AVG Signal Blog Privacy Privacy Tips Data Brokers: Who They Are and How They Work
Data_brokers-whos_selling_your_data-Hero

What is a data broker?

Data brokers are companies that collect, bundle, and sell your information to third parties interested in targeting you as a consumer, a buyer, and sometimes a private citizen. Aggregating and selling data is the core function of data brokerage and the reason why data brokers exist.

This article contains:

    What is a data broker in comparison to an information broker? No difference. They both operate in the business of selling data to make a profit. The terms “data broker” and “information broker” can be used interchangeably.

    What do data brokers know about me?

    Data brokers know personal information about you such as your full name, age, gender, email address, phone number, date of birth, place of residence, personal interests, buying habits, and education level. Sometimes they even have deeply sensitive data like your income and health status or arrest record.

    This kind of information helps the data broker industry classify you into a predefined category and sell your profile to anyone interested.

    Your public persona that is bought and sold by the data broker industry can feel like a poorly written biography by someone who’s been eavesdropping. Even though part of the data brokerage process is to enrich, cleanse, and analyze profiles before licensing them for other companies to use, what they know about you may be shallow, inaccurate, and entirely assumed.

    • Have you been searching for baby clothes for your pregnant sister-in-law? You might be classified as pregnant.

    • Did you sign up for a loyalty card at your local pharmacy where you buy medicine for your diabtec grandmother? You might be classified as a health risk.

    • Are you writing a research paper about gambling, and so visiting websites that may indicate you’re a risk taker? You might be targeted for high-risk loans.

    And even when data brokers do get your information right, as in accurate, it’s still very creepy to see what they know about you.

    • Are you registered to vote? They know your political-party affiliation.

    • Do you have a membership card for a brick-and-mortar store? They know your buying behavior.

    • Do you have social media accounts? They know your personal interests, what you like and dislike, your date of birth, your full name, where you’ve been, and who you’re related to. Oh, and whatever you told them on those addictive quiz apps.

    Want to keep this type of private information actually private? And, specifically, remove yourself from unwanted data broker lists? AVG BreachGuard does exactly that — it helps you take control of your online privacy and keep your data from falling into the wrong hands.

    How do data brokers collect information?

    Data brokers collect information by tracking your activities on and offline. Application programming interfaces (APIs) from social media sites, mobile apps, and e-commerce sites offer windows into your online activities. Offline activities can be tracked via public records (marriage licenses, property records, business licenses, the DMV) and brick-and-mortar loyalty programs.

    How data brokers collect information may seem mysterious, but every time you search on Google, use mobile apps, interact on Facebook, Twitter, or Instagram, or just go about your typical digital day, you produce identifiable data that could fall into the hands of a third party. 

    It’s called web tracking. Web tracking is made possible by software that’s installed on most websites and mobile applications to track your online activity, such as your clicks, page views, time on site, and even your mouse movements. These data points stitched together can create implied preferences and help data brokers categorize you based on assumed purchasing intent. Data brokers also learn a lot when you engage in unsafe activities online and, of course, when hackers get their hands on your data.

    If you think of on and offline as two avenues for information collecting, now consider the two source points — first-party brokers and third-party brokers.

    First-party data brokers collect enormous amounts of data in exchange for using their products. Every pic you post, every “like” you give, every search you make, every product you order that arrives with shockingly fast overnight delivery provides more information about you. They’re called first-party brokers because they have a direct relationship with you, the customer. 

    While most first-party data brokers are adamant they don’t sell your data, some may use clever wordplay to skate around privacy regulations. For example, they could sell access to your data, not your data itself. In a certain search engine giant’s own words, advertisers can target people “based on what they’re passionate about and their habits and interests” as well as “their recent purchase intent” (i.e., what you search for online). One silver lining is that some services let you download your data to see what they have on you.

    Third-party data brokers like Experian and Equifax buy, repackage, and sell data of people with whom they have absolutely no direct relation.

    How do data brokers make money?

    Data brokers make money by selling the personal information they’ve collected, refined, and bundled into consumer categories. Most often, data ownership is not technically transferred between parties (i.e., “sold” in the traditional sense), but rather leased to multiple third parties in the form of subscription contracts.

    The jackpot for a data broker is selling data as a pre-packaged consumer bundle. The whole is greater than the sum of its parts. You, the “cycling enthusiast” or you, “the new homeowner” is the type of aggregated personal data that third parties are willing to pay big money for.

    The more refined the pre-packaged data, or the more sensitive, the higher the price tag. By combining contact information (name, email address, telephone number), demographic data (salary, age, gender, ethnicity), and consumer-preference data (likes, dislikes, shopping habits) data brokers are able to create categories that will sell.

    Some categories, like “cycling enthusiast,” seem harmless. Worst case, you’ll be wrongly targeted to purchase a new bike, when you really prefer rollerblading. But ethical boundaries arise when data brokers begin creating and selling lists of “rape sufferers,” “erectile dysfunction sufferers,” and “AIDS/HIV sufferers.”

    You could actually buy lists of people assumed to be afflicted by these life circumstances for $79 a pop.

    Broadly speaking, the data broker business model focuses on predefined consumer bundles. However, not all types of data buyers are interested in purchasing these packages. Sometimes data brokers make money by selling information about a specific person, usually in the form of White Pages or people search sites.

    Who's buying my data?

    In addition to advertising agencies and political parties who purchase data to target you with political messages, other buyers are interested in buying data on you specifically. Landlords may buy your data to assess your credibility as a tenant, financial institutions to assess your risk as a borrower, and prospective employers to assess your potential as a job candidate.

    How much is my data worth?

    Data brokerage is a multi-billion dollar industry — we’re talking around $200 billion. Dang! As a sum, that’s an enormous value. Now you must be asking, how much is my data worth, specifically. That price tag varies from $89 per email address to $8 per month for access to your social media accounts.

    For those looking to venture into digital vigilantism and take ownership of your digital worth, you can actually become your own data broker.

    Or, a better alternative is to remove your data from these shady lists altogether. You can prevent data brokers from making money off you with AVG BreachGuard, which automatically requests that your data be removed from their lists. AVG BreachGuard also comes with 24/7 privacy risk monitoring and will alert you right away in case any of your personal data is ever exposed.

    Is it legal to broker data?

    It depends on where you live. People living in the EU are far more protected than those living in, say, China or Russia.

    In the US, highly lucrative industries like data brokerage are pushed by big money to loosely interpret the law. Even the regulators themselves (legislators who are voted into office by targeted, big-spend election campaigns) benefit from the fine line of data brokerage.

    And, in fact, most people unknowingly consent to having their data sold. Remember the last time you quickly clicked “accept” on a website without reading the terms and conditions? Yup — it happens all the time. And it’s totally legal in the US. In Europe, meanwhile, GDPR — the data privacy and security law that covers any organization that targets or collects data related to people in the EU — has a very specific definition of what qualifies as “consent.”

    In the US, illegal data brokerage practices can even vary from state to state. Medical records and reports relating to credit scores are usually somewhat protected, though. This grey zone of data protection and online privacy rights can make data brokerage teeter on the line of murky at best, criminal at worst.

    Current data-protection laws and regulations

    Unlike the EU’s GDPR, there is no federal data-protection law in the US that broadly defines acceptable practices. But the Federal Trade Commission (FTC) tries to play a role in pushing along the digital privacy agenda and generally prohibits “unfair or deceptive acts or practices in or affecting commerce.”

    While the FTC can be far reaching, unfortunately many ideas that come from this governing body can be just that — ideas. In May 2014, the FTC released a 110-page report titled “Data Brokers: A Call for Transparency and Accountability,” which focused on the results of a comprehensive study detailing the practices of nine high-profile data brokers.

    The outcome? Nothing. No legal regulation was adopted from the commission’s recommendations. Unlike Europe, the US hasn’t adopted all encompassing federal-level legislation and instead leaves it up to individual states and individual industries to protect data.

    The Health Insurance Portability and Accountability Act (HIPAA), for example, is a nation-wide law that protects your health care and health insurance data. But you can still be targeted online for prescription drugs based on traces of your user data.

    But there is light at the end of the data tunnel. Here are the most important regulations currently on the books in the US to protect your data, along with a more comprehensive list of data-privacy legislation here.

    • Fair Credit Reporting Act (FCRA): Passed in 1970, the law requires that consumer reporting agencies let you access and correct errors in your credit report. The shortcoming is that this law does not apply to data brokers, who are not considered consumer reporting agencies — such as people search brokers, marketing and advertising brokers, and risk mitigation brokers.

    • California Consumer Privacy Act (CCPA): Passed in 2018, this law extends consumer privacy protection to the internet. People are entitled to access the categories in which they’ve been classified by data brokers, and must be provided with a web notice and clear opportunity to opt-out before a business can sell their data.

      A 2019 amendment to the CCPA makes it mandatory for data brokers to register with, and pay an annual fee to, the California Attorney General. The CCPA is considered the most comprehensive data protection law that exists in the United States — but only California residents are protected.

    • Vermont’s Data Broker Law: Passed in 2018, this comprehensive law requires data brokers to register on an annual basis with the state and self-report many aspects of the way they do business. This includes providing opt-out information for individuals, disclosing their data-procurement processes, reporting on data breaches, and providing free access to credit freezes.

    The four most common types of data brokers

    1. Marketing and advertising brokers specialize in helping companies target you as a consumer. The most well-known brokers include Datalogix, owned by Oracle, and Acxiom, which is reported to have 3,000 attributes and scores on 700 million people.

    2. People search brokers sell data profiles on individual people. Some people search brokers like Pipl require you to indicate your intentions for the data, while others like Spokeo give you immediate results for free.

    3. Personal health brokers specialize in collecting sensitive information about your health (prescription drugs, over-the-counter drug purchases, and so on) and your assumed health (symptoms you search about online). They then sell this data to health insurance companies who can, in turn, refuse to insure you or raise your rates based on your data profile.

    4. Financial information brokers specialize in selling personal information about an individual’s credit score and likelihood to default on loans. They also help verify an applicant's true identity to prevent fraudulent activities. This type of data can be used against you in the form of higher interest rates from insurance companies or a loan denial from a bank. The major players in this sector include Experian, Equifax, and Transunion.

    How can I opt out of these lists?

    It’s hard to stay off data broker lists entirely and consistently, but you do have a few options. You can contact individual data brokers directly to request removal. You can pay a company to do it for you. Or you can avoid getting on unwanted lists in the first place by taking small steps to protect your privacy online.

    • Option 1 — Self-opt out 

      This route can be highly time consuming, and not always 100% effective. Privacy Rights Clearinghouse has an accessible list of data brokers, along with a link to their privacy policies, and a brief description of the opt-out process. It’s a good place to start, but opting out of individual data broker lists takes patience, progress tracking, and must be done regularly to be effective.

    • Option 2 — Pay a company to opt out for you

      Save yourself some time and enlist a service like AVG BreachGuard to do the tedious, dirty work for you. Not only will you get 24/7 privacy risk monitoring and data broker list removal, you’ll also get the inside scoop on who’s been tracking you.

    • Option 3 — Stay off lists in the first place

      Another option is to practice smart online behavior by encrypting your data and keeping it safe. This includes using a secure browser, like AVG Secure Browser, and avoiding unnecessary risks online like opening unknown emails, signing up to random accounts, and downloading risky apps. While these are smart, safe browsing habits, they won’t necessarily be effective in avoiding data brokers. And despite all your best efforts, data breaches on legitimate websites — which can expose your sensitive data to the world — are beyond your control. That’s why it’s important to have a privacy, risk-monitoring plan established.

    Be proactive about your data with AVG BreachGuard

    AVG BreachGuard is your digital bodyguard, protecting you from unforeseen online threats 24 hours a day, 7 days a week. AVG BreachGuard offers three layers of privacy protection:

    1. 24/7 privacy risk monitoring — If and when a data breach happens, AVG BreachGuard knows about it. We monitor the dark web non-stop for your leaked data and deliver instant alerts about privacy threats and how to fix them.

    2. Removal from data broker lists — There’s no doubt you’re already on hundreds, maybe thousands, of third-party data broker lists. AVG BreachGuard lets you see what type of information data brokers are collecting about you, and automatically demands that they remove you from their databases.

    3. Account security review — Audit your existing online presence and get tips for how to better protect your digital life, such as increasing the strength of your passwords and optimizing your account settings.

    In today’s world, it can feel impossible to get real digital privacy. But you need not worry with AVG BreachGuard there to protect you.

    Connect privately on your iPhone with AVG Secure VPN

    Free trial

    Connect privately on your Android with AVG Secure VPN

    Free trial