Data brokers are legal businesses, operating in the open. But the data they collect and sell enables serious, documented harm. Your information is online. The real question is who is accessing it, and what they are doing with it.

Roughly 4,000 data broker companies operate in the US. They aggregate public records, voter registrations, property filings, court records, and commercial data, then sell access to anyone. No background check on the buyer. No notification to you. Seven documented ways that model causes real harm:

1. Stalking and physical safety

People-search sites publish current and historical addresses, phone numbers, and the names of known associates. For anyone fleeing domestic violence, dealing with a stalker, or living under a restraining order, this is a direct threat to physical safety. A determined person can find someone's current address in minutes for under ten dollars.

The FTC has documented cases where data broker information was used to locate and harm domestic violence survivors. Address Confidentiality Programs exist in every US state, but most people who need them do not know they exist, and the programs do not cover the dozens of data brokers that independently publish residential addresses.

Public figures, healthcare workers, judges, law enforcement officers, and social workers face elevated risk. Several states allow certain professions to request removal, but these laws cover a fraction of the population and a fraction of the brokers. Your physical location is treated as a commodity, sold without your knowledge or consent.

2. Spam calls and robocalls

Americans received an estimated 55 billion robocalls in 2024. The Do Not Call Registry, maintained by the FTC since 2003, has proven largely ineffective. Scammers ignore it entirely, and political campaigns, charities, and survey firms are exempt. The supply chain behind phone spam runs directly through data brokers.

55 billion robocalls per year in the US. Data brokers are the primary supply chain. Your phone number is sold, resold, and aggregated across dozens of databases. Removing it from one broker does not stop the others.

Once a phone number is on a broker site, it is available to telemarketers, lead generators, and anyone paying for a list. Even if you never gave it to a broker directly, it gets harvested from public records, warranty registrations, loyalty programs, and the data-sharing clauses buried in terms of service. The only reliable way to reduce phone spam is to remove your number from the brokers that sell it.

3. Targeted phishing and social engineering

Generic phishing emails are easy to spot. But when an attacker knows your full name, home address, employer, and the names of your family members, the message gets much more convincing. "Hi Robert, this is Chase Fraud Prevention calling about unusual activity on your account ending in 4821. We show your address as 142 Maple Street -- can you confirm?" That level of detail comes from data listings.

The FBI's Internet Crime Complaint Center (IC3) ranks phishing as the #1 cybercrime by victim count, with over 300,000 complaints filed annually. Spear phishing -- targeted attacks using the victim's real personal information -- has a significantly higher success rate than generic phishing.

Business email compromise (BEC) cost organizations over $2.9 billion in 2023. These attacks begin with reconnaissance, and data brokers provide the raw material. An attacker looks up a company executive's home address, phone number, and family members, then uses that information to impersonate them or build a pretext that bypasses security training.

4. Price discrimination

Insurers, online retailers, and financial services firms use broker data to segment customers and adjust pricing. High-income zip code? You may see higher prices. Profile flags health conditions or risky behaviors? Premiums get adjusted. This happens without your knowledge, and in most cases without breaking any law.

A 2023 FTC report found that major data brokers sell consumer data categorized by inferred income, health conditions, and financial vulnerability. These segments are used for pricing decisions that consumers cannot see, challenge, or opt out of.

Credit reports are regulated by the Fair Credit Reporting Act (FCRA). Broker data used for marketing and pricing often falls outside it. No disclosure requirement, no dispute process, no right to see your profile. Different customers pay different prices based on information they never agreed to share.

Wondering how exposed you are? Delist scans for your exposure and shows exactly where your personal information appears.

Check your exposure free

5. Employment and housing discrimination

Landlords and employers increasingly turn to people-search sites for informal background screening. A quick search reveals arrest records, past addresses, known associates, and estimated income. Unlike formal background check services, which are regulated under the FCRA and require disclosure and consent, people-search sites operate without those protections.

When a landlord uses a people-search site to screen tenants, the applicant has no right to know the search occurred, no right to see the results, and no process to dispute inaccurate information. Using broker data this way likely violates the FCRA, but enforcement is rare.

The impact falls hardest on people with common names (confused with strangers who share their name), people with old arrest records that never led to convictions, and people whose listings contain outright errors. A 2021 Consumer Reports study found a significant percentage of people-search profiles contain inaccuracies that could affect employment or housing decisions. Because these searches happen informally, the subject never learns why they were passed over.

6. Identity theft facilitation

Identity theft needs surprisingly little. A full name, date of birth, and current address are often enough to open a credit card, file a fraudulent tax return, or take over an existing account. Broker listings expose all three, plus partial Social Security numbers, relatives, and previous addresses — the same information used to answer security verification questions.

The FTC received 1.4 million identity theft reports in 2023. "Fullz" packages -- complete identity profiles sold on dark web markets -- are assembled partly from data brokers, AI services, and public records that anyone can access.

The connection between broker data and identity theft is well-documented. Security researchers have demonstrated that data listings provide enough information to pass "knowledge-based authentication" -- the security questions your bank asks when you call in. "What street did you live on in 2015?" is not a security question when the answer is published on a dozen people-search sites. Every piece of personal information a broker exposes is one more tool for an identity thief.

7. Reputation harm from inaccurate records

Data brokers do not verify the information they publish. They aggregate it from public records, commercial databases, and other brokers, then publish it under your name. When the data is wrong -- and it frequently is -- you bear the consequences.

Independent analyses estimate that 20-30% of data listings contain meaningful errors -- wrong addresses, incorrect ages, criminal records belonging to a different person with the same name, or merged profiles that combine two people into one.

Name collisions are especially damaging. If a stranger with your name has an arrest record, that record can land on your profile. Old data sticks around: addresses you left a decade ago, employers you have not worked for in years, phone numbers you no longer own. Errors get sold and resold across the broker ecosystem, propagating from one site to dozens.

Correcting a record is slow. There is no single point of contact. You must dispute each broker separately, and corrected data often gets overwritten the next time the broker refreshes its database.

What you can do

The industry is not going away, and waiting on legislation means years more exposure. Concrete steps you can take now:

1. Opt out of the major brokers

The top 40-50 people-search sites cover most consumer lookups. Each offers an opt-out, though difficulty ranges from a simple email to multi-step verification that takes weeks. Start with the sites that rank highest in search results for your name. Our removal guide walks through the most common ones.

2. Use a removal service for ongoing coverage

Opt-outs are not permanent. Brokers re-list within 3-6 months as they ingest new data. A removal service monitors your presence across broker sites and re-submits as needed. The only practical way to stay off dozens of sites without sinking hours into it every month.

3. Minimize new data exposure

Every form, loyalty program, and app is a potential data source. Reducing new exposure limits what brokers can collect about you going forward. Our data minimization guide covers practical steps without making you a hermit.

Frequently asked questions

Can data brokers be held liable for harm caused by their data?

In most cases, no. Data brokers generally enjoy legal protection because they aggregate publicly available information. The Fair Credit Reporting Act (FCRA) imposes liability on companies that sell data for credit, employment, or housing decisions, but most people-search sites include disclaimers stating their data should not be used for those purposes -- even though they know it is. Some state laws, particularly California's Delete Act (SB 362), are beginning to create enforcement mechanisms, but federal regulation remains minimal. A few lawsuits have succeeded when brokers were shown to have directly facilitated stalking or harassment, but these cases are rare and expensive to pursue.

Are data brokers responsible for stalking?

Data brokers are not legally classified as responsible parties in stalking cases, but they provide the tools. When someone uses a people-search site to locate a victim's current address, the broker facilitated the harm even if they did not intend it. Some brokers offer expedited removal for victims of domestic violence or stalking, but this requires the victim to proactively find and contact each broker individually -- often dozens of sites. Several advocacy organizations have called for mandatory expedited removal processes, but no federal law currently requires it.

How do I protect myself from phishing that uses my broker data?

The most effective defense is reducing the amount of personal data available to attackers. Remove your profiles from the major broker sites to eliminate the most accessible source. Beyond removal, treat any unsolicited contact that references your personal details with suspicion, even if the details are accurate. Banks and government agencies will never ask you to verify sensitive information over an inbound call. If in doubt, hang up and call the organization directly using the number on their official website or your card.

Can I remove criminal records from data broker sites?

If the records are accurate and sourced from public court records, brokers are generally not required to remove them (and most will not). However, if the records are inaccurate -- for example, they belong to a different person with your name, or they reflect a charge that was dismissed or expunged -- you can request removal and cite the inaccuracy. The process is often slow and frustrating. If you have had a record expunged by a court, you may have legal grounds to compel removal, but enforcement varies by state. For records that are accurate but old, some brokers will remove them voluntarily if you can show the record has been sealed or enough time has passed.

Do data brokers sell information about children?

Most major people-search sites do not intentionally publish profiles for minors, but children's information can appear in other ways. They may be listed as "known associates" or "possible relatives" on a parent's profile, or their data may be collected through apps, games, and online services that share information with data brokers. The Children's Online Privacy Protection Act (COPPA) restricts data collection from children under 13, but enforcement is inconsistent, and brokers that aggregate public records rather than collecting data directly from children may not fall under COPPA. Several state laws are expanding protections for minors' data, but gaps remain.

What is the FTC doing about data brokers?

The FTC has taken several enforcement actions against data brokers, including cases against companies that sold data to stalkers, failed to protect sensitive information, or misrepresented their data practices. In 2024, the FTC took action against multiple brokers for selling geolocation data that could be used to track visits to sensitive locations. The agency has also published reports calling for stronger regulation of the industry. However, the FTC's enforcement authority is limited without new legislation. The American Data Privacy and Protection Act (ADPPA) and similar proposals have been introduced in Congress but have not passed. For now, the FTC acts on a case-by-case basis rather than through comprehensive industry regulation.

Find out what data brokers know about you

Run a free scan to see which brokers are exposing your personal information -- name, phone, address, email, and more.

Start your free scan

Related pages