Data Brokers and Your Privacy
Data brokers — also known as information brokers — collect, aggregate, sell, and share consumer data. They pull your personal information and other types of data from online, offline, public, and semi-public sources.
These may include public records, social media, and survey and census responses. At any given time, a data brokerage could have your name, date of birth, mailing address, Social Security number (SSN), driver's license number, and marital status.
The data broker industry features several data brokerage types: people search, marketing and advertising, risk mitigation, health, and financial data brokers. Depending on their industry, these companies may use and sell sensitive information to:
- Develop people search sites
- Create targeted advertising and marketing
- Detect and prevent fraud
- Perform credit or background checks
- Inform your health insurance and credit decisions
With companies harvesting your personal data from credit bureaus, healthcare providers, banks, and credit card companies, where does that leave your privacy?
Understanding existing data privacy laws
According to the National Conference of State Legislatures (NCSL), only five states have comprehensive consumer privacy laws in place that regulate the collection and use of personal data [*].
In the states of California, Colorado, Connecticut, Virginia, and Utah, consumers have the right to access, correct, or remove information collected about them.
While several other states have comprehensive privacy laws pending, the majority of states only protect children's privacy, restrict the use of biometrics and facial recognition, or provide no protections at all.
The Fair Credit Reporting Act (FCRA) does extend some additional security. Enforced by the Consumer Financial Protection Bureau (CFPB), the FCRA restricts the use of information in employment and credit decisions [*]. It also ensures data accuracy and allows consumers to dispute information.
Is Your Personal Information at Risk?
Any personal information that data brokers may collect about you can have seismic implications for your online privacy. Hackers leaked or breached more than five million online American accounts, making the United States one of the most-breached countries in the world [*].
If hackers penetrate a data broker website, they can gain unencumbered access to enough information to then steal your identity. Between 2012 and 2021, 10 data broker leaks accounted for more than 210 million stolen records [*]. The stolen data is usually sequestered by a data breach broker who then sells it on Dark Web forums [*].
Despite claims that data brokers anonymize consumer data, recent studies have revealed otherwise. A person may be re-identified with 99.98% certainty via 15 demographic data points [*]. Reports from 2020 showed that about 60% of internet users have at least 12 data points exposed online [*].
How your geolocation data may be used
Anytime you share your location with an app, you should expect to give up some of your privacy — but not your constitutional rights. Yet, it appears that some data brokers don’t toe the line in this regard.
Idaho-based data broker Kochava, for example, collected and sold location data from tens of millions of daily active users.
The company's trackers followed people’s visits to private places of worship, medical centers, and shelters. The Federal Trade Commission (FTC) filed a complaint against Kochava in August 2022 for the sale and use of potentially sensitive information [*].
Another organization, Fog Data Science, sold location datasets to police forces across the country [*]. This violates state-specific laws, such as California’s Electronic Communications Privacy Act (CalECPA) [*].
It also treads on Fourth Amendment rights — protection against unreasonable search and seizure. It might even prevent people from participating in worship or protests, thus violating their First Amendment freedom of religion and assembly rights.
Your health data may also be at risk
The Health Insurance Portability and Accountability Act (HIPAA) limits the usage of health data by healthcare providers [*], but many digital health organizations and apps operate in an unregulated gray area.
Research out of Duke University in 2023 found that many data brokers were willing to sell mental health data collected from users [*]. They provided information such as zip codes, ages, and marital status of individuals diagnosed with depression, anxiety, and bipolar disorder.
In another case, the Flo fertility-tracking app broke its promise to users that their information would remain private [*]. Flo disclosed details about pregnancies — information that could potentially be exploited by those opposed to reproductive choice, stalkers, or individuals engaging in blackmail.
What can you do?
In 2018, the European Union introduced sweeping data restrictions with the General Data Protection Regulation (GDPR) [*]. These rules now regulate what types of consumer data organizations can collect, and how they can store and use it.
In the United States, however — except for the few states with privacy laws like the California Consumer Privacy Act — Americans can only rely on manual opt-outs, data removal requests, and data removal services.
Before You Opt Out, Here’s What To Know
Manually opting out of data broker lists can involve a time-consuming litany of steps. It's also one of the few options that you have to remove information from data broker sites.
Depending on the language of the opt-out, you may block your information from being sold, or delete it. Some organizations let you delete your file with a click; many others require a meandering process.
Here are some of the oversights and challenges with opt-outs:
- Opt-out loopholes. Organizations may hide behind contractual data collection agreements, legalities, or creative terminology for the purchase of your data. Unless your state has a comprehensive data privacy law, organizations have no obligation to delete your data. In fact, even in states with data laws, organizations may keep information as long as it's anonymized [*].
- Suppression-based opt-outs. Companies that honor your opt-out request may sometimes only suppress your information — not delete it. This keeps it out of circulation but still on file. You may even notice that data you once had removed reappears in the future [*].
- No third-party opt-outs. A third-party removal service, such as Incogni, Privacy Bee, or DeleteMe can save you time. However, some organizations block these types of services and ask individuals to make their own opt-out requests.
- Opt-out fees. Many organizations have bandied about the idea of charging for opt-outs, but it remains unpopular [*]. Still, some organizations, such as GoDaddy, offer heightened data privacy for a fee [*].
- More information required. Various organizations ask users to submit additional identification information to complete the opt-out request. Supplying more sensitive information, such as government IDs or Social Security numbers, can dissuade users from completing the process. The verification information submitted could even be resold.
- Partial opt-outs. Other data brokers only offer partial opt-outs, which means that they only remove certain types of information. For example, credit bureaus allow opt-outs from targeted advertising and profiling — but not the collection of credit-related information [*]. Other organizations maintain records that they can share for legal reasons [*].
How To Opt Out of Data Broker Lists
In general, the opt-out process consists of the following steps:
- Find the list of data brokers to contact. Along with the data brokers explored in detail below, some of the largest organizations collecting your information can include: Spokeo, Whitepages, Intelius, Oracle, Experian, TransUnion, and Equifax.
- Locate and study the opt-out process. Study the intricacies of the opt-out. Research information that is exempt from opt-outs, any guarantees the data broker provides, and what information is needed to proceed.
- Submit an opt-out request. Opt-out requests vary in their makeup. Some have check boxes, while others have opt-out forms, letter requirements, or multi-stage processes.
- Verify request and/or identity. Most organizations ask you to identify yourself during this process. This may include an email verification or a more strenuous process requiring photo IDs and verification questions. Companies may even ask for a notarized affidavit [*].
- Wait for an opt-out confirmation. Make sure you receive an opt-out confirmation. Research from Consumer Reports found that only 18% of recipients who submitted opt-out requests received a confirmation that the data wouldn’t be sold in the future [*].
- Look again for your data. Consider calling the data brokers back to double-check that your request went through. You can also look up your name via a search engine to see what results populate.
- Research other options. If your requests go unanswered or unhonored, you might try using a third-party opt-out service. If an organization publishes personally identifiable information (PII) that puts you at risk of identity theft or doxxing, you can also request that Google remove your PII from search results [*].
How to opt out of Acxiom
Acxiom collects information from public and government records, self-reported data, and commercial records. It pulls from directories, government licenses, and demographic data in order to create marketing profiles [*].
How to opt out:
- Click on "Do Not Sell My Personal Information" in the Acxiom website footer, or visit acxiom.com/optout/.
- Identify yourself, and select the areas from which you want to opt out.
- Provide your contact information, and complete the CAPTCHA.
- Submit an email to receive a confirmation link.
- Follow the confirmation link, and complete another CAPTCHA.
How to opt out of CoreLogic
CoreLogic provides business intelligence for the real estate industry. The company collects data from tax rolls, schools, local businesses, and transaction data.
How to opt out:
- Download and print its opt-out form or contact firstname.lastname@example.org.
- Fill out your contact information and address (submitting your Social Security number is not recommended).
- Sign, and submit the form to Teletrack at: P.O. Box 509124 San Diego, CA 92150.
How to opt out of BeenVerified
A people search site, BeenVerified offers contact details and personal information. BeenVerified collects data from public records, including legal proceedings, social media, and transactions.
How to opt out:
- Click on "Do Not Sell My Personal Information" in the website’s help section, or visit beenverified.com/app/optout/search.
- Search for your listing by providing your name and state.
- Find your listing, and click on “Proceed to Opt Out.”
- Enter an email address, and complete the CAPTCHA.
- Click on "Verify Opt-Out" in the confirmation email.
- Confirm your information on the confirmation page, and wait up to 24 hours for a response.
How to opt out of PeekYou
PeekYou collects data from court records, social media, news sources, and other public records. The company offers people-search services to users for a fee [*].
How to opt out:
- Click on "Do Not Sell My Personal Information" at the bottom of the PeekYou website or visit peekyou.com/about/contact/ccpa_optout/do_not_sell/.
- Search for your listing by providing your name and state.
- Open your listing, and click on "Opt Out."
- Complete the opt-out form with your name, email address, location, other optional information, and a CAPTCHA.
- Click on the confirmation link sent in the opt-out verification email.
How to opt out of Epsilon
Epsilon provides customers with consumer data that informs targeted marketing and advertising. The organization draws data from transactions, demographic surveys, and self-reported information [*].
How to opt out:
- Click on "Your Privacy Choices" on Epsilon's webpage footer or visit us.epsilon.com/marketing-data-summary-request.
- Select your country and "Do Not Sell My Personal Information" or "Do Not Share My Personal Information."
- Provide your contact information and address.
- Verify your identity with a government ID and a piece of mail; submit it to email@example.com.
- Wait up to two weeks for an opt-out verification.
Protect Your Privacy — and Your Identity
While the opt-out process impinges on your time and energy, it can give you some relief. The more of your private information that is circulating, the higher your chances are of falling victim to identity theft. To limit your available PII, consider taking the following preventative steps:
- Freeze your credit. A credit freeze blocks lenders (or anyone else) from accessing your credit. Once frozen, you will need to unfreeze your credit when you want to use it. You will also need to place a freeze with the three major credit bureaus — Experian, Equifax, and TransUnion.
- Enquire about data privacy options with your Department of Motor Vehicles (DMV). Depending on your state, you may request to see what information the DMV has on you. You may also amend or dispute the information if it qualifies under the DMV's policies [*].
- Check your phone carrier's privacy policies. Phone carriers only need to collect information for billing and legal purposes. You may request that your carrier stop collecting or selling other types of personal data [*].
- Delete unused accounts. Your information could be idle in an unused social media or other online account. Since data brokers can trawl these pages for data, close such accounts as soon as possible.
- Opt out of direct marketing and telemarketing. If scammers have your phone number, they may attempt to trick you directly or via telemarketing. You can limit the amount and type of marketing you receive at DMAchoice.org [*].
- Decline pre-screened credit offers. Put yourself on an opt-out list by visiting optoutprescreen.com or by calling 1-888-5-OPT-OUT [*]. You can select a five-year or permanent opt-out.
- Disable location services on your phone. Turn off location services on your devices to stop trackers from following you. Both iOS and Android offer location settings that you can toggle off [*]. You can set permissions for individual apps, as well.
- Use a Virtual Private Network (VPN). A VPN won't prevent cookie-based targeted advertising, but it can limit companies from tracking your IP address. It also encrypts any personal information sent from your device.
- Sign up for identity theft protection. Identity theft protection monitors for personal information leaks. Compared to other leading fraud protection services, Identity Guard is one of the best identity protection providers — complete with fraud protection, Dark Web monitoring, and identity theft insurance.
Identity Guard also offers opt-out services to help you reduce your private digital footprint. It manages the opt-out process on your behalf by requesting the removal of your information from up to 20 data brokers.