Who’s Selling Your Data? Why Data Brokers Are Under Fire

Key Takeaways:

• Data brokers are companies that collect, buy, and sell personal information often without your knowledge. They gather data from apps, websites, and public records to build detailed profiles for marketing and risk targeting.
• State governments are stepping in with their own privacy laws to regulate data brokers and increase transparency. But without a unified federal law, protections still vary widely depending on where you live.
• At the heart of the issue is control. People want more say over who collects their data, how it’s used, and the ability to limit or revoke that access—but current systems rarely make that possible.

 

A growing number of Americans are finally asking a long-overdue question: Where does my personal data actually go? In most cases, data brokers, advertisers, and third parties collect and trade that information, often without your knowledge or consent. They extract, categorize, and sell everything from real-time location data to intimate health details at massive scale.

This quiet but powerful industry is now under public scrutiny. States are launching investigations, lawmakers are proposing reforms, and privacy advocates are demanding more transparency and control. What many once dismissed as the price of using “free” online services is now seen as a systemic privacy failure. It threatens safety, enables discrimination, and erodes trust in the digital economy.

This article explores the rise and role of data brokers, why they’re under growing pressure, and how new policies and technologies are beginning to reshape the future of privacy and identity.

What Are Data Brokers?

Data brokers are companies that collect, organize, and sell personal information, usually without any direct relationship with the people whose data they use. They gather this information from a wide variety of sources, including mobile apps, loyalty programs, public records, social media platforms, online purchases, and web browsing activity. Most individuals have no idea their personal details are being shared, let alone sold.

The scale of this industry is enormous, and still largely hidden from view. A 2018 academic analysis estimated that between 2,500 and 4,000 data broker firms were operating in the United States at the time. That number has likely grown, especially as data collection technologies have become more advanced and widespread. Yet despite their influence, many of these companies remain unregulated and invisible to the average consumer.

What Data Do Brokers Collect and Why Does It Matter?

The types of data traded go far beyond email addresses or shopping history. Brokers actively buy and sell details like home addresses, income brackets, GPS locations, voter registration records, browsing behavior, purchase history, and even assumptions about a person’s health status or political views. Companies often collect this data through vague app permissions or buried consent language, which makes it hard for users to understand what they’re agreeing to.

These practices come with real consequences. When the wrong people access personal information, it can lead to identity theft, financial scams, stalking, and reputational harm. In a 2024 investigation, a U.S. senator revealed that a data broker sold location data tied to visits to nearly 600 Planned Parenthood clinics across 48 states. An anti-abortion group then used that data to target individuals with millions of personalized ads, raising alarms about how easily sensitive health-related information can be exploited without consent. Some brokers also sort individuals into sensitive categories based on race, religion, or income level—data that others can use to deepen inequality and discrimination. Unlike credit reports, these profiles are rarely available for review, correction, or deletion, leaving people exposed with few options.

Why Are Data Brokers Facing Scrutiny Now?

Cases like the Planned Parenthood data sale have made it clear how exposed people’s personal information really is. The fact that companies can track visits to a reproductive health clinic, a place of worship, or even a protest using location data has raised serious alarms among privacy advocates, lawmakers, and the public. These are no longer isolated incidents. They reveal a broader pattern drawing new attention and calls for change.

Recent investigations have uncovered widespread failures across the industry. In 2025, a joint review by the Electronic Frontier Foundation and Privacy Rights Clearinghouse found that hundreds of data brokers were violating state registration laws in places like California, Texas, Oregon, and Vermont.

Even among those that did register, many are still falling short. A 2025 study by UC Irvine researchers found that nearly 43 percent of registered data brokers in California did not respond to consumer data requests, violating the state’s privacy law. Another analysis found that only one in ten offered a clear way for users to opt out of data sales or sharing.

These are not simple mistakes. They show a deeper unwillingness within the industry to respect user rights or follow the rules. Even in states with strong privacy laws, enforcement remains inconsistent. People often have no clear way to check what data has been collected or to get it removed.

As more of these failures come to light, the pressure to fix them is growing. Privacy groups are calling for stronger laws and better enforcement. State lawmakers are launching investigations and proposing new rules to hold data brokers accountable. Across the country, there’s a growing sense that personal data should not be treated like any other product. It’s sensitive information that deserves clear limits, strong protections, and real control in the hands of the people it belongs to.

How States Are Regulating Data Brokers With New Consumer Privacy Laws

While new state laws mark progress, they also highlight a growing problem. People in one state may have strong privacy protections, while those in another have almost none. This patchwork approach makes it harder for individuals to understand their rights and more complicated for companies to follow the rules. Without a national privacy law, the system remains uneven. Some states are building stronger guardrails, but for now, your protections largely depend on where you live.

As the risks posed by data brokers become harder to ignore, some state lawmakers are stepping up. In the absence of federal action, they’re introducing new rules aimed at giving people more control over how their personal data is collected, shared, and sold. Here are a few examples of how states are addressing the issue:

1. California: One-Click Opt-Out and Routine Audits

California has taken the lead with some of the strongest privacy laws in the country. In 2023, the state passed the Delete Act (SB 362). This law requires data brokers to give people a simple, one-click way to opt out of all data collection and sales across every registered broker. It also mandates regular audits to ensure brokers are following the law. These steps build on earlier protections under the California Consumer Privacy Act and are meant to make privacy rights easier to exercise.

2. Texas: Casting a Wider Net

Texas passed two laws, SB 1343 and SB 2104, that expand who qualifies as a data broker under state law. These laws now require more companies to register and follow privacy rules, including responding to access and deletion requests. By lowering the threshold for coverage, Texas has pulled a much broader group of businesses into its regulatory system.

3. Vermont and Oregon: Early Movers with Strong Registries

Vermont was the first state to pass a data broker law, back in 2018. It created a public registry and required brokers to disclose the types of data they collect and report any security breaches. Oregon followed with updates in 2023, requiring clear consumer notices and stronger rules for responding to data requests. These early efforts helped shape the growing national conversation around broker accountability.

Why the U.S. Still Lacks Federal Data Broker Regulations

The patchwork of state laws exists for a simple reason: Congress has yet to pass a national privacy law that addresses the data broker industry. While lawmakers across the political spectrum have expressed concern over how personal data is collected and sold, attempts to create federal standards have repeatedly stalled.

One proposal—the American Privacy Rights Act (APRA)—aimed to set nationwide rules for how companies handle consumer data. But like other recent privacy bills, it has struggled to gain the bipartisan support needed to move forward.

Meanwhile, federal agencies have faced their own setbacks. A proposal under the Biden administration would have empowered the Consumer Financial Protection Bureau (CFPB) to limit the sale of sensitive personal data. However, in 2025, the Trump administration reversed course and shelved the plan before it could take effect.

Without federal action, the result is a fragmented system where your rights depend on your ZIP code. In some states, you may have the right to access, delete, or block the sale of your personal information. In others, those protections don’t exist at all.

The lack of a unified federal law also leaves businesses with no consistent framework to follow. Companies that operate nationwide must navigate a growing number of state-level regulations, each with different definitions, timelines, and penalties. For consumers, this means privacy protections are neither guaranteed nor easy to enforce.

Why People Feel Trapped in the Data Broker System

Most people never notice when companies collect their personal data. There’s no alert, no confirmation screen, and no clear explanation. You browse a website, download an app, or use a discount code, and in the background, companies quietly harvest, sell, and pass along your information to third parties you’ve never heard of.

By the time someone tries to take back control, it’s often too late. Brokers have already copied, packaged, and distributed their data across dozens of systems. While some offer opt-out forms, they often bury them or require more personal details just to complete the request. Many people give up before they finish the process.

This leads to a deep sense of powerlessness. You may notice ads that feel too personal. You may get denied a loan, charged a higher insurance premium, or flagged during a background check without ever knowing why. Behind these outcomes could be a profile you never created, built from data you never knowingly shared.

What’s at stake goes far beyond privacy. When people feel powerless over how others use their information, it undermines trust—not just in companies, but in institutions, technology, and society. Protecting personal data isn’t just a legal issue. It’s about fairness, dignity, and the right to make choices without being quietly judged or manipulated behind the scenes.

How to Opt Out of Data Brokers and Take Back Control of Your Personal Information

The system may feel stacked against individuals, but that doesn’t mean you have no options. While the process isn’t always simple, there are steps people can take to reduce how much of their personal information is collected, stored, and sold.

These actions fall into two categories: what you can do on your own, and what we can push for as a society. Neither path offers a quick fix, but together, they can begin to shift control back to the people who should have it in the first place.

As an Individual

There are several ways to reduce your exposure to data brokers:

• Submit opt-out requests to registered data brokers. Some states maintain public registries where you can see which brokers are operating and how to contact them. These opt-out processes vary by company, and many require identity verification, but they are a critical first step.
• Use data removal services. There are tools and services that specialize in sending removal requests on your behalf, tracking broker responses, and flagging new data exposure. While some are paid, they can save time and help manage a complex process.
• Adjust your digital habits. Review app permissions on your phone, avoid apps and websites known for aggressive tracking, and consider using privacy-focused browsers or browser extensions to reduce passive data collection.

As a Society

Individual actions matter, but long-term change requires broader reform. To build a system where privacy is the default, we must:

• Pass stronger privacy laws that limit how much data companies can collect in the first place. The burden should not fall entirely on individuals to opt out after the fact.
• Push for greater transparency from platforms, data brokers, and third-party vendors. People should have a clear view of who is collecting their data, how it is used, and whether it can be deleted.
• Support cross-border collaboration among regulators. Working groups like the Global Privacy Assembly and the Consortium of Privacy Regulators are pushing for stronger enforcement, coordinated oversight, and shared strategies to protect individuals in a fragmented regulatory landscape.
• Support privacy-first technologies that give users more control. Tools like verifiable credentials, decentralized identifiers, and on-device data wallets allow people to prove things like age or identity without exposing unnecessary personal details. These systems are designed to prevent data from being stored or sold in the first place. By supporting selective disclosure, they offer a safer alternative to traditional models that rely on collecting and retaining sensitive information.

Conclusion

The growing pressure on data brokers reflects a broader cultural and policy shift. Public awareness is rising. States are passing new laws, and more people are questioning how their information is collected and used. These changes matter, but they are not enough on their own.

Without strong national protections and technologies that give individuals control, people remain vulnerable. Opt-out forms and state registries offer limited relief in a system that continues to treat personal data as a product.

The future of identity should not depend on surveillance, profiling, or unchecked data collection. It should be built on consent, transparency, and the ability to share only what is necessary. Real privacy starts with control, not with damage control after your information has already been used.

About Identity.com

Identity.com is committed to building a future where individuals—not third parties—control their personal information. As an open-source ecosystem and member of the World Wide Web Consortium (W3C), we support privacy-first standards that give people more autonomy online. Our decentralized identity tools allow businesses to verify users securely and efficiently, without relying on invasive data collection. Through technologies like verifiable credentials and reusable Gateway Passes, we help reduce onboarding friction while protecting privacy. To learn how Identity.com can support your identity verification and compliance needs, please get in touch.