Data brokers operate a trillion-dollar economy built on personal information, yet most people have never heard of Acxiom, Epsilon, or LexisNexis Risk Solutions. These companies collect, aggregate, and sell detailed profiles about consumers—often without their knowledge or consent. Recent regulatory pushes in the US and EU are finally forcing this shadow industry into the light, but enforcement remains fragmented across state lines and national borders.
- How Does the Data Broker Business Model Actually Work?
- What Are the Primary Data Collection Methods?
- How Are Regulators Responding to Data Broker Practices?
- What Makes Enforcement So Challenging?
- Where Do Current Privacy Laws Fall Short?
- The Technology That Enables Mass Data Collection
- What’s Next for Data Broker Regulation?
- The Hidden Scale: Major data brokers maintain profiles on hundreds of millions of consumers, with each profile containing hundreds of data points about health, finances, and personal preferences.
- The Revenue Model: The same personal information gets resold multiple times to different buyers, creating a trillion-dollar industry most consumers never interact with directly.
- The Regulatory Gap: Fragmented enforcement across jurisdictions allows data brokers to forum shop and avoid comprehensive oversight despite new privacy laws.
How Does the Data Broker Business Model Actually Work?
Data brokers function as intermediaries in the personal information economy. They collect data from public records, retail transactions, social media platforms, mobile apps, and thousands of other sources, then package this information into consumer profiles sold to marketers, insurers, employers, and government agencies.
The business operates on scale. A single data broker might maintain profiles on hundreds of millions of consumers, with each profile containing hundreds of data points. These range from basic demographics and purchase history to sensitive categories like health conditions, financial status, and political affiliations.
Unlike social media platforms or search engines, data brokers rarely interact directly with consumers. You’ve probably never visited Acxiom’s website or created an account with Epsilon, yet both companies likely maintain detailed files about your shopping habits, income level, and lifestyle preferences.
Shadow profile creation allows these companies to build comprehensive dossiers even on people who actively avoid social media platforms. The revenue model centers on data licensing. Retailers pay for lists of consumers likely to buy luxury goods. Insurance companies purchase profiles to assess risk. Political campaigns buy voter targeting data. The same personal information gets resold multiple times to different buyers.
What Are the Primary Data Collection Methods?
Data brokers acquire information through several channels, creating comprehensive profiles by combining data from multiple sources.
Public records provide the foundation. Court filings, property records, voter registrations, and business licenses are all public information that data brokers systematically collect and digitize. These records reveal addresses, family relationships, financial transactions, and legal proceedings.
Commercial transactions generate another major data stream. Loyalty card programs, warranty registrations, contest entries, and online purchases all feed information to data brokers. Retailers often sell customer lists directly, or share data through partnerships with marketing companies.
• Data brokers process millions of consumer records daily through automated matching systems
• Real-time bidding systems broadcast personal data to hundreds of companies within milliseconds of each website visit
• Mobile apps share location data that creates detailed maps of consumer behavior patterns
Digital tracking captures online behavior through cookies, pixels, and mobile app SDKs. According to research by EPIC, data brokers partner with websites and apps to collect browsing history, search queries, location data, and engagement patterns. This creates detailed profiles of interests, habits, and preferences.
Social media monitoring adds another layer. Data brokers scrape publicly available social media posts, analyzing everything from political views to vacation plans. Even privacy-conscious users leave digital footprints that data brokers can piece together.
Survey and contest data provides direct consumer input. Those online quizzes and sweepstakes entries aren’t just entertainment—they’re data collection mechanisms. Consumers voluntarily provide detailed personal information in exchange for prizes or personality insights.
How Are Regulators Responding to Data Broker Practices?
European regulators moved first with the General Data Protection Regulation, which took effect in 2018. GDPR requirements include explicit consent for data processing and give consumers rights to access, correct, and delete their personal information. Data brokers operating in Europe must now obtain clear permission before collecting personal data and provide mechanisms for consumers to opt out.
The regulation’s extraterritorial reach affects US-based data brokers serving European consumers. Companies like Acxiom and Epsilon have restructured their European operations, created new consent mechanisms, and hired data protection officers to ensure compliance.
US regulation remains more fragmented. California’s Consumer Privacy Act, which took effect in 2020, requires data brokers to register with the state and allows consumers to request information about data collection and sales. The law defines data brokers as businesses that collect and sell personal information about consumers they don’t have direct relationships with.
Under California’s definition, a data broker is “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
Vermont took a different approach with its Data Broker Regulation Act, requiring annual registration and basic disclosures about data practices. The state maintains a public database of registered data brokers, revealing the scope of an industry that previously operated in complete obscurity.
What Makes Enforcement So Challenging?
Regulatory enforcement faces significant practical obstacles. Data brokers operate across jurisdictions, making it difficult for individual states to monitor compliance. The industry’s complexity also creates enforcement challenges—data flows through multiple intermediaries before reaching end buyers, making it hard to trace violations back to specific companies.
Many data brokers have adapted by creating new consent mechanisms and privacy controls. Acxiom launched AboutTheData.com, allowing consumers to view and edit their profiles. Epsilon created privacy dashboards and opt-out mechanisms. These changes represent genuine progress, but also reveal the vast scope of data collection that previously occurred without consumer awareness.
• The Brennan Center documents how current regulations fail to cover third-party data brokers whose revenue derives from processing personal information not collected directly from consumers
• Analysis reveals data brokers advertise “troves of personal information” to potential buyers across multiple industries
• Enforcement gaps allow companies to restructure operations to avoid regulatory oversight
Some companies have restructured their business models rather than face regulatory compliance costs. LexisNexis spun off its marketing data business into a separate entity. Other firms have exited certain geographic markets or stopped collecting specific types of sensitive information.
The industry argues that data broker services provide legitimate value by enabling targeted advertising, fraud prevention, and background screening. They contend that regulation could harm beneficial uses of data while failing to address actual privacy harms.
Where Do Current Privacy Laws Fall Short?
Existing regulations leave substantial gaps that limit their effectiveness in controlling data broker activities.
Sectoral enforcement creates inconsistent oversight. Different agencies regulate data brokers depending on their primary business focus—the FTC handles general consumer protection, financial regulators oversee credit reporting, and healthcare authorities manage medical data. This fragmented approach allows companies to forum shop and avoid comprehensive oversight.
Interstate data flows complicate state-level regulation. A data broker based in one state can collect information about residents of another state, creating jurisdictional confusion. California’s privacy law applies to businesses serving California consumers regardless of location, but enforcement across state lines remains challenging.
Third-party relationships blur accountability. Data often passes through multiple intermediaries before reaching its final destination. When a consumer receives unwanted marketing or faces discrimination based on data broker profiles, tracing responsibility back through the chain of data sales proves extremely difficult.
Consent mechanisms often fail to provide meaningful choice. Data brokers have created opt-out systems, but these typically require consumers to contact dozens of companies individually. The burden falls on consumers to discover which data brokers hold their information and navigate complex opt-out processes. Removing personal information from these systems requires persistent effort across multiple platforms.
The Technology That Enables Mass Data Collection
Modern data collection operates at unprecedented scale through automated systems that can process millions of records daily. Data matching algorithms connect information from different sources to build comprehensive profiles. These systems use probabilistic matching to link records that don’t contain exact identifying information.
Real-time bidding systems in digital advertising create new data sharing opportunities. Every time you visit a website, data about that visit gets broadcast to hundreds of potential advertisers within milliseconds. Data brokers participate in these auctions, collecting behavioral information even when they don’t win advertising slots.
Mobile location tracking provides particularly detailed information about consumer behavior. Apps share location data with advertising networks and data brokers, creating detailed maps of where consumers live, work, shop, and socialize. This location data gets combined with other information to infer income levels, political affiliations, and lifestyle preferences.
Social graph analysis reveals relationships and influences between consumers. Data brokers analyze social media connections, contact lists, and communication patterns to understand how information and purchasing decisions spread through social networks.
What’s Next for Data Broker Regulation?
Several regulatory developments could reshape the data broker industry over the next few years.
Federal privacy legislation remains under consideration in Congress, with multiple bills proposing national standards for data collection and use. A federal law could create consistent rules across states and provide more comprehensive enforcement mechanisms.
The Federal Trade Commission has increased scrutiny of data broker practices through enforcement actions and policy statements. The agency is exploring whether existing consumer protection laws provide sufficient authority to regulate data brokers, or whether new legislation is necessary.
State-level regulation continues to evolve. More states are considering data broker registration requirements and consumer privacy rights. This could create a patchwork of different rules that companies must navigate, potentially driving industry consolidation.
International coordination on data protection is strengthening. US and European regulators are developing closer relationships, sharing information about enforcement actions and coordinating approaches to global data flows.
The industry itself is consolidating as compliance costs increase. Smaller data brokers are being acquired by larger companies that can afford regulatory compliance infrastructure. This consolidation could make enforcement easier but might also concentrate more data in fewer hands.
Technological changes could also reshape the industry. Privacy-focused browser features, app permission systems, and encrypted communications are making some types of data collection more difficult. However, data brokers are adapting with new collection methods and data inference techniques.
The data broker industry will likely remain a significant part of the digital economy, but increased regulation and consumer awareness are forcing greater transparency and accountability. The shadow economy of personal information is finally stepping into the light.
