It’s not just companies that consumers do business with online that collect and use personal data. Data brokers — also known as information brokers — access, aggregate, and sell huge amounts of personal data. This often happens without the knowledge or consent of the individuals the data belongs to, but is done legally.
Data is big business, too. The data brokerage market value is nearly USD 434 billion for 2025. We look at what data brokers do, how they obtain personal data and what they do with it, what laws they have to comply with, and what people can do if they don’t want data brokers to have their information.
What are data brokers?
Data brokers are companies that collect, analyze, aggregate, and sell consumer data. This data is collected from a variety of sources, including individuals’ online activities, social media platforms, forms and surveys, financial transaction records, and public records.
These companies often perform various kinds of aggregation, augmentation, analysis, and repackaging of data. The result can be valuable consumer profiles and packages of data that are sold to other organizations ranging from ad networks to law enforcement.
Who do data brokers sell data to?
Depending on the types of data and how it’s analyzed and processed, a wide variety of organizations and industries purchase the data that brokers sell, including:
- Marketers and advertisers: e.g. using purchasing history, online behaviors, and demographic details for highly targeted ad campaigns
- Employers and recruiters: e.g. using employment history, financial records like credit scores, and social media activity to perform background checks and help enable hiring decisions
- Fraud prevention and cybersecurity companies: e.g. using email and phone usage, IP addresses, and device “fingerprints” (unique IDs) to investigate and identify fraud or authenticate user identities
- Health and pharmaceutical companies: e.g. using health-related search or purchasing history and fitness tracker data to perform research and market healthcare products
- Financial institutions: e.g. using spending habits, loan histories, credit health indicators, and income estimates to assess credit risks and target financial products like mortgages
- Insurance companies: e.g. using medical history, lifestyle choices, vehicle ownership and driving records, and property records to assess risks and determine insurance policy pricing
- Retail and real estate companies: e.g. using household income, purchasing history, real estate search history, and property ownership history to identify potential home buyers and target advertising
- Government agencies and law enforcement: e.g. using purchasing behavior, social media activity, geolocation and mobile tracking, and public records for surveillance, investigations, and public safety initiatives
- Politicians and campaign staff: e.g. using online search histories, social media interests, political affiliation, and voter registration records to target potential voters with personalized political messages and ads
How do data brokers get your information?
Data brokers can collect information from public sources, like property ownership, business registration, or voter registration information. They can also obtain information from a wide variety of online sources and individuals’ activities.
Information that data brokers obtain from users’ online activities
Data brokers collect a lot of digital personal data, especially from everyday user activities. For example, via cookies and other tracking technologies they can collect data on people’s search and browsing histories, time spent on sites and pages, and ecommerce activities like purchases or abandoned carts.
Activities people voluntarily participate in online, often for some incentive, are also a great source of data. For example, contests and giveaways, surveys and quizzes, and reviews or feedback forms for products and services can all deliver detailed identifying information, demographic data, and insights on preferences and habits.
Information that data brokers obtain from mobile app use
From apps, brokers can track GPS location, purchases, and habitual activities. From connected devices (Internet of Things) ranging from fitness trackers to computerized systems in cars, there’s a wealth of information about activities, preferences, locations, and more.
Information that data brokers obtain from financial transactions
Financial transactions are protected by a number of regulations, but data brokers still have access to a wide variety of data sources. These include purchase histories from retailers and loyalty card programs, credit card use trends (like how often people buy online), anonymized and aggregated data about consumer spending habits, and information about subscription services (e.g. streaming media services or meal plans).
Information that data brokers obtain from healthcare activities
Health information is also heavily regulated, but data brokers can still legally access information about health-related search queries, revealing health interests, concerns, or diagnoses. They obtain data about health status from fitness trackers and other monitors, and they can obtain health-related purchasing information, such as purchases of medications, supplements, or assistive devices.
Information that data brokers obtain from third parties
Data brokers don’t always collect or process personal data themselves. Often they purchase data collected by others from their customers. These entities include:
- Ecommerce platforms
- Streaming media services
- Marketing agencies
- App publishers (e.g. health, fitness, gaming)
In some cases this data is anonymized before sale, but it can still provide valuable information about demographics, volumes or frequencies of purchasing or use, etc. In some cases, however, data brokers can cross-reference data and re-identify individuals.
Information that data brokers obtain from data breaches
In addition to all the more publicly available sources, plenty of information can be obtained on the dark web, which is where vast amounts of data from data breaches tend to end up. These data sets can range from specific types of data, like names, email addresses, or credit card numbers, up to extensive customer profiles with a lot of sensitive personal information.
Given the frequency of data breaches, it can be possible to obtain and match data from multiple breaches to create rich profiles of breach victims’ personal information, which can be used for fraudulent activities or re-sold.
Do data brokers have to get consent?
In many cases, no. Particularly in the United States, data brokers do not need explicit or informed consent from the individuals whose data they collect and use. This is in part because publicly available data does not typically require prior consent.
Additionally, some data is exempt because it has been anonymized, and some companies include data sharing clauses in their terms of service, which users have to agree with to access a service, make a purchase, etc., but often do not read in detail.
It also depends on the jurisdiction. For example, in the European Union, explicit and informed consent is required from individuals before their data is collected, per the General Data Protection Regulation (GDPR) and other laws.
However, in the United States, for the states that have privacy laws to date, in most cases personal data can be collected and used without needing to obtain prior consent, unless the data subject is a child. The main legal requirement is that data subjects be informed about data processing and their rights.
Types of data for which data brokers would likely need to obtain consent under various laws include the following:
- Financial and/or credit data (US: Fair Credit Reporting Act)
- Health and medical data (US: Health Insurance Portability and Accountability Act)
- Children’s data (US: Children’s Online Privacy Protection Act)
- Personal data protected under regional privacy laws (US: CCPA/CPRA and others, EU: GDPR and others)
There can be loopholes in regulatory requirements as well. For example, websites and apps that track health and fitness data are not subject to HIPAA, and social media platforms may not verify that users are over the age of 13, so may collect and sell children’s data without legally required parental consent.
How do data brokers make money?
Data brokers make their money from selling the data they collect, or insights that can be gleaned from analyzing the data. Often they sell to other types of companies or organizations, but sometimes they sell data to other data brokers.
Data can be sold in several different ways. The most straightforward is bulk sales of data to advertisers, marketers, and other companies. The more timely, well organized, and detailed the data is, the more data brokers can charge for it.
Data brokers can also maintain continually updated databases, and sell access to the data they contain on a subscription basis. These subscriptions are particularly valuable to marketers for targeting advertising, for financial institutions to do risk assessments, or for companies that need live or near-live geolocation data.
Data brokers can also make data more valuable by combining data from multiple sources and analyzing and segmenting it.
Combining individuals’ preferences and activities, purchase histories, and other sources, data brokers can create detailed profiles and groups, like people who regularly enjoy luxury travel, or people of a certain age and education level who are likely to vote for a specific political party.
Data brokers can also make well-educated predictions from data and spot burgeoning trends, selling that information rather than the data that produced them. This can also be highly valuable for brands and marketers.
Brokers’ databases are also used in paid partnerships, like with ad networks and social media platforms, via direct platform integrations. Data brokers provide detailed consumer profiles via the databases, and advertisers pay for access to this information.
The more targeted the information, the more they pay, and the broker makes a fee or commission from the ad network. This information is then used to show highly targeted ads to platform users.
Beyond the business world, data brokers can also sell data to government agencies and law enforcement. This can include location data, biometrics like facial recognition data, social media activity, and other personal information these entities can gain access to through private contractual agreements.
Organizations that require high levels of security can also purchase tools from data brokers, which are powered by personal data. For example, banks, cybersecurity companies, and retailers may be interested in tools to improve identity verification and fraud detection to cut down on credit card fraud, and banks can use them to authenticate loan applicants.
Why are data brokers legal?
Data brokers’ operations are legal for a number of reasons. The most direct one is that some data they collect and use is publicly available to anyone, so the average person could collect and analyze it the same way data brokers do.
Another reason is that there are loopholes in some privacy laws and other relevant regulations, which enable data brokers to access and process various kinds of personal data.
Some laws intended to protect data and individuals’ privacy are also aging rapidly and may no longer adequately protect privacy rights and personal data in a world where technology continues to evolve rapidly. Legislation rarely proceeds as fast as the tech industry, and in the US, specifically, there is a patchwork of federal and state-level regulation.
In some cases, individuals do provide consent for collection and use of their data. They just may not know it if they don’t make a habit of reading Terms of Service and other relevant documents. Or they may have consent fatigue and just click “Accept” without reading further because they want to access a website, complete a purchase, or perform some other function.
Also, as we noted at the beginning of the article, it’s a highly lucrative industry and the data is extremely valuable to a lot of entities. Some companies — in addition to the data brokers themselves — make a lot of money from the flow of personal data (the volume of which is always increasing).
This means many companies, agencies, etc. have strong incentives to lobby for continued access to data from as many sources and for as many uses as possible.
What data privacy laws regulate data brokers?
There aren’t many laws that explicitly regulate data brokers, but their activities are included in a variety of laws with varying jurisdictions and covering various industries. Some of these include the following.
Federal US laws regulating data brokers
The United States doesn’t have any federal laws explicitly regulating data brokerage. However, it is covered by laws addressing the operational requirements of certain industries, specific audiences whose data brokers may collect and use, and other factors. These are the most important US federal laws regulating data brokers:
- Fair Credit Reporting Act (FCRA)
- Federal Trade Commission (FTC) Act
- Health Insurance Portability and Accountability Act (HIPAA)
- Children’s Online Privacy Protection Act (COPPA)
State-level US laws regulating data brokers
To date, only some states have data privacy laws passed or enacted, and the US does not have a federal privacy law. Data brokerage is covered under some state-level data privacy laws, but a few states also have laws that more directly target these businesses.
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- Data Broker Registration Statute (California)
- Virginia Consumer Data Protection Act (VCDPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) and Amendment SB-260
- Vermont Data Broker Law
International laws regulating data brokerage
Some international data privacy laws are more stringent than US laws, and cover any entity collecting or processing personal data to offer goods and services or to monitor individuals. As a result, data brokers are covered under these broader regulations.
- European Union
- Canada
- Australia
- Brazil
- India
- Japan
How do you remove data from data brokers?
Data brokers collect personal information from a wide variety of sources, and many consumers are not even aware that it’s happening. As a result, it may seem daunting to try to get your data removed from their databases. But there are several ways to go about it.
You can approach the data removal process manually, and personally request removal of your data from individual data brokers. It’s free to do so, but requires completing forms, verifying your identity, and sending emails, so will cost you in time spent.
There are paid data removal services that will do the legwork for you. Some focus on specific types of sites and services; others tout their ability to remove data from dozens of brokers. These are typically subscription services that regularly monitor and have your data removed.
Beyond the brokers themselves, personal information can appear in search engine results. Companies like Google do provide tools to request removal of your data.
Under the GDPR, European residents have the “right to be forgotten”, though that isn’t necessarily the case elsewhere.
However, individuals can request removal of personal information that appears online, like phone numbers or addresses, whether on websites or search results, for example if doxxing has occurred (the publishing of private and/or identifying information about an individual online, typically with malicious intent).
This requires contacting the search engine company or website owner to request data removal, and may not be a fast process. (Privacy laws that provide deletion rights do typically include a time frame within which requests must be acted upon.)
How to prevent data brokers from accessing your data?
Data brokers can’t sell your data if they don’t have it, and there are a few ways to prevent or limit the personal data you create online.
Adjust privacy settings in web browsers and on social media accounts. Remove or limit the tracking they perform on your activities. Use search engines that center privacy and use less or no tracking. On mobile phones, disable app tracking for iOS or Android, and decline when new apps ask if they can initiate tracking.
As the old saying goes, “if something is free, you are the product”. So expect that free apps or services will be tracking and collecting your data and very likely monetizing it. This can include everything from fitness trackers to VPNs to weather apps.
There are privacy-focused apps and services for just about all functions we perform online, from instant messaging to email to browsing. You may want to make the switch.
When you do need to provide personal data, e.g. when signing up for services, you can use specific and generic credentials. For example, create an email account, potentially from a temporary email service, that’s separate from your main account. Use that to complete an ecommerce purchase as a “guest” or to sign up for newsletters.
Depending on where you live, you may also have access to free phone numbers so you don’t have to provide your real one. You can use one of those when it’s for a purpose where you won’t actually need to be contacted by phone.
How Usercentrics helps you protect your personal data and privacy
For individuals, it’s important not to ignore consent banners on websites. Depending on where you live, you may see them a lot, but taking a moment to interact with them and read important information means you can then make informed decisions and can decline consent for many kinds of tracking.
Or, if you live in a jurisdiction like a US state where prior consent is not required but there is a privacy law in place, you likely have access to a mechanism on websites where you can opt out of specific uses of your personal data, like for targeted advertising.
For companies, respect your customers and relevant laws regarding access to and sale of personal data. Building trusted relationships with your audience is the best way to obtain high quality data for marketing and other business-critical purposes. Use a consent management platform for transparency and to enable granular consent decisions.
Usercentrics enables companies to create user-friendly consent banners for websites, apps, and other connected platforms that match company branding and provide legally required information and consent options to users. Achieve and maintain privacy compliance with regulations around the world, and build trust with users.