what is a data brokerMay 28, 2026Leak Check Me

What Is a Data Broker? The $290 Billion Industry That Sells You by the Profile

A data broker is a company that collects and resells your personal information. Here's how the $290B industry works — and what you can do about it.

As of January 2026, the California Privacy Protection Agency's data broker registry listed 545 companies — and that's just the ones legally required to register in one state. Worldwide, market researchers put the active count at roughly 5,000 brokers buying and selling personal information about, essentially, everyone with a postal address. The global data broker market was valued at around $290 billion in 2025 and is on track to top $470 billion by 2032.

That's the industry. Most people have never heard of any of the companies in it. This post explains what a data broker actually is, how they get your information, what they do with it, who buys it, and what's finally starting to change.

One-sentence answer: A data broker is a company that collects personal information about people from public records, commercial sources, scraped websites, and breaches, then packages and sells that data to advertisers, employers, debt collectors, insurance underwriters, identity verifiers, and government agencies.

TL;DR

Data brokers operate as middlemen between sources of personal data and buyers who want it.
Sources include public records (county courts, voter rolls, property deeds), commercial purchases (loyalty programs, warranty cards), scraped sites (social media, professional directories), and breach corpuses.
Buyers range from advertisers and marketers to law enforcement, immigration agencies, insurance underwriters, and identity-verification services.
The industry generates roughly $290 billion globally per market research firms, with around 5,000 companies operating.
California's Delete Act (SB 362) creates the first centralized opt-out system; it goes live for consumer requests in 2026.

The textbook definition (and what it leaves out)

The FTC defines a data broker as a company that "collects consumers' personal information and resells or shares that information with others." That covers it technically. What it misses is the scale of the operation and the variety of buyers.

A real-world data broker doesn't just have your name and address. It probably has your age, household income range, marital status, number of children, vehicle make and model, recent purchases at hundreds of merchants, the medications you've been prescribed (or have searched for), the political party you most likely vote with, the religion you most likely identify as, your inferred health conditions, and a credit-adjacent risk score. Acxiom, one of the largest, holds data on roughly 260 million Americans across 162 million U.S. households.

How brokers actually collect your data

Four pipelines feed the broker ecosystem.

Public records

County recorder offices, court systems, DMVs, voter registration databases, and property assessor records publish personal information by design. Marriage and divorce records, property purchases, civil suits, criminal records, business registrations, professional licenses — all of it is legally public and most of it is digitized and bulk-downloadable.

Brokers run scrapers that pull these records as fast as the agencies publish them, then standardize the data into searchable profiles. This is the backbone of every people-search site you've ever heard of.

Commercial data purchases

Every time you fill out a warranty card, sign up for a loyalty program, enter a sweepstakes, donate to a campaign, fill out a survey, or check a "yes, share my info with partners" box, you've handed a data point to a commercial collector who then resells it. Loyalty programs in particular are quiet feeders — grocery cards, drugstore rewards, airline miles — all sold downstream into broker profiles you'll never see.

Web scraping

Social media profiles, professional directories like LinkedIn, GitHub, news sites, podcast appearances, conference attendee lists — anything published on the open web gets scraped, indexed, and joined with your existing profile. Even "private" social posts have leaked through scraping repeatedly.

Breached and leaked corpuses

This is the dirty pipeline. Some brokers — and many more dark-web vendors that brokers buy from — incorporate leaked breach data into their profiles. A leaked email/password pair from a 2018 breach gets cross-referenced with a current address pulled from a county record, and now an attacker has a much more complete person to target. The credentialed sources resist talking about this; the Krebs on Security archive is the best ongoing record.

How brokers sell it (and to whom)

Brokers don't operate one product line. They operate several, often through the same corporate parent.

People-search products. Spokeo, BeenVerified, Whitepages, Radaris, MyLife, Intelius. These sell consumer-facing lookups — "find an old friend," "see who's calling," "background check on your date." The pitch is consumer; the customers include stalkers and abusive ex-partners. We cover the specifics here.
Marketing brokers. Acxiom, LiveRamp, Epsilon, Experian Marketing Services. These sell to ad networks, retailers, and political campaigns. Their products are audience segments and lookalike models built on hundreds of attributes per person.
Risk-assessment brokers. LexisNexis Risk Solutions, TransUnion, ID Analytics. These feed credit scoring, insurance underwriting, fraud detection, and employment screening. LexisNexis Risk Solutions claims to process over 270 million transactions per hour.
Identity-verification brokers. Companies like LexisNexis, Equifax, and Idology sell knowledge-based authentication ("which of these addresses have you lived at?") to banks, telecoms, and the IRS.
Location brokers. Companies that aggregate mobile-device GPS data harvested from apps. Venntel, X-Mode/Outlogic, Babel Street, Kochava. Until recently this pipeline ran almost entirely unregulated.
Government data brokers. Companies like Thomson Reuters CLEAR and LexisNexis Accurint that combine public records with commercial data and sell access to law enforcement, ICE, and the IRS. The Brennan Center and EFF have documented this extensively in our piece on the government data broker loophole.

How big is the industry, really

Estimates vary because researchers define the market differently — some include only consumer-data brokers, others fold in B2B marketing data and credit bureaus.

Grand View Research put the global data broker market at $290 billion in 2025, growing to roughly $473 billion by 2032 at a 7.2% CAGR.
The U.S. accounts for roughly 40% globally.
California's registry of 545 brokers (January 2026) is just one state's count of consumer-data brokers required to register. The U.S. total is several thousand once you include marketing brokers not covered by California's definition.

Regulators are finally moving

For decades the data broker industry operated with almost no federal oversight in the U.S. That's beginning to shift.

FTC enforcement actions

In January 2024, the FTC settled with X-Mode Social and its successor Outlogic, prohibiting them from selling sensitive location data. The complaint cited the sale of location data that could be used to track visits to medical clinics, places of worship, and domestic abuse shelters. The order was finalized in April 2024.

The FTC also has an ongoing case against Kochava — first filed in August 2022 — alleging the broker collected and sold precise GPS-level location data from hundreds of millions of mobile devices without meaningful consent. A federal judge in Idaho denied Kochava's motion to dismiss in February 2024 and the case is moving toward trial.

California's Delete Act

In October 2023, California Governor Gavin Newsom signed SB 362, the Delete Act, the first U.S. law to require a centralized opt-out system across all registered data brokers in a state. The California Privacy Protection Agency (CPPA) is building DROP — the Data Broker Requests and Opt-Out Platform — which will let any California resident file a single request that propagates to every registered broker.

Key dates:

January 2024: Registry opened.
January 2026: Consumer DROP requests begin.
August 2026: Brokers must access DROP at least every 45 days.

The CPPA has already enforced. In July 2025 it fined Accurate Append $55,400 for failing to register. Background Alert was ordered to suspend operations until 2028 or pay $50,000. Small numbers in absolute terms, but the precedent matters.

Other states and the federal picture

Vermont, Texas, and Oregon have followed with their own broker registration regimes. At the federal level, the Fourth Amendment Is Not For Sale Act has bipartisan momentum but has not passed as of mid-2026.

What this means for you, practically

Three things are true at once. One: Data brokers aren't going away — the industry is too profitable and too useful to legitimate businesses (insurance underwriting and identity verification are real things) to be regulated out of existence. Two: Your individual exposure is mostly fixable — the brokers that surface your address, phone, family, and employer in a public people-search profile are exactly the brokers you can file opt-outs against, and exactly the ones California's Delete Act targets first. Three: Knowing the industry exists is step one. Breaking the link between your leaked credentials and your live broker-fed profile is step two, which we cover in our data leak protection manifesto.

What you can do today

Check the California broker registry. It's searchable here. If you're a California resident, prepare to use DROP when it opens to consumers.
Run your name through the top three people-search sites — Spokeo, Whitepages, BeenVerified — and see what profile they have on you. That's your visible exposure.
Stop feeding the supply side. Stop filling out warranty cards. Use a separate email for loyalty programs. Decline cashier requests for your phone number.
File the top six people-search opt-outs — Spokeo, Whitepages, BeenVerified, Radaris, MyLife, Intelius — and bookmark the URLs. You will be back in 60–90 days.
Watch the FTC's data broker page. Enforcement is the only thing that meaningfully changes the industry's behavior at the margins.

The pitch

We built Leak Check Me to do the practical half of the work — helping execute eligible opt-out actions against brokers that surface your contact information and patrolling for the relistings that come back. The mission is small and concrete: $20 to scrub the top broker profiles once, $19/mo if you want us to keep watching. We don't claim to dismantle the industry. We claim to make your personal corner of it noticeably quieter. Start a scrub mission at leakcheckme.com.