Reality of exposure

Data brokers: the leak you pay for

Who collects your data, how, why it's structurally hard to stop, and what you can reasonably do.


This version was translated with AI assistance and reviewed by a human.

[Image: rows of data servers in a datacenter]

A US broker sends me a “free” sample on one of my clients, to convince me to buy the full profile. Forty-seven predictive attributes, including a “probability of divorce within 24 months” score calculated from his e-commerce purchases and the frequency of his rideshare trips. The client had never authorized anyone to analyze his purchases. No one had ever asked him anything. And the broker was billing me for access to his private life the way you’d bill for an Excel file.


The usual trap

“I don’t use Facebook, so they don’t know much about me.” I hear this sentence in meetings at least once a month, and it is wrong to a degree that unsettles the people who say it. Almost none of the data a data broker (a company collecting, aggregating, and reselling personal data at scale) holds on you comes from social networks. It comes from everywhere else: the supermarket loyalty card, the warranty form you mailed back for your dishwasher, the weather app that resells your geolocation, the contest you entered in 2017, the commercial register, the telecom carrier in certain jurisdictions. Social networks are the tree. Brokers exploit the entire forest, and the forest keeps growing even if you cut the tree down.

The second reflex, more sophisticated, goes: “The GDPR (EU Regulation 2016/679 on personal data protection, in force since May 2018) protects me, I have a right of access and erasure, so I can clean up.” That’s true on paper and largely illusory in practice. GDPR gives you rights enforceable against an identified data controller. But the brokerage industry rests precisely on the opacity of the chain: you don’t know who holds your profile, so you can’t exercise a right against an actor you’re unaware of. And when you obtain erasure from one of them, your profile is reinjected three months later from a secondary source the first one had already resold. You’re emptying a leaking bucket.

The third trap is commercial. You’re sold a subscription to an automated opt-out service — Incogni, DeleteMe, Optery — and led to believe that subscribing closes the subject. These services have real value, and I’ll come back to that at length. But the marketing discourse around them sustains exactly the same fiction I dismantle in Your data is already public: the idea that there is a “clean” state you could return to. That state does not exist. The right framing is not “delete my data from the brokers”, an unreachable goal, but “reduce the exploitable noise and accept living in a documented leaked state”.

Who the players are, and what they actually know

The data brokerage industry is old, massive, and invisible to the general public. The benchmark FTC report from 2014 — dated on figures, timeless on mechanisms — already counted brokers holding more than 700 billion aggregated data elements. Ten years later, the order of magnitude has exploded, not shrunk.

At the top, the major aggregators. Acxiom, acquired by LiveRamp in 2018, maintains profiles on around 2.5 billion people, with an average of nearly 1,500 attributes per profile. Experian combines credit scoring and brokerage. Oracle Data Cloud (formerly Datalogix then BlueKai) was for a long time an advertising pivot before Oracle announced its gradual dismantling in 2022 — proof, incidentally, that even the giants reconfigure their data lines when regulatory pressure rises. LexisNexis Risk Solutions feeds insurance, legal, and the public sector. Epsilon and LiveRamp structure cross-device matching, meaning the ability to stitch your identity back together across your phone, your computer, and your connected television.

Below them, the specialists. The American people search services — Spokeo, Whitepages, BeenVerified, Radaris — which aggregate public records and commercial data to sell reports on any individual, at 20 or 30 dollars apiece. CoreLogic on real estate. And the nebula of European brokers, more discreet because more exposed to GDPR: Schober in Germany, various local data management platform players that resell audience segments without ever appearing in your field of vision.

This second tier is the one that matters most for physical-safety threats, and it’s the one people most underestimate. The aggregators sell audience segments to advertisers — abstract, statistical, indifferent to you as an individual. The people-search sites sell you, by name, to anyone with a credit card: a vindictive ex-partner, a litigant on the other side of a lawsuit, a private investigator hired to map your routine, a journalist, a stalker. For an exposed profile — an executive in a contentious negotiation, a figure with public visibility, anyone in a high-conflict divorce — this tier is not a privacy nuisance, it’s an operational risk. Your home address sitting on a 25-dollar report is the difference between an adversary who knows where you sleep and one who doesn’t. I treat people-search suppression as a security control, not a privacy preference, and I prioritize it accordingly.

What they hold falls into three layers. The declarative data first: name, successive addresses, phone numbers, emails, date of birth, household composition, marital status, children, estimated income, inferred wealth, real estate ownership. The behavioral data next: purchase history reconstructed via loyalty cards and e-commerce partnerships, web browsing captured by marketing pixels, approximate geolocation resold by mobile apps that have no functional reason to collect it, media consumption habits. The predictive scores finally, and this is where it gets uncomfortable: purchase probability by category, financial risk, life stage (imminent move, birth, retirement), and yes, in some American catalogs, segments as intrusive as “recently bereaved person” or “household in financial distress”.

How does your data get there? Through three channels. The contractual sources: loyalty cards, mundane web forms, free mobile apps, airline and hotel rewards programs, pre-checked boxes no one unchecks. The partnerships: telecom carriers reselling aggregated metadata depending on jurisdiction, internet providers, card issuers reselling spending aggregates. The public sources: legal registers like Companies House in the UK or the BODACC and RCS in France (via Pappers and Infogreffe), voter rolls depending on the country. And a fourth category no serious broker will own up to but that exists: leak databases repackaged under the “data enrichment” label, where dumps from breaches come to enrich the legitimate profiles.

A point I hammer on assignments: a broker’s value doesn’t lie in the raw data, which is often mundane, but in identity resolution. Stitching your 2012 email address, your 2019 phone number, your current postal address, and your phone’s advertising identifier into a single unique profile — that’s the trade. An isolated data point is worth nothing; the graph that links them is worth a lot, because it lets you be tracked across services, devices, and time. This is why a partial opt-out — you remove the email but leave the phone — does not break the profile: a single still-valid pivot identifier is enough for the rest to stitch back together. When you handle your exposure, reason in terms of pivot identifiers (email, phone, address) and not isolated data points.
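To make the pivot-identifier argument concrete, here is an added example (not code from the original article or from any broker) of the stitching a broker’s identity resolution performs. Records that share any normalized email, phone, or address are merged into one profile with a union-find structure; a simulated partial opt-out then removes one identifier and shows the profile is still fully connected, while removing every pivot breaks it. All records, names, and values below are constructed for illustration and refer to no real person.

```python
"""Identity resolution over pivot identifiers (constructed example).

Each record is a fragment a broker might hold from one source: a few pivot
identifiers (email, phone, address) plus whatever attribute came with them.
Records sharing any normalized identifier are merged into a single profile.
"""
from collections import defaultdict


def normalize(kind, value):
    """Canonical form so formatting differences do not hide a match."""
    v = value.strip().lower()
    if kind == "phone":
        v = "".join(ch for ch in v if ch.isdigit())
    elif kind == "address":
        v = " ".join(v.replace(",", " ").split())
    return f"{kind}:{v}"


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def resolve(records):
    """Group records into profiles; returns a sorted list of sets of record ids."""
    uf = UnionFind()
    for rec in records:
        node = ("rec", rec["id"])
        uf.find(node)
        for kind in ("email", "phone", "address"):
            for value in rec.get(kind, []):
                # Linking the record to the identifier node links it to every
                # other record carrying the same identifier.
                uf.union(node, normalize(kind, value))
    groups = defaultdict(set)
    for rec in records:
        groups[uf.find(("rec", rec["id"]))].add(rec["id"])
    return sorted(groups.values(), key=lambda s: sorted(s))


def remove_identifier(records, kind, value):
    """Simulate an opt-out that strips one pivot value from every record."""
    key = normalize(kind, value)
    out = []
    for rec in records:
        new = dict(rec)
        new[kind] = [v for v in rec.get(kind, []) if normalize(kind, v) != key]
        out.append(new)
    return out


# Constructed sample: three fragments about one fictitious person, one about
# someone else. Note the differing formatting of the shared identifiers.
RECORDS = [
    {"id": "loyalty-2012", "email": ["j.doe@example.com"],
     "address": ["12 Rue Exemple, 75001 Paris"]},
    {"id": "weather-app-2019", "email": ["J.Doe@example.com"],
     "phone": ["+33 6 12 34 56 78"]},
    {"id": "warranty-card", "phone": ["+33612345678"],
     "address": ["12 rue exemple 75001 Paris"]},
    {"id": "contest-2017", "email": ["other.person@example.org"]},
]


def partial_optout(records):
    """Drop only the email: the phone and address pivots still stitch the profile."""
    return resolve(remove_identifier(records, "email", "j.doe@example.com"))


def full_optout(records):
    """Drop every pivot of the target: only then does the profile fall apart."""
    r = remove_identifier(records, "email", "j.doe@example.com")
    r = remove_identifier(r, "phone", "+33612345678")
    r = remove_identifier(r, "address", "12 rue exemple 75001 paris")
    return resolve(r)


if __name__ == "__main__":
    print("baseline:", resolve(RECORDS))
    print("email removed:", partial_optout(RECORDS))
    print("all pivots removed:", full_optout(RECORDS))
```

The point the example makes is the one in the paragraph above: a graph of records stays connected as long as any one edge survives, so an opt-out that removes a single identifier changes nothing for the broker’s resolved profile.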

The legal terrain explains why the problem resists. In Europe, the GDPR gives you a right of access (Article 15) and erasure (Article 17). On paper, it’s solid. In practice, Article 17 comes with extensive exceptions — the controller’s legitimate interest, legal retention obligations, archives — and above all, it assumes you know whom to address. European brokers respond, often slowly and at the edge of legal deadlines. American brokers operating in Europe respond when they consider themselves compelled to, and national data protection authorities have neither the means nor the jurisdiction to pursue them all.

In the United States, there is no equivalent federal law. The landscape is a patchwork of states. The California Consumer Privacy Act (CCPA), reinforced by the CPRA, opens an opt-out right, and the California agency rolled out in 2026 the DROP mechanism (Delete Request and Opt-out Platform), which allows a single deletion request propagated to every broker registered in the state — a genuine structural advance. Vermont mandates a compulsory registry of data brokers, which at least makes the list public. Elsewhere in the United States, federal protection is close to nil. The rest of the world varies wildly: Brazil (LGPD) is aligned with GDPR but lightly enforced, China (PIPL) is aligned on the surface with a different, state-oriented purpose, and large swaths of Asia, Africa, and Latin America offer no practical recourse.

There’s a second asymmetry that compounds the first: enforcement lags the violation by years, and the fine never undoes the leak. When a regulator does act — and there have been real cases, including multimillion-euro penalties against brokers and ad-tech intermediaries in Europe — the data has already been copied, resold, and amortized across dozens of downstream buyers. The penalty punishes the broker; it does not retrieve your profile from the buyer who acquired it in good faith two years earlier. Regulation shapes future behavior. It does almost nothing for the stock already in circulation. This is the structural reason a compliance-only mindset misleads you: GDPR is a deterrent against new abuse, not a delete key for the past.

The operational consequence is clear: your data circulates in jurisdictions where you have no leverage, and the erasure you obtain in one jurisdiction has no effect in the others. This is why the right goal is not deletion — illusory at global scale — but reducing the throughput in the jurisdictions where you have a grip, and the documented acceptance of the rest.

The right approach: reduce the noise, don’t aim for zero

The pragmatic shift fits in one sentence: you will not delete your data from the market, you will reduce the volume of fresh, exploitable data entering it, and you will clean up where it’s legally possible. This is a logic of throughput, not of permanent erasure.

Concretely, three levers work. The first is opting out at the major aggregators, done by hand, once, seriously. Acxiom, Experian, Oracle, LexisNexis, Epsilon all offer unsubscribe forms — often buried, sometimes painful, but real and imposed by American and European regulatory pressure. Cutting the head off the chain reduces the redistribution toward the secondary players that feed off them. In the United States, the Vermont registry and the DROP mechanism of the California agency (CPPA), which since 2026 allows a centralized deletion request to registered brokers, are structuring entry points even for a European whose data has transited through American platforms.

The second lever is subscription automation, for the long tail of dozens of secondary brokers you’d never get around to handling individually. That’s the role of Incogni, DeleteMe, Optery. Let’s be honest about what they do and don’t do. Incogni (published by Surfshark) covers roughly 180 to 220 brokers, sends automated GDPR and CCPA requests, touches neither leak databases nor public registers, and costs around 7 to 8 euros a month on the annual plan. DeleteMe (Abine) relies on human operators, covers around thirty brokers with an American skew, and charges more. Optery claims the broadest coverage (250+ brokers) with welcome transparency: they show you, profile by profile, the status of each request and provide screenshots of the exposure found and then removed. For a European, Optery or Incogni do the job; DeleteMe is relevant mostly for profiles with a heavy American footprint.

The third lever is the non-delegable manual work, the kind no subscription will do for you: cut off the tap at the source. Disable geolocation in apps that don’t need it, revoke the marketing sharing on loyalty cards, close the dormant accounts from the last five years, systematically refuse resale boxes. This is the work that reduces the flow of fresh data. Opt-outs handle the stock; hygiene discipline handles the flow. Both are necessary, and the subscription does not exempt you from the second.

A word on the cure-worse-than-the-disease trap: some people-search brokers offer you deletion… in exchange for creating an account with them, with identity verification by official document. You then give them more data than they held. Never hand an identity document to a broker to exercise an opt-out; GDPR only requires proportionate verification in limited cases, and a serious broker is content with an email confirmation.

What this means concretely


For you, as a person

You have probably left a trail of data with dozens of brokers you don’t know, accumulated over ten to twenty years. You’re not going to make it disappear. You’re going to reduce the noise and cut off the supply. Three priorities, actionable this week, for under 200 euros over the year.

  1. Do the manual opt-out at the five major aggregators — Acxiom, Experian, Oracle, LexisNexis, Epsilon. Count on an hour and a half, form by form, tracking the confirmations in a simple spreadsheet. It’s free, and it’s the move with the best effort/impact ratio because it cuts the head off the redistribution chain.

  2. Subscribe to an automated opt-out service for the long tail — Incogni or Optery depending on your price tolerance, 100 to 150 euros a year. Don’t see it as a solution, but as a recurring housekeeping subscription: it resends requests every quarter because the brokers reinject you. Check its exposure report once a quarter, ten minutes.

  3. Cut off the tap at the source. In your phone settings, review the location permissions and turn them off for any app that has no obvious need for them. Uncheck the marketing sharing on your loyalty cards. Close the accounts you haven’t used in five years. It’s free, and it’s what stops your future data from feeding the market.

The rest is an annual discipline, not a sprint. Block out half a day a year to replay these three moves. That’s enough for 95% of profiles.

For you, CISO / CIO / executive

Brokers are the blind spot of your data protection program. You protect what you process; they exploit what your employees and executives let leak, without you having the slightest grip. Three points to integrate this reality into your framing.

1. The broker exposure of your key people is an input to your threat model, not a collateral HR subject. Brokers and people-search services let anyone reconstruct, for a few dozen euros, the home addresses, personal numbers, family composition, and estimated wealth of your executives. That’s the fuel for spear-phishing (targeted phishing on a specific person, built from their OSINT profile) and targeted social engineering (human manipulation to obtain information or actions, bypassing technical defenses). Direct consequence: add a “broker exposure” line to the annual exposure audit of the executive committee and sensitive functions (legal, M&A, finance, R&D), on the same footing as an application pentest.

2. Your GDPR compliance does not measure your real exposure. A perfectly compliant organization — processing register up to date, DPO appointed, NIS 2 (EU Directive 2022/2555, extending cybersecurity obligations to essential and important entities) in progress — can have its entire executive committee for sale at a dozen brokers. These are two distinct dashboards. Direct consequence: explicitly separate, in governance, the compliance indicator (legal coverage) and the operational exposure indicator (what is purchasable about your people). This second dashboard is almost always absent, or worse, outsourced to a marketing solution that merely reformats public data.

3. You can fund executive-grade broker monitoring for the price of one consultant day. Optery/DeleteMe subscriptions in their “business” or “family” tier cover several identities for a few hundred euros a year per person. Direct consequence: for a ten-person executive committee, a budget on the order of 2,000 to 4,000 euros a year covers automated opt-out and monitoring. It’s marginal against your threat model (the mapping of actors, motivations, capabilities and potential impacts against a target) spend or your EDR line, and it addresses a vector your DLP (the solution detecting and blocking sensitive data leaks in emails, files, clipboard) and your CASB (the intermediary between users and cloud apps enforcing security policies) don’t see at all.

Mistakes we see all the time

  • Subscribing to an opt-out service and considering the subject closed. The opt-out handles the stock; without cutting off the supply (geolocation, loyalty cards, forms), you’re paying to empty a bucket that keeps refilling.
  • Handing an identity document to a broker to “speed up” deletion. You give it more data than it held. A legitimate opt-out never demands a passport.
  • Ignoring the major aggregators and only handling the long tail. Cutting Acxiom or LexisNexis has more impact than unsubscribing from ten secondary people-search sites that re-feed from them.
  • Forgetting European and out-of-reach brokers. The American focus of consumer services leaves blind spots in Germany, France, and outside the EU, where some of your data circulates with no practical recourse.
  • Confusing deletion with delisting. Obtaining a Google removal (right to be forgotten, GDPR Article 17: right to erasure of personal data under conditions) deletes nothing at the broker: the data stays sellable, it’s just less visible in a consumer search.

Actionable checklist

  • N1 Do the manual opt-out at the 5 major aggregators (Acxiom, Experian, Oracle, LexisNexis, Epsilon) and track each confirmation
  • N1 Subscribe to an automated opt-out service suited to the profile (Incogni or Optery for Europe, DeleteMe if heavy US footprint)
  • N2 Disable geolocation on apps with no obvious functional need for it
  • N2 Uncheck the marketing / resale sharing on loyalty cards and close inactive accounts from the last 5 years
  • N2 Never provide an identity document to a broker to exercise an opt-out
  • N3 For an exposed profile: order an American people-search report on yourself to measure real exposure
  • N3 For an organization: add a 'broker exposure' line to the annual executive committee exposure audit and track the 90-day reappearance rate
  • N3 For a US profile: deletion request via the Vermont registry and the DROP mechanism of the California CPPA
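The manual opt-out step above tells you to track confirmations in a simple spreadsheet, and the organizational checklist asks for a 90-day reappearance rate. Here is an added example (not the article’s own tool, nor any opt-out service’s) of the minimal log such a tracker needs and the two numbers worth deriving from it: which brokers need action today, and what fraction of confirmed removals came back within the window. Broker names, dates, and the 30-day answer deadline used for chasing unanswered requests are constructed assumptions for illustration.

```python
"""Opt-out tracker over a constructed event log.

Each event is (broker, date, kind), with kind one of:
  "requested"  opt-out request sent
  "confirmed"  broker confirmed removal
  "found"      a re-check found the profile listed again
  "clear"      a re-check found nothing
Broker names and dates are placeholders invented for this example.
"""
from datetime import date, timedelta

REAPPEARANCE_WINDOW = timedelta(days=90)   # from the checklist's 90-day rate
ANSWER_DEADLINE = timedelta(days=30)       # assumption: when to chase silence

EVENTS = [
    ("aggregator-A", date(2025, 1, 10), "requested"),
    ("aggregator-A", date(2025, 2, 3), "confirmed"),
    ("aggregator-A", date(2025, 4, 20), "clear"),
    ("people-search-B", date(2025, 1, 10), "requested"),
    ("people-search-B", date(2025, 1, 24), "confirmed"),
    ("people-search-B", date(2025, 3, 15), "found"),    # back within 90 days
    ("people-search-C", date(2025, 1, 12), "requested"),  # never answered
    ("people-search-D", date(2025, 1, 12), "requested"),
    ("people-search-D", date(2025, 2, 1), "confirmed"),
    ("people-search-D", date(2025, 6, 30), "found"),    # back, after 90 days
]

_STATE = {"requested": "pending", "confirmed": "confirmed",
          "found": "reappeared", "clear": "clear"}


def last_event(events):
    """Most recent (date, kind) per broker, in chronological order."""
    last = {}
    for broker, d, kind in sorted(events, key=lambda e: e[1]):
        last[broker] = (d, kind)
    return last


def status_by_broker(events):
    """Current state of every broker in the log."""
    return {b: _STATE[kind] for b, (_, kind) in last_event(events).items()}


def reappearance_rate(events, window=REAPPEARANCE_WINDOW):
    """Share of confirmed removals followed by a 'found' inside the window."""
    confirmed = {}
    for broker, d, kind in events:
        if kind == "confirmed" and (broker not in confirmed or d < confirmed[broker]):
            confirmed[broker] = d
    if not confirmed:
        return 0.0
    reappeared = {
        broker for broker, d, kind in events
        if kind == "found" and broker in confirmed
        and timedelta(0) <= d - confirmed[broker] <= window
    }
    return len(reappeared) / len(confirmed)


def actions_due(events, today, window=REAPPEARANCE_WINDOW,
                deadline=ANSWER_DEADLINE):
    """What to do about each broker on `today`.

    pending past the deadline  -> "chase" (follow up or escalate)
    confirmed/clear past window -> "recheck" (profile may have been reinjected)
    found                       -> "resubmit" (send the request again)
    """
    actions = {}
    for broker, (d, kind) in last_event(events).items():
        age = today - d
        if kind == "requested" and age > deadline:
            actions[broker] = "chase"
        elif kind in ("confirmed", "clear") and age >= window:
            actions[broker] = "recheck"
        elif kind == "found":
            actions[broker] = "resubmit"
    return dict(sorted(actions.items()))


if __name__ == "__main__":
    print(status_by_broker(EVENTS))
    print(f"90-day reappearance rate: {reappearance_rate(EVENTS):.0%}")
    print(actions_due(EVENTS, today=date(2025, 7, 15)))
```

The reappearance rate is the number the page tells you to watch: in this constructed log one of three confirmed removals came back inside 90 days, which is exactly the “leaking bucket” the article describes, and the reason a quarterly recheck cadence is built into the actions.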

Further reading

The FTC’s 2014 report, Data Brokers: A Call for Transparency and Accountability, remains the benchmark mapping of the industry’s mechanisms, even if its figures have aged. To follow regulatory developments, the Vermont registry and the DROP mechanism of the California agency (CPPA) document in plain terms the list of registered brokers and the centralized deletion procedures — useful even from Europe. The Privacy Rights Clearinghouse maintains a practical reference on data brokers and consumer recourse. For the threat-landscape framing, the ENISA Threat Landscape, in its annual edition, confirms that the dominant attack chain combines upstream OSINT and targeted social engineering — exactly what broker data fuels. All these sources appear in the frontmatter. For the overall strategic framing, see Your data is already public and, for the concrete downstream moves, The exposure audit and The right to be forgotten.
