Your Personal Data Is for Sale: What Europeans Need to Know About Data Brokers
Data brokers collect up to 1,000 data points per person and trade them openly. Here's how the industry works, what GDPR means for your rights, and what you can do about it.

Right now, somewhere on the internet, a company you've never heard of is selling your full name, home address, phone number, estimated income, health interests, and political leanings to the highest bidder. This isn't hypothetical. It's a $278 billion industry with more than 750 registered data brokers operating globally, and the average profile they hold on an individual contains approximately 1,000 separate data points.
Most people have no idea this is happening. The data broker industry has built its business model on invisibility, operating in the background of everyday digital life, collecting and trading personal information at scale. Understanding how it works is the first step to doing something about it.
This article explains what data brokers collect, how they get your information, the real-world consequences, and, for Europeans specifically, why GDPR gives you stronger tools than most people realize.
What Data Brokers Actually Collect
The scope of data broker profiles goes far beyond your name and email address. The industry categorizes personal data into detailed segments that paint a remarkably complete picture of who you are.
Identifiers and contact information: Full name, home address, phone numbers, email addresses, date of birth, government ID numbers where accessible.
Financial data: Estimated income range, credit score estimates, property ownership, mortgage details, investment activity, bankruptcy records. Nielsen alone captures data on roughly 80% of US credit card transactions, and this data flows through broker networks internationally.
Behavioral and purchase data: Online browsing history, purchase history, app usage patterns, subscription services, brand preferences. Data brokers categorize spending habits down to individual product categories.
Health-related data: Prescription histories (where legally accessible), health condition interests inferred from browsing, fitness app data, insurance claims data. While direct medical records are protected under specific health privacy laws, the inferences drawn from behavioral data often reveal the same information.
Location data: GPS coordinates from mobile apps, travel patterns, frequently visited locations, commute routes. Location data is among the most valuable categories because it reveals behavior patterns that other data types can't.
Demographic and psychographic data: Race, ethnicity, religion, political affiliation, household composition, education level, occupation. Brokers create segments like "Expectant Parent," "Financially Distressed," or "Political Conservative" and sell access to these lists.
The average data broker profile contains approximately 1,000 individual data points, from your home address to your estimated credit score, your health interests to your political leanings.
This isn't just metadata. It's a comprehensive dossier. And for most people, it exists without their knowledge or meaningful consent.
How Your Data Ends Up There
Data doesn't appear in broker databases by accident. There are well-established pipelines that funnel personal information from everyday activities into commercial trading systems.
Public Records
Government databases are a primary source. Voter registration records, property transactions, court filings, business registrations, and marriage/divorce records are often publicly accessible. Brokers systematically scrape these databases and incorporate the information into their profiles. In the US, much of this data is fully public by default. In the EU, access varies by country, but brokers exploit whatever is available.
App SDKs
Many free apps include software development kits (SDKs) from data brokers embedded in their code. When you install and use these apps, the SDK silently collects device identifiers, location data, usage patterns, and sometimes contact lists. App developers receive payment for embedding these SDKs; it's how many "free" apps actually make money. Research has shown that popular apps can contain dozens of tracking SDKs, each sending data to different companies.
Online Tracking and Real-Time Bidding
Every time a webpage loads an ad, an auction happens in milliseconds. During this Real-Time Bidding (RTB) process, information about the user (location, browsing history, device type, inferred interests) is broadcast to hundreds of potential advertisers. Even when an advertiser doesn't win the auction, they've received the data. This system was designed for ad targeting, but it has become one of the largest data leakage mechanisms on the internet.
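What such a broadcast can carry, as an added example that is not part of the original article: the script audits a constructed bid request for the kinds of personal fields described above, then builds a data-minimised copy for comparison. It assumes the OpenRTB 2.x field layout (the article does not name a protocol), and every sample value is invented.

```python
import copy
import json

# Constructed sample laid out like an OpenRTB 2.x bid request (assumed format).
# Every value is invented for this example.
SAMPLE = json.loads("""{
  "id": "req-0001",
  "site": {"domain": "news.example",
           "page": "https://news.example/health/diabetes-diet"},
  "device": {"ua": "Mozilla/5.0 (Linux; Android 14)", "ip": "203.0.113.24",
             "ifa": "00000000-aaaa-bbbb-cccc-000000000001",
             "geo": {"lat": 52.3702, "lon": 4.8952, "type": 1}},
  "user": {"id": "u-7f3a", "buyeruid": "dsp-991", "yob": 1984,
           "data": [{"segment": [{"name": "Expectant Parent"}]}]}
}""")

# Field path -> the kind of information the article says is broadcast.
PERSONAL = {
    "device.ip": "location", "device.geo.lat": "location",
    "device.geo.lon": "location", "device.ifa": "device identifier",
    "device.ua": "device type", "site.page": "browsing history",
    "user.id": "user identifier", "user.buyeruid": "user identifier",
    "user.yob": "demographic", "user.data.segment.name": "inferred interests",
}

def flatten(obj, prefix=""):
    """Yield (dotted_path, value) for each leaf; list indices are omitted."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    else:
        yield prefix, obj

def audit(request):
    """Return sorted (path, category, value) for every personal field present."""
    return sorted((p, PERSONAL[p], v) for p, v in flatten(request) if p in PERSONAL)

def minimise(request):
    """Return a copy with identifiers dropped and location coarsened."""
    req = copy.deepcopy(request)
    req.pop("user", None)                        # no user IDs, age or segments
    device = req.get("device", {})
    device.pop("ifa", None)                      # no advertising ID
    if "ip" in device:                           # zero the last IPv4 octet
        device["ip"] = ".".join(device["ip"].split(".")[:3] + ["0"])
    for axis in ("lat", "lon"):                  # 0.1 degree grid instead of GPS
        if axis in device.get("geo", {}):
            device["geo"][axis] = round(device["geo"][axis], 1)
    site = req.get("site", {})
    if "page" in site and "domain" in site:      # keep the domain, drop the URL
        site["page"] = "https://" + site["domain"] + "/"
    return req

if __name__ == "__main__":
    for label, req in (("as broadcast", SAMPLE), ("minimised", minimise(SAMPLE))):
        print(f"{label}: {len(audit(req))} personal fields")
        for path, category, value in audit(req):
            print(f"  {path:24} {category:18} {value!r}")
```

Even the minimised copy still carries a coarse location, a device type and the site visited, which is why the number of recipients matters as much as the fields themselves.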
Loyalty Programs and Purchase Data
Supermarket loyalty cards, airline miles programs, store reward schemes: these exist primarily to capture transaction-level purchase data. That data is aggregated, analyzed, and frequently sold to or shared with third-party data brokers. The discount you receive on groceries is, in effect, a payment for your purchase history.
Social Media and Web Scraping
Publicly available social media profiles, forum posts, review sites, and professional directories are systematically scraped. Even information you consider semi-private, like a LinkedIn profile visible to logged-in users, can end up in broker databases through scraping or data partnerships.
The common thread across all these channels: most of this data collection happens without meaningful, informed consent. Terms of service buried in pages of legal text technically authorize it, but the gap between what people understand and what they've agreed to is enormous.
The Real-World Consequences
Data broker activity isn't an abstract privacy concern. It fuels concrete harms that affect millions of people every year.
Identity Fraud
In 2024, global identity fraud losses reached an estimated $47 billion. Data broker profiles provide the raw material: names, addresses, dates of birth, and financial details that enable account takeovers, synthetic identity creation, and social engineering attacks. The more complete a broker's profile on an individual, the easier it becomes for criminals to impersonate them convincingly. That same year, 1.73 billion individuals had personal records compromised globally, with six mega-breaches each exposing over 100 million records.
Robocalls and Spam
An estimated 56 billion robocalls were made globally in 2024. The phone numbers fueling these calls come overwhelmingly from data broker databases. Once your number enters the broker ecosystem, it circulates indefinitely, which is why blocking individual spam callers never solves the problem.
Targeted Scams
Data brokers create vulnerability segments ("Financially Distressed," "Elderly Living Alone," "Recent Widower") and sell access to these lists. While the intended buyers are marketers, these same lists are purchased by scam operations that deliberately target vulnerable populations. The specificity of broker data means scammers can craft highly personalized messages that reference real details about a victim's life.
Discrimination and Profiling
Perhaps the most disturbing consequence is the use of broker data for discriminatory targeting. In a documented case, anti-abortion organizations purchased location data associated with visits to approximately 600 Planned Parenthood clinics and used it to serve targeted advertisements to those individuals. Broker data has also been used for discriminatory housing and employment advertising, circumventing civil rights protections by targeting or excluding specific demographic groups.
In 2024, 1.73 billion individuals had personal data compromised globally, and six mega-breaches each exposed over 100 million records. Data broker profiles provide the raw material that makes identity fraud, targeted scams, and discriminatory profiling possible at scale.
Doxxing and Harassment
People-search websites, which are essentially consumer-facing data brokers, make it trivially easy to find someone's home address, phone number, and family members. Journalists, activists, domestic abuse survivors, and public figures face heightened risks when this information is freely accessible. Removing yourself from these sites is possible, but the process is deliberately cumbersome, and data frequently reappears after deletion.
The EU Advantage: GDPR vs the American Patchwork
Where you live dramatically affects your legal rights when it comes to data brokers. The difference between the EU and US frameworks isn't marginal; it's structural.
The US Approach: Fragmented and Opt-Out
The United States has no comprehensive federal privacy law. Instead, it relies on a patchwork of state-level legislation and sector-specific rules:
- CCPA/CPRA (California): Gives residents the right to know what data is collected, delete it, and opt out of its sale. Only applies to California residents and companies meeting specific revenue or data volume thresholds.
- Other state laws: Virginia, Colorado, Connecticut, and a handful of other states have enacted privacy laws, each with different requirements and scopes.
- No federal baseline: There is no equivalent of GDPR at the national level. Most Americans have no legal right to know what data brokers hold on them or to demand its deletion.
The US model is fundamentally opt-out: your data is collected and sold by default, and the burden falls on you to stop it, if your state even gives you that right.
The EU Approach: GDPR and Structural Protection
GDPR, which has been in force since 2018, takes the opposite approach. It's opt-in by design and applies uniformly across all 27 EU member states plus the EEA.
Key provisions relevant to data brokers:
- Article 6 (Lawful Basis): Organizations need a legitimate legal basis to process your data. "We bought it from another company" doesn't qualify without proper consent or legitimate interest assessment.
- Article 17 (Right to Erasure): You have the right to request deletion of your personal data. Organizations must comply within 30 days, with limited exceptions.
- Article 15 (Right of Access): You can request a full copy of all personal data an organization holds on you.
- Article 77 (Right to Complain): Every EU country has an independent Data Protection Authority (DPA) where you can file complaints. These are government agencies with real enforcement power.
- Penalties: Violations can result in fines of up to 4% of global annual turnover or €20 million, whichever is higher.
How They Compare
| | EU (GDPR) | US (CCPA, California only) |
|---|---|---|
| Coverage | All EU/EEA residents | California residents only |
| Legal basis | Opt-in: lawful basis required | Opt-out: collected by default |
| Right to deletion | Yes (Article 17) | Yes, but limited enforcement |
| Response deadline | 30 days | 45 days |
| Enforcement body | Independent DPAs per country | California AG / Privacy Protection Agency |
| Maximum penalty | 4% global turnover or €20M | $7,500 per intentional violation |
| Federal/unified law | Yes, applies across EU | No, state-level only |
Enforcement Is Real
GDPR enforcement against data brokers is increasing. The French data protection authority (CNIL) fined Tagadamedia for collecting personal data without valid consent through deceptive competition forms, a common broker acquisition tactic. Meta received a €390 million fine for processing personal data for behavioral advertising without proper legal basis. These aren't theoretical penalties; they represent a regulatory framework that's actively being used.
The key message: living in the EU gives you stronger legal tools than almost anywhere else in the world. But those tools only work if you actually use them.
The Opt-Out Problem
In theory, you can remove your data from broker databases manually. In practice, the process is designed to be as difficult as possible.
Scale: With more than 750 known data brokers operating globally, each with its own opt-out procedure, the task is overwhelming. There's no central registry and no unified removal process. Each broker has its own website (if you can find it), its own forms, its own requirements.
Buried processes: Many brokers make their opt-out mechanisms deliberately hard to find. Some require you to create an account before you can request deletion, which means providing more personal data to a company you're trying to remove data from. Others require postal mail, notarized documents, or copies of government ID.
Response times: Under GDPR, organizations have 30 days to respond to deletion requests. Under US state laws like the CCPA, brokers have 45 days. Many brokers push these deadlines to the limit, and some simply don't respond at all unless a formal complaint is filed.
Re-listing: This is perhaps the most frustrating aspect. Even when a broker successfully removes your data, it frequently reappears within months. Brokers continuously acquire new data from their sources, and unless those source pipelines are cut off, your information flows back in. Effective removal requires not a one-time effort but ongoing, repeated submissions, often annually for each broker.
Limited coverage even for professionals: A 2024 Consumer Reports study found that even professional data removal services struggle with comprehensive coverage. The broker landscape is fragmented and constantly changing, with new companies appearing and existing ones rebranding.
California's planned DELETE Act (expected to launch a centralized opt-out system by 2026) is a step forward, but it only covers California residents and California-registered brokers. For Europeans, GDPR provides a stronger legal framework, but the practical challenge of exercising those rights at scale remains.
This is the core tension: the legal right to remove your data exists, especially in the EU. But the practical effort required to exercise it across hundreds of brokers is so high that most people never do.
What You Can Do
Despite the challenges, there are concrete steps you can take to reduce your exposure and exercise your rights.
Step 1: Audit Your Digital Footprint
Start by understanding what's already out there.
- Search your own name on Google, Bing, and DuckDuckGo, with and without your city, employer, or other identifying details.
- Check people-search sites like Spokeo, BeenVerified, and similar services. If your profile appears, that data came from brokers.
- Review data breach exposure at haveibeenpwned.com to see which of your email addresses or passwords have been compromised in known breaches.
Step 2: Exercise Your GDPR Rights Directly
As an EU resident, you have legal tools that most of the world doesn't. For any organization you believe holds your personal data, you can submit an Article 17 (Right to Erasure) request.
GDPR Article 17 Request Template
Subject: Right to Erasure Request - [Your Full Name]
Dear Data Protection Officer,
Under Article 17 of the General Data Protection Regulation (GDPR), I am requesting the erasure of all personal data you hold relating to me.
My identifying details: [Name, email address, and any other identifiers they may have on file]
Please confirm deletion within 30 days as required by GDPR. If you believe an exemption applies, please specify the legal basis.
If you do not comply, I will file a complaint with [your country's DPA, e.g., CNIL (France), BfDI (Germany), AP (Netherlands), AEPD (Spain)].
Regards, [Your Name]
This template works for any data broker, people-search site, or company you suspect holds your data. Keep records of when you sent requests and whether you received responses; this documentation strengthens any complaint you might file later.
Step 3: Reduce Future Exposure
Prevention is easier than removal.
- Review app permissions on your phone. Revoke location, contacts, and microphone access for apps that don't genuinely need them.
- Limit loyalty program participation, or use them with a secondary email address.
- Use privacy-focused tools for everyday browsing: a privacy-respecting search engine, a browser that blocks trackers by default, and encrypted email like Proton Mail.
- Be selective about forms and sign-ups. Every field you fill in is a potential data point entering the broker ecosystem.
- Check cookie consent carefully. In the EU, sites must ask before setting tracking cookies; don't just click "Accept All" by habit.
Step 4: Consider Automated Removal
For most people, manually submitting deletion requests to hundreds of brokers isn't realistic. Services exist that automate this process.
Incogni, for example, is a Lithuanian company that submits GDPR Article 17 and CCPA deletion requests on your behalf to over 180 data brokers. It handles the follow-ups, tracks responses, and resubmits requests when data reappears, essentially automating what would take dozens of hours to do manually. Because it's EU-based, it operates under GDPR itself.
Automated removal services don't cover every broker, and they're not a substitute for the prevention measures above. But for reducing the volume of your data actively circulating in broker networks, they address the scale problem that makes manual removal impractical.
Step 5: Use Your Country's DPA
Every EU member state has a Data Protection Authority with the power to investigate complaints and impose penalties. If a broker ignores your deletion request, filing a complaint with your DPA is free and carries real weight. Some notable DPAs:
- France: CNIL (cnil.fr)
- Germany: BfDI (bfdi.bund.de)
- Netherlands: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
- Spain: AEPD (aepd.es)
- Ireland: DPC (dataprotection.ie)
Most DPAs accept complaints online and in your national language.
Knowledge Is the First Step
The data broker industry thrives on invisibility. Most people don't know their data is being collected, don't know it's being sold, and don't know they have the legal right to stop it. That asymmetry of knowledge is the industry's greatest asset.
Europeans have something most of the world doesn't: a unified legal framework that treats personal data as a fundamental right, enforced by independent authorities with real power. GDPR isn't perfect, and exercising your rights still requires effort. But the tools exist, and they work, especially when people actually use them.
Start with awareness. Audit what's out there. Exercise your rights where it matters most. And make informed choices about the tools and services you use every day.