For Sale: Your Data

Data brokers are tracking you all over the internet to buy and sell your profile along with millions of other users.

Photo illustration of Google Maps on a phone screen with a location pin and price tag popping out
Photo illustration by Connor Lin / The Daily Upside

Sign up for smart news, insights, and analysis on the biggest financial stories of the day.

When it comes to privacy scandals, it’s the usual Big Tech suspects and their billionaire CEOs making headlines. But there’s another species feeding off your privacy that garners much less attention: the data brokers who amass as much information as they can about you and then sell it in a neat bundle that includes the millions of other people they track. The data brokerage industry is an obscure, unglamorous, yet undeniably massive part of the attention economy, and it’s gone a long time without attracting the same legislative and media scrutiny as the Big Tech platforms. 

That’s starting to change, with more US lawmakers turning their gaze to what they’re learning is an enormous business.

Who Are The Data Brokers?

A data broker is any company that collects, aggregates, and sells data about internet users. That data can be used for both legal and nefarious reasons, but perhaps the biggest commercial use is marketing. You have a product to sell, so you go to a data broker and buy a segment of users that somehow match the audience you’re trying to reach.

Data brokering is a densely populated industry with thousands of different companies participating at different levels in the ecosystem. Some companies specialize in brokering very specific kinds of data, like location data, while some old legacy companies, like Experian and Thomson Reuters, bolted data brokering onto their existing businesses. 

Getting a sense of how many data brokers might be tracking you around the internet is sort of like trying to count raindrops in a monsoon. A recent study done by nonprofit consumer watchdog Consumer Reports and tech publication The Markup pored over the Facebook data of 709 volunteers to see how many separate companies were sending user information to the social media platform. On average, each volunteer had 2,230 separate companies sending information to Facebook. For some users, more than 7,000 companies were doing so. 

This complexity is part of why lawmakers and government agencies are starting to make noises about curtailing the industry’s powers. Kirk Nahra, partner at law firm WilmerHale, told The Daily Upside: “If you’re online dealing with The Gap, or with a newspaper or whatever, there’s a one-on-one there to some extent. They know lots of things about you in a one-on-one relationship. The data brokers are doing a 20-to-1 relationship.” In addition, data brokers are rarely household names. “Nobody knows who they are,” Nahra said. “It’s hard enough to think about your privacy in connection with companies you deal with directly.”

The Politics of Location Data

Over the course of 2023, multiple state and federal agencies became specifically interested in how data brokers collect and sell location data. Journalists at The New York Times demonstrated in 2018 that while data brokers say their aggregated data means you’re just an anonymous point in a big data blob, it is in fact possible to de-anonymize people within those datasets and follow where their phone has been going.

After the overturning of Roe v. Wade in June 2022, privacy activists became particularly concerned that location data, purchasable on the open market, could then be used to track people seeking abortions or other reproductive care. Those concerns trickled into legislative action, both on a state and federal level, last year:

  • In July 2023, Massachusetts said it was considering banning the sale of location-based cell phone data altogether.
  • In October, California tightened privacy regulations, requiring that data brokers permanently delete all data they have about California residents who request it. This law won’t come into effect until 2025.
  • Texas and Oregon enacted laws requiring data brokers to put themselves on a state registry, making it slightly easier for citizens to see who might be following them online.

Earlier this month, the Federal Trade Commission banned a data brokerage Outlogic from selling “sensitive location data.” The FTC’s order gave a rare glimpse into exactly how companies cobble together so much data, as Outlogic was both purchasing data from other data brokers and generating its own data on people through its own apps. One app, “Drunk Mode,” was designed to stop users from texting their friends, loved ones, and exes while inebriated. Especially the exes. 

Reem Suleiman, US advocacy lead at Mozilla, told The Daily Upside that the enforcement order against Outlogic sets a good precedent, but she added that Mozilla is pushing for more comprehensive legislation resembling Europe’s general data protection regulations to properly enforce against the industry’s sheer complexity.

“There’s just so many intricate connections, there’s so much that people don’t even realize,” she said. “The Internet of Things is in everything, you don’t know if the toothbrush you’re using can end up raising your dental insurance.”

What Else Do You Need to Know?

It isn’t just location data that’s sensitive. According to testimony given to Congress last year by Justin Sherman, senior fellow at Duke University’s Sanford School of Public Policy, data brokers build and advertise incredibly detailed profiles of people and categorize them in ways that can leave them vulnerable. “Our research at Duke University has found data brokers advertising data on hundreds of millions of Americans, including their demographic information, political beliefs, home addresses, smartphone locations, and health and mental health conditions,” said Sherman. He added that the data of elderly Americans with Alzheimer’s was for sale and that potential financial scammers have bought tranches of that data from brokers.

In addition to fueling scammers, data brokers also expose private information to stalkers and abusers, to marketers of predatory products such as high-interest payday loans, and to malicious attackers.

Not to mention that the data of government officials and military personnel also can be found for sale. “There’s no need for the Chinese government or any other foreign state to hack many [US] databases when so much data can be bought on the open market from data brokers,” Sherman said.

Back to Eye-holes Cut Out of Newspapers: Data brokers have such detailed tranches of information that the US’s own spies don’t want to lose access to the market. Last year, the House of Representatives approved an amendment that would ban government agencies from buying data off brokers that would ordinarily require a search warrant, and according to a report from Wired, members of the National Security Agency have lobbied lawmakers about nullifying the amendment. Why practice actual espionage when you can just buy all the information you could ever want about a target?

The Inevitable AI of It All

Just like every other industry, data brokering has a whole new lease on life with the proliferation of generative AI. There’s increasing potential for AI chatbots to glean even more information about our lives than is already out there. Samuel Woodhams, a researcher at Top10VPN, told The Daily Upside that the company had reviewed the privacy policies of ChatGPT and its various clones that sprung up after it went viral. Woodhams described ChatGPT’s privacy policy as “relatively robust,” but said the clones that sprang up in its wake were far less watertight. “The privacy implications were ridiculous. They had no privacy policies, and anything you said there could have been used,” said Woodhams. 

Even in the age of AI, it pays to remember the credo from World War II: Loose lips sink ships.