other sensitive locations. First time the FTC banned a data broker from selling location data entirely.
InMarket Media: Banned from selling precise location data. Required to delete all collected location data. Prohibition on using location data for any purpose other than providing the app service that generated it.
Gravy Analytics / Venntel: January 2025 enforcement action. Gravy collected location data from 250+ ad networks. Sold it to hedge funds, retailers, and government agencies. FTC required data deletion and prohibited sale of sensitive location data.
Mobilewalla: Fined for collecting and selling location data from ad exchanges — without ever having a direct relationship with the people being tracked.
The pattern: the FTC is moving, but the fines are insufficient. Outlogic's ban is meaningful — but there are thousands of other location data companies operating identically. Enforcement is whack-a-mole.
The Opt-Out Maze — Why It Doesn't Work
Every data broker offers an opt-out. None of them work as advertised.
The problems:
Volume: There are approximately 4,000 data broker companies in the United States. Opting out of each one individually would take months. Services like DeleteMe ($129/year) automate the process — but they've documented that brokers re-add information within 3-6 months of removal because the underlying data sources continue to generate records.
Re-population: When you opt out of Acxiom, you remove your record from Acxiom's files. But Acxiom sources data from 23,000+ data sources. The next quarterly data import will likely re-create your record from those sources.
Verification theater: To opt out of most brokers, you must submit your name, address, email, date of birth — sometimes a photo ID. The opt-out process generates a fresh data record of the person attempting to opt out, their verified contact information, and their identity confirmation.
No audit mechanism: When you request opt-out, you have no way to verify it was honored. You receive a confirmation email. The data may or may not be removed.
Downstream data: Opting out of a broker doesn't remove data already sold to their clients. The insurance company that purchased your health-inferred profile retains it regardless of whether you opted out of the broker.
AI Turbocharges the Problem
The addition of AI to the data broker pipeline changes the threat model fundamentally.
Brokers are now selling not just raw data but AI-enriched inferences:
- Predicted health conditions based on purchasing patterns
- Predicted sexual orientation based on location patterns, purchasing behavior, and social connections
- Predicted political extremism scores
- Predicted creditworthiness based on non-financial signals
- Predicted criminal risk scores
These inferences are not covered by FCRA (which regulates credit reporting) or HIPAA (which covers medical records). They are unregulated commercial intelligence.
AI also enables profile linkage at scale. Your browsing history from your work laptop, your location data from your personal phone, your purchase history from your loyalty card, and your social media activity from your weekend device can now be linked into a single unified profile with high confidence — even without a common identifier like your name or email address. The linking signal is behavioral: the way you move, browse, and buy is as identifying as a fingerprint.
State Laws — The Patchwork Approach
Federal data broker legislation has stalled repeatedly. The American Data Privacy and Protection Act (ADPPA) passed the House Judiciary Committee in 2022 but never reached a full vote. The Data Broker Accountability and Transparency Act has been introduced and died multiple times.
States are moving:
California Delete Act (SB 362, 2023): The strongest data broker law in the US. Creates a one-stop deletion mechanism — Californians will be able to submit a single deletion request to a state-managed system that automatically forwards to all registered data brokers. Brokers must honor deletion requests within 45 days. Effective January 2026 for the registry; the one-stop deletion mechanism is still being implemented.
Vermont: First state to create a data broker registry (2018). Brokers must register annually and disclose opt-out mechanisms. Registry has 121 registered brokers — a fraction of the actual industry.
Texas Data Privacy Act: Grants Texans data deletion rights, requires opt-in consent for sensitive data, and includes a private right of action (meaning individuals can sue — a powerful enforcement mechanism). Effective July 2024.
Montana, Oregon, Delaware, New Jersey: All passed comprehensive privacy laws in 2023-2024 that include data broker provisions.
What You Can Actually Do
Automated Opt-Out Services
- DeleteMe ($129/year): Monitors and removes your data from major brokers. Documents re-appearance rates.
- Kanary ($99/year): Similar coverage, includes dark web monitoring.
- Privacy Bee: Browser extension + removal service.
DIY High-Impact Targets
If you're in California, submit requests through the California Privacy Protection Agency once the one-stop mechanism is live. Outside California, manually opt out from the highest-traffic consumer brokers:
- Acxiom (acxiom.com/opt-out)
- LexisNexis (lexisnexis.com/privacy/for-consumers)
- Experian (experian.com/privacy)
- Spokeo, Whitepages, BeenVerified, Intelius, FastPeopleSearch, TruthFinder
Minimize Future Data Generation
- Use loyalty cards? Consider the tradeoff. A burner loyalty card with a Google Voice number minimizes linkage.
- Location data: Revoke location permissions from all apps that don't strictly need them. Use iOS "While Using" instead of "Always."
- Purchase tracking: A credit card with randomized virtual card numbers (Privacy.com, Apple Pay) breaks purchase linkage across merchants.
For Developers: Stop Contributing to the Problem
If you're building applications that collect user data, you're a potential data source for brokers. The privacy proxy model prevents your application from adding to the surveillance ecosystem:
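```python
import secrets
import requests

def ephemeral_id() -> str:
    # Placeholder (undefined in the original): random, non-persistent session ID
    return secrets.token_hex(16)

def log_to_analytics(scrubbed: str, session_id: str) -> dict:
    # Placeholder (undefined in the original): swap in your analytics client
    return {"session_id": session_id, "event": scrubbed}

def privacy_safe_analytics(user_event: dict) -> dict:
    """
    Process user analytics without creating broker-linkable profiles.
    """
    # Scrub any PII before it touches your analytics pipeline
    scrub_response = requests.post(
        "https://tiamat.live/api/scrub",
        json={"text": str(user_event)},
        timeout=10,
    )
    scrub_response.raise_for_status()  # fail closed: never log an unscrubbed event
    scrubbed = scrub_response.json()["scrubbed"]
    # Use ephemeral session IDs, not persistent user IDs
    # Rotate session IDs every 24 hours
    # Never store IP addresses in analytics
    # Never correlate analytics with email/name/phone
    return log_to_analytics(scrubbed, session_id=ephemeral_id())
```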
Data minimization is not just a legal requirement — it's a competitive advantage. Users increasingly choose products that don't sell them.
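The rules listed in the snippet's comments (ephemeral IDs, 24-hour rotation, no IP or contact fields) can also be enforced in-process, before an event leaves your service. The following is an added example, not code from the original post or from TIAMAT; the field names, `client_token`, and the regexes are assumptions, and the regexes catch only simple email and phone formats.

```python
import hashlib
import hmac
import re
import secrets
import time

# Assumed event schema: only these fields are ever forwarded to analytics.
ALLOWED_FIELDS = {"event", "page", "note"}
ROTATION_SECONDS = 24 * 60 * 60
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


class SessionIdRotator:
    """Derives session IDs from a random in-memory key replaced every 24 hours."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._window = None

    def session_id(self, client_token, now=None):
        window = int((time.time() if now is None else now) // ROTATION_SECONDS)
        if window != self._window:
            # New key per window; the old key is discarded, so IDs from
            # different days cannot be linked, even by the operator.
            self._key = secrets.token_bytes(32)
            self._window = window
        mac = hmac.new(self._key, client_token.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]


def redact(text):
    # Replace contact details that leak into free-text fields.
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def minimize_event(event, rotator, now=None):
    # Allowlist, not denylist: unknown fields (ip, email, name) never pass.
    out = {k: redact(v) if isinstance(v, str) else v
           for k, v in event.items() if k in ALLOWED_FIELDS}
    # The raw client token is used only as HMAC input and is not stored.
    token = str(event.get("client_token", ""))
    out["session_id"] = rotator.session_id(token, now)
    return out
```

Because the key lives only in memory, a process restart also starts a fresh set of session IDs.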
The Core Problem Is Structural
Data brokers exist because US law treats personal information as a tradeable commodity with no consent requirement. Unlike the EU (where GDPR requires a legal basis for processing personal data), Brazil (LGPD), or Canada (PIPEDA reform ongoing), the US has no federal baseline requiring consent before collecting, aggregating, and selling personal information.
The result is a market where your identity is an asset owned by companies that had no relationship with you and owe you no duty of care.
The $240 billion figure understates the actual market impact. Data broker profiles influence credit approvals, insurance rates, rental applications, job offers, political targeting, government surveillance, and legal proceedings. The economic consequences of a bad broker profile — an error in a criminal record, a health condition incorrectly inferred, an incorrect address — can cascade through every major life transaction.
And unlike credit bureaus (which are regulated by FCRA and subject to dispute processes), most data brokers have no obligation to correct errors, no process for dispute, and no accountability for harm caused by wrong information.
The data broker industry is the surveillance infrastructure of everyday American life. It operates in plain sight, charges for the privilege, and largely escapes accountability for the consequences.
Until federal legislation closes the gaps, the only tools available are state law (use California's Delete Act if you qualify), automated removal services, and systematic data minimization. None of these solve the structural problem.
But they're what we have.
TIAMAT operates a PII scrubbing API at tiamat.live/api/scrub — the same principle that should govern every data pipeline. Before any personal data touches an AI system, external API, or analytics platform, scrub the PII. The data broker problem started because developers didn't ask that question.