Personal information represents one of the most valuable commodities in the modern digital economy, with data brokers operating at the intersection of privacy erosion and commercial opportunity. Data brokers—companies that collect, aggregate, and sell personal information about individuals without direct consumer relationships—have constructed comprehensive digital profiles on virtually every American citizen, capturing thousands of data points per person derived from public records, commercial transactions, social media activity, and sophisticated web scraping techniques. With the data broker industry valued at approximately $200 billion annually and containing an estimated 4,000 companies worldwide, individuals face unprecedented challenges in controlling their personal information and shrinking the profiles that these companies maintain. The scope of this problem extends beyond mere inconvenience; data broker profiles enable identity theft, targeted fraud, unwanted manipulation, national security threats, and discriminatory practices that can affect employment, housing, insurance, and credit decisions. This comprehensive analysis examines the multifaceted challenge of reducing data broker profiles through manual opt-out procedures, automated removal services, proactive privacy protection measures, and emerging regulatory mechanisms such as California’s groundbreaking Delete Request and Opt-Out Platform launching in 2026, providing evidence-based guidance for individuals seeking to reclaim control over their personal data in an increasingly transparent yet unregulated digital marketplace.
Understanding Data Broker Profiles: Scope and Scale
The data broker industry operates largely invisibly to most consumers, with the vast majority of individuals unaware that companies maintain detailed profiles about them or that these profiles are actively being bought and sold to third parties for commercial gain. The opacity of this industry represents a fundamental challenge to privacy rights, as data brokers have little financial incentive to interact transparently with the subjects of their data collection activities. Recent comprehensive analysis by Privacy Rights Clearinghouse identified 750 unique data broker groups operating across the United States by systematically collecting and analyzing registration data from five state registries in April 2025. This identification of 750 brokers represents only those operating in states with registration requirements—California, Oregon, Texas, and Vermont—suggesting that the actual number of data brokers operating nationally may be substantially higher, as many companies fail to register even in states where registration is legally mandated.
The compliance gaps revealed by this research underscore a critical vulnerability in the regulatory landscape. Privacy Rights Clearinghouse’s analysis discovered that hundreds of data brokers registered in some states failed to register in others despite legal requirements, with California’s registry containing 459 brokers while Vermont’s registry showed only 441, Oregon’s 275, and Texas’s 226. This fragmented registration pattern indicates that companies are strategically avoiding compliance obligations or exploiting definitional ambiguities in state laws to evade accountability. Furthermore, the study did not account for data brokers operating without registering in any state, suggesting the true scope of the industry is substantially larger than the visible registries indicate. The scale of this problem becomes even more apparent when considering that each data broker may maintain billions of data records and conduct millions of transactions annually, as exemplified by LexisNexis Risk Solutions, which processes over 270 million transactions per hour.
The economic drivers behind this explosive data broker growth are compelling and multifaceted. Businesses generate enormous financial incentives to collect and monetize consumer data, while data brokers have comparatively little financial incentive to protect that data or limit its collection. The industry’s fundamental business model depends on continuous data acquisition, aggregation, and distribution to maximize revenue opportunities. This economic structure creates perverse incentives where data brokers profit from information collection regardless of whether consumers consent or benefit, and where limiting data collection would directly undermine their business model. As the data broker industry is projected to grow from approximately $250 billion in 2022 to $561 billion by 2029, the urgency of developing effective strategies to shrink personal profiles intensifies.
The Architecture of Personal Profiling: What Data Brokers Collect
Data brokers construct remarkably comprehensive profiles through systematic collection from multiple sources, both online and offline, creating detailed portraits that can include thousands of individual data points per person. The breadth and depth of information collected extends far beyond basic demographic details, incorporating behavioral data, financial information, health indicators, location history, and even inferred characteristics that data brokers derive through algorithmic analysis. Understanding the specific types of information collected is essential for individuals seeking to shrink their profiles and understand what information requires protection.
Public records represent one of the most accessible and comprehensive data sources available to brokers. These include birth certificates, marriage licenses, divorce records, voter registration information, court records, bankruptcy filings, motor vehicle records, census data, and property ownership information. Unlike private consumer data, public records are legally available for purchase and aggregation, making them a primary foundation for data broker profiles. When aggregated across multiple states and time periods, public records create a historical timeline of an individual’s major life events, financial status, legal circumstances, and geographic movements.
Commercial data sources provide another critical input stream for data broker profiles. These include purchase history documenting what consumers have bought, when they made purchases, how much they spent, and whether they used coupons or loyalty cards. Retailers, credit card companies, financial institutions, and online merchants all generate transaction records that flow into data broker databases through both direct partnerships and secondary market purchases. Loyalty programs represent particularly rich data sources, as consumers often provide detailed personal information when enrolling in these programs and then authorize data sharing through terms of service that are rarely read thoroughly.
Web-based data collection has become increasingly sophisticated through web scraping techniques that automatically extract information from websites at scale. Data brokers deploy specialized software and scripts that harvest information from public-facing websites, capturing browsing patterns, search histories, and activity on visited sites. Cookies installed on websites track online behavior across multiple platforms, creating comprehensive records of which sites individuals visit, what products they view, what articles they read, and what advertisements they click. Social media platforms represent particularly valuable targets for web scraping, as users often post personal information about their interests, relationships, location, employment, education, and activities without fully understanding how that information will be used.
The specific categories of personal information collected demonstrate the granular nature of modern data broking. Data brokers compile names, current and historical addresses, telephone numbers, email addresses, dates of birth, gender, marital status, information about children including their ages and names, Social Security numbers, driver’s license numbers, education levels, employment history, occupation, estimated income levels, assets and property ownership, purchasing behavior and transaction history, web browsing activity, email addresses, credit score ranges and financial indicators, political affiliations and interests, health-related conditions and medical information, criminal records and legal filings, vehicle ownership and registration information, and religious affiliations and lifestyle preferences. This comprehensive cataloging extends to what data brokers call “inferred characteristics”—predictions about individuals based on behavioral patterns, such as presumed political leanings, estimated likelihood of particular health conditions, or predicted financial stress levels.
The most troubling aspect of data broker profiling involves the creation of detailed consumer segments that explicitly target vulnerable populations or exploit sensitive circumstances. Data brokers have been documented maintaining profiles of “economically anxious elders,” “frequent purchasers of pregnancy kits,” people experiencing financial distress, individuals struggling with substance abuse issues, and people seeking mental health services. These categories enable sophisticated targeting by bad actors who wish to exploit vulnerable populations through scams, predatory lending, or inappropriate marketing. In one documented case, data brokers were marketing lists of military personnel identified by military base proximity and characterized by financial vulnerability indicators, creating dangerous exposure for national security personnel.
Categories and Operations of Data Brokers
The data broker industry is not monolithic but rather comprises several distinct categories of companies operating under different business models and serving different customer bases, though many large brokers operate across multiple categories simultaneously. Understanding these distinctions is essential for comprehending how brokers operate and which profiles pose particular threats to individuals.
People search sites represent the most visible and arguably most troubling category of data brokers. These companies, including prominent examples such as Spokeo, Whitepages, PeopleFinders, BeenVerified, and Intelius, specialize in making personal information readily accessible to any individual willing to pay a fee. People search sites compile information from public records, commercial sources, and other data brokers to create searchable databases where users can look up individuals by name or phone number and retrieve detailed personal information including addresses, phone numbers, email addresses, and family member connections. These sites deliberately market to individuals without professional qualifications or legitimate purposes, creating easy access to personal information for stalkers, harassers, identity thieves, and other malicious actors. Unlike other data broker categories that sell information to defined customer groups with claimed legitimate purposes, people search sites explicitly serve the general public without meaningful screening or verification.
Marketing and advertising data brokers operate by segmenting consumers into detailed categories based on demographics, interests, purchasing behavior, and inferred characteristics, then selling access to these segments to advertisers and marketers. Companies like Acxiom, Epsilon, and Oracle dominate this category, building profiles that enable targeted marketing campaigns, direct mail campaigns, telemarketing, and online advertising. These brokers often provide “appending services,” where a business with partial information about a consumer (such as an email address) can pay to have additional information added, including home address, purchasing history, and estimated income. While the marketing purposes may seem less immediately threatening than people search sites, the targeting capabilities enable manipulation, discrimination, and exploitation at scale.
Risk mitigation data brokers provide services to verify customer identities and detect fraudulent purchase patterns. Companies in this category include LexisNexis Risk Solutions, which processes hundreds of millions of transactions hourly for identity verification and fraud detection. Employment screening companies like ADP, backgroundcheck.com, and Checkr provide background information to employers, including credit history, employment verification, salary information, and professional license verification. Tenant screening companies like RealPage, Rent Grow, and TransUnion use similar databases to evaluate prospective renters. These brokers operate under the regulatory authority of the Fair Credit Reporting Act when their information is used in employment or credit decisions, providing some consumer protections absent in other categories.
Health and financial data brokers represent increasingly concerning categories that compile sensitive information about consumers’ health status and financial circumstances. Companies like Experian Health and Healthcare.com collect information about prescription purchases, healthcare provider visits, symptoms searched online, and health app usage, then score consumers based on predicted health risks and expected healthcare costs. Financial data brokers track income levels, debt obligations, credit histories, and financial distress indicators. These categories pose exceptional risks because health and financial information can enable discrimination in insurance and credit decisions and expose individuals to identity theft and fraud targeting their financial vulnerabilities.
Shrinking Your Digital Profile: Manual Opt-Out Strategies
The most direct approach to shrinking data broker profiles involves manually contacting individual brokers to request data removal, though this method is extraordinarily time-consuming and requires significant persistence given the structural barriers that brokers deliberately maintain. The manual opt-out process generally follows a consistent sequence of steps, though each broker implements variations designed to complicate and discourage removal requests.
The first step in manual opt-out requires identifying which data brokers maintain profiles containing an individual’s personal information. This represents a substantial initial challenge because data brokers do not voluntarily advertise that they hold specific individuals’ data, and most people are entirely unaware of which brokers have compiled profiles about them. Individuals can begin by searching their own names in people search sites and noting which sites return results, though this approach only identifies the most accessible and least sophisticated brokers. Resources such as the Privacy Rights Clearinghouse Data Broker Database provide comprehensive lists of registered brokers, though this database captures only those brokers operating in states with registration requirements and not the broader universe of companies operating without registration. After identifying target brokers, individuals must then locate the specific opt-out mechanisms, which brokers deliberately obscure through dark patterns and technical barriers.
Locating opt-out pages and procedures represents the second significant hurdle in manual removal. Recent investigations revealed that at least 35 of 499 California data broker websites employ search-blocking code that prevents their opt-out pages from appearing in search engine results, making it substantially more difficult for individuals to find removal instructions. Many brokers bury opt-out options deep within privacy policies, terms of service, or FAQ pages, requiring users to navigate multiple screens, dismiss pop-up cookie permission requests, and contend with newsletter sign-ups before finding the actual opt-out link, which is frequently displayed in a substantially smaller font than other text. Some brokers intentionally hide opt-out links entirely, requiring individuals to contact brokers through email or phone to initiate removal.
Once located, opt-out request procedures vary significantly by broker, creating a labyrinthine landscape with no standardized process. Some brokers provide simple checkbox-based opt-out forms that require minimal information, while others demand multi-stage processes including notarized affidavits, government-issued identification uploads, or comprehensive verification questions. Many brokers ask users to provide additional personal identification information—including photo IDs, driver’s license copies, Social Security numbers, or answers to security questions—as part of the verification process. This requirement creates a perverse catch-22 situation where individuals seeking to remove personal information must first provide additional identifying information to prove the profile belongs to them, thereby creating additional data exposure vectors. Some brokers unscrupulously use this verification process to capture additional personal information that they subsequently market to other buyers.
Identity verification requirements demand particular caution from individuals pursuing manual opt-outs. When brokers require government-issued identification to verify removal requests, individuals should limit what they provide by blacking out or blurring sensitive information such as photographs, dates of birth, and document numbers while leaving only name and address visible to satisfy verification requirements. Adding a watermark stating “For data removal only” prevents the submitted documents from being reused elsewhere. Some individuals reasonably decide they would rather tolerate their information remaining on data broker sites than provide additional sensitive information to companies that have already demonstrated they will monetize personal data without consent.
Protect Your Digital Life with Activate Security
Get 14 powerful security tools in one comprehensive suite. VPN, antivirus, password manager, dark web monitoring, and more.
Get Protected NowThe submission of removal requests represents merely the beginning of a potentially lengthy process. According to legal requirements in states with privacy protections, data brokers typically have 30 to 45 days to process removal requests. However, many brokers delay responses, request extensions, require additional information, or simply ignore requests entirely. Consumer Reports research found that only 18 percent of individuals who submitted opt-out requests received confirmation that their data would no longer be sold in the future. After submitting requests, individuals must follow up persistently to verify that removal actually occurred. Using people search engines to verify removal requires multiple checks as some brokers process requests over extended periods.
Perhaps most frustratingly, data removed from broker sites frequently reappears months later as brokers refresh their databases from the same public and commercial sources. Once data is removed, brokers can legally republish that same information if they re-obtain it from original sources, meaning removal is not permanent unless individuals take ongoing action. This creates what privacy researchers describe as a “whack-a-mole game” where individuals must continuously monitor brokers for data reappearance and repeatedly submit removal requests. The California Consumer Privacy Act, the most comprehensive state privacy law, actually permits data brokers to stop honoring opt-out requests after one year, meaning individuals may need to submit requests annually to maintain removal status.
The temporal and effort investment required for manual removal is staggering. On average, removing personal information from all major data brokers requires approximately 47 minutes of work including verification of removal and re-submission if initial requests are not honored. When multiplied across potentially hundreds of data brokers and accounting for the time investment in locating brokers and identifying which ones maintain profiles about specific individuals, manual opt-out for a single person could easily consume 50 to 100 hours of labor. For families with multiple members or individuals with extensive prior online history, the burden becomes effectively prohibitive. These factors explain why automated data removal services have emerged and proliferated—they exist to solve a problem that manual removal has made practically insurmountable.
Automated Data Removal Services: Effectiveness and Limitations
Automated data removal services offer the promise of dramatically simplifying the data removal process by systematically submitting opt-out requests across hundreds of data brokers on behalf of consumers, then monitoring for data reappearance and re-submitting removal requests on an ongoing basis. The market for these services has grown substantially, with prominent options including DeleteMe, Optery, Incogni, Kanary, PrivacyBee, and others. These services typically operate through a similar process: consumers provide basic personal information including name, email address, and current and previous addresses; the service scans databases to identify which brokers maintain profiles about the consumer; the service provides a report detailing findings; the service then automates the submission of opt-out requests to identified brokers; the service monitors for data reappearance and resubmits requests; and the service provides ongoing reports to consumers documenting removal progress.
The coverage claimed by these services varies substantially, with different companies asserting responsibility for different numbers of data brokers. Incogni claims coverage of over 420 data brokers, DeleteMe asserts removal from 850+ sites with custom requests, Optery advertises coverage of 385+ data brokers depending on plan selection, and PrivacyBee claims responsibility for 300–600 brokers. However, recent independent testing reveals that these coverage claims require careful scrutiny and that actual removal effectiveness often falls significantly short of advertised capabilities. Consumer Reports’ comprehensive 2025 study testing seven removal services found removal success rates varying dramatically, with the most effective services achieving only 65-68 percent success rates after four months, while the least effective services achieved removal rates below 10 percent. Critically, even the labor-intensive manual opt-out process achieved only 70 percent success after four months, suggesting that the inherent difficulty of removal transcends the removal method employed.
The pricing structure for automated removal services ranges widely, creating a complex marketplace where consumers must balance cost against coverage and effectiveness. Incogni begins at $7.99 monthly for its Standard plan with annual pricing of $95.88, DeleteMe starts at $8.60 monthly or approximately $103 annually, Optery ranges from $3.25 to $24.99 monthly depending on plan selection, and Aura begins at $7 monthly. Many services offer family plans covering multiple household members at modest incremental cost, though the cost-benefit calculation depends entirely on how effective the service proves for a given user. Some services offer money-back guarantees ranging from 30 to 60 days, allowing consumers to test services before committing to extended subscriptions.
The actual effectiveness of automated services requires closer examination than marketing claims suggest. DeleteMe, which emphasizes that cybersecurity experts manually review removal from over 100 data broker sites, reported that on average users’ information appeared on 2,389 separate data broker instances across a two-year subscription period. However, the Consumer Reports study found that DeleteMe, while performing reasonably well, still achieved only moderate removal success rates. Optery, which scored well in Consumer Reports testing with a 68 percent success rate, uses a “humans plus machines” approach combining automated technology with human privacy agents. Incogni received strong independent verification from the Big Four auditing firm Deloitte, confirming that Incogni’s automated process actually removed data from over 420 brokers and that recurring requests are sent every 60-90 days to prevent data reaccumulation. However, even services performing well in independent testing achieved less than complete removal, indicating that the structural challenges to data removal transcend any individual service provider’s capabilities.
The persistence of data following removal attempts underscores a fundamental reality about the data broker ecosystem: removing information from any single broker only addresses that broker’s database while thousands of other brokers continuously re-acquire and republish the same information from source data. When data brokers refresh their databases using the same public records and commercial sources from which they originally obtained information, that data automatically repopulates even after removal requests were honored. This means that removal is perpetually temporary unless individuals maintain continuous removal services over extended periods. This necessity for ongoing monitoring and repeated removal requests explains why most customers using these services choose to maintain subscriptions long-term rather than using them for one-time cleanup.
Research on the effectiveness of paid removal services reveals additional concerning patterns. Some removal services have been found to maintain financial relationships with the people-search sites whose databases they claim to be cleaning, raising potential conflicts of interest. For example, some removal services advertise on people-search sites or maintain explicit partnerships with them, which some researchers characterize as creating perverse incentives to maintain the data broker ecosystem rather than genuinely minimizing it. Additionally, investigation into removal services’ claims about coverage numbers revealed that some services count dead websites no longer in operation, count state-specific database variations as separate sites to inflate coverage numbers, or include sites with sophisticated technical barriers that the services acknowledge they cannot effectively remove from.
Despite these limitations and caveats, automated removal services nonetheless provide substantial practical value for most consumers seeking to shrink their data broker profiles. The time savings alone justify the modest annual cost, as manually pursuing hundreds or thousands of removal requests would consume dozens of hours that most individuals cannot reasonably spare. Even imperfect removal dramatically reduces the ease with which malicious actors, stalkers, or identity thieves can access personal information, providing meaningful privacy and security benefits. For individuals in particular danger, such as survivors of domestic violence or stalking, the risk reduction achieved through data removal—even if incomplete—can be genuinely life-saving.
Proactive Prevention: Limiting Data Collection at the Source
While shrinking existing data broker profiles through removal efforts provides important immediate relief, the most effective long-term approach to limiting data broker profiling involves proactive measures that prevent data collection before it begins or limit the types of information available for brokers to collect. These prevention strategies operate at multiple levels, from individual behavioral choices to systemic platform modifications and regulatory interventions.
At the individual behavioral level, consumers can substantially reduce the information available to data brokers by exercising restraint in what personal information they voluntarily share online and offline. This begins with being highly selective about information disclosed on social media platforms, recognizing that data brokers extensively scrape social media profiles to capture employment history, interests, relationships, location information, and other personal details. Making social media accounts private substantially restricts scrapers’ access to this information, though it does not provide complete protection given that brokers can infiltrate private accounts using various techniques. Avoiding participation in online quizzes, surveys, sweepstakes, and contests prevents the capture of personal preferences and interests that data brokers systematically aggregate. Deleting unused accounts removes information repositories that data brokers actively monitor for profile information.
Controlling permission settings on mobile applications and devices prevents one particularly powerful data collection mechanism. Mobile applications extensively collect location data, which data brokers purchase and aggregate to track individuals’ movements, identify patterns, and determine visits to sensitive locations such as abortion clinics, drug treatment facilities, mental health providers, or other locations revealing sensitive information. Disabling location services on phones prevents many—though not all—forms of location tracking. Similarly, selectively granting permissions for camera and microphone access only when applications genuinely require these capabilities prevents applications from harvesting unnecessary information.
Using virtual private networks (VPNs) when browsing on public Wi-Fi prevents trackers from easily connecting IP addresses to personal identity, though VPNs do not prevent cookie-based tracking or identification of logged-in accounts. Enabling “Do Not Track” features in web browsers and blocking cookies provides a partial defense against web-based tracking, though many websites ignore these signals. Using privacy-focused browsers like Firefox Focus or LibreWolf that include enhanced tracking protection provides greater defense against data collection than default browsers.
Stopping the flow of new information into data broker pipelines requires addressing the commercial and retail sources that provide brokers with transaction data. Opting out of direct marketing and telemarketing through centralized opt-out services like DMAchoice.org limits marketing lists flowing into data broker databases. Declining prescreened credit offers by visiting optoutprescreen.com or calling 1-888-5-OPT-OUT prevents credit bureaus from generating prescreened lists to data brokers. Discussing data privacy options with phone carriers, recognizing that carriers only need to collect information for billing and legal purposes while not requiring permission to collect other data for sale, can limit the information that carriers sell to brokers. Checking privacy policies at the Department of Motor Vehicles and limiting what information the DMV shares about drivers prevents vehicle and personal information from flowing into data broker networks. Checking with financial institutions and declining unnecessary data sharing permissions prevents financial information from being aggregated by brokers. These individual behavioral modifications, while collectively helpful, face the fundamental constraint that much personal information flows into data broker networks through sources outside individuals’ direct control, such as court records, property ownership, voting records, and third-party transactions.
At the systemic level, changes to how platforms and service providers handle data can substantially limit what information becomes available for brokers to collect. California’s recent legislation requiring social media companies to make account deletion straightforward and to ensure deletion triggers complete removal of user personal data represents progress in this direction. Governor Newsom’s signing of Assembly Bill 656 requires social media platforms to make canceling accounts straightforward and clear while ensuring deletion triggers full deletion of personal data, directly addressing one pipeline through which data brokers access information. Additional California legislation, including Senate Bill 361 by Senator Josh Becker, strengthens data broker registration requirements by requiring brokers to provide consumers with more information about what personal data they collect and who may access it. Assembly Bill 566 requires browsers to include settings enabling users to send websites an opt-out preference signal, allowing Californians to opt out of third-party data sales at one time rather than on individual websites.
The most significant systemic development involves California’s groundbreaking Delete Request and Opt-Out Platform (DROP), mandated by the California Delete Act and scheduled to launch by August 1, 2026. DROP represents a seismic shift in how individuals can exercise deletion rights by enabling Californians to submit a single verified deletion request through an official state platform that compels all registered data brokers to delete the requestor’s information within 45 days. Starting August 1, 2026, data brokers must access DROP every 45 days to retrieve and process deletion requests, with brokers facing administrative fines of $200 per day for failures to comply. This centralized mechanism eliminates the requirement for individuals to contact each broker individually and provides regulatory teeth through enforcement mechanisms and third-party audits required by January 1, 2028.
The DROP platform also enables individuals to designate authorized agents to submit deletion requests on their behalf, streamlining the process and ensuring professional handling of complex deletion requirements. California residents should begin preparing now for DROP’s launch by documenting their current digital footprint, evaluating data removal services based on DROP readiness, gathering personal information and documentation needed for identity verification, and considering the designation of authorized agents to manage deletion requests.
Regulatory Frameworks and Compliance Gaps
The regulatory landscape governing data brokers remains fragmented and inadequate, with significant compliance gaps limiting individuals’ ability to exercise deletion rights and enforcement mechanisms failing to hold brokers accountable. The United States lacks a comprehensive federal privacy law equivalent to Europe’s General Data Protection Regulation or Brazil’s Lei Geral de Proteção de Dados, leaving regulation to individual states with dramatically varying approaches and enforcement capabilities.
Only five states have enacted comprehensive consumer privacy laws providing broad protections for consumer data: California, Colorado, Connecticut, Virginia, and Utah. These five states grant consumers rights to access, correct, or remove personal information collected about them, though the scope and effectiveness of these rights vary considerably. The vast majority of states provide minimal protection, limiting regulations to children’s privacy, biometric and facial recognition restrictions, or no privacy protections whatsoever. This patchwork creates a landscape where individuals’ privacy rights depend substantially on their state of residence, with California residents receiving substantially stronger protections than residents of most other states.
California’s legal framework provides the most comprehensive existing state-level protections and therefore offers important lessons about both the possibilities and limitations of state-based regulation. The California Consumer Privacy Act of 2018, amended by the California Privacy Rights Act of 2020, created the California Privacy Protection Agency to implement and enforce these laws. The Delete Act, enacted in 2023, specifically addresses data brokers by requiring them to register with the California Attorney General (later transferred to the CPPA) and establish mechanisms for consumers to delete their personal information. However, implementation of these requirements has revealed substantial compliance gaps, with data brokers deliberately evading registration obligations and hiding opt-out mechanisms from search engines.
California’s attempt at enforcement demonstrates both the potential and limitations of regulatory approaches to data broker oversight. The California Privacy Protection Agency has undertaken an aggressive enforcement sweep, with multiple actions against data brokers failing to register or pay annual fees. In February 2025, Background Alert, Inc., a California-based data broker that compiled billions of public records into detailed profiles advertising “it’s scary how much information you can dig up on someone,” agreed to shut down its operations through 2028 or face $50,000 daily fines after failing to register as required. This case illustrates both that enforcement action is possible and that consequences can be meaningful, yet the Background Alert settlement also reveals the limited effectiveness of enforcement actions—the company was merely required to cease operations, not to delete existing data or provide compensation to affected individuals.
Beyond California, Vermont passed the first comprehensive state data broker law in 2018, requiring data brokers to register and implement reasonable data security measures. However, Vermont’s law did not include deletion rights mechanisms or the sophisticated enforcement infrastructure that California has subsequently developed. Texas and Oregon have passed their own data broker registration requirements, though with varying details and enforcement approaches. Texas’s law includes data security requirements treating violations as deceptive practices under consumer protection law with penalties up to $10,000 per violation. Oregon’s law allows civil penalties of $500 per day capped at $10,000 annually per violation. These state-level approaches, while representing progress compared to complete absence of regulation, create compliance challenges for brokers operating across multiple states with different definitions of “data broker,” different registration timelines, and different enforcement mechanisms.
The federal Fair Credit Reporting Act provides the only existing federal framework addressing certain data brokers, specifically those functioning as “consumer reporting agencies” by compiling reports used in credit, employment, insurance, or housing decisions. The FCRA requires these agencies to allow consumers to access reports about them and dispute inaccuracies, provides some accuracy safeguards, and limits what information can be sold and to whom. However, most data brokers have successfully claimed exemption from FCRA requirements, arguing they do not fit the consumer reporting agency definition even while selling the precise sensitive information the FCRA was designed to protect. Recent enforcement actions suggest this may be changing. The Consumer Financial Protection Bureau announced proposed rulemaking to expand FCRA applicability to data brokers selling income, financial tier, credit history, credit scores, or debt payment information, addressing the widespread evasion of FCRA protections.
The Consumer Financial Protection Bureau’s proposed rule would additionally ban the sale of personal identifiers such as Social Security numbers, home addresses, and full names when used outside legitimate purposes like fraud detection, directly targeting the “credit header” data that criminals actively purchase for identity theft and stalking. This proposed enforcement action demonstrates recognition that data broker practices pose national security concerns, with research finding that data brokers track U.S. military personnel with enough precision to identify movements around sensitive military facilities. The same concern extends to federal law enforcement, with researchers demonstrating purchases of location data enabling tracking of federal law enforcement conducting confidential investigations.
Critically, the proposed CFPB rule explicitly preserves law enforcement access to data brokers’ information, recognizing legitimate governmental uses while attempting to restrict commercial and personal misuse. This balance acknowledges the genuine tension between privacy protection and legitimate security, though it also creates ongoing risks given the difficulty of distinguishing legitimate law enforcement requests from other uses.
Recent Developments and Future Protections
The evolving regulatory and enforcement landscape reflects growing recognition of data broker harms and emerging strategies to constrain the industry. Beyond California’s DELETE Act and the CFPB’s proposed expansion of FCRA applicability, additional legislative and enforcement developments are reshaping data broker regulation and individuals’ ability to shrink their profiles.
In October 2025, California Governor Newsom signed multiple data privacy bills strengthening existing protections and establishing new requirements. Assembly Bill 656 requires social media companies to make account deletion clear and easy and ensure deletion triggers complete removal of user personal data, directly addressing one major pipeline through which data brokers access information. Senate Bill 361 strengthens data broker registration by requiring brokers to provide consumers with more information about what personal information is collected and who may access it. Assembly Bill 566 requires browsers to include settings enabling users to send opt-out preference signals to websites, allowing consumers to opt out of third-party data sales at one time rather than individually on each website.
Recent enforcement actions signal increased regulatory focus on data broker misconduct. The Federal Trade Commission reached settlements with Truthfinder and Instant Checkmate for deceptive advertising claims that their reports contained “the most accurate information available to the public” when the companies failed to verify accuracy of information obtained from third-party sources. The $5.8 million civil penalty includes requirements for comprehensive compliance programs addressing accuracy verification and consumer dispute investigation. The same enforcement action alleged the companies employed dark pattern deception through fake “Remove” and “Flag as Inaccurate” buttons on their websites that appeared functional but merely hid information from consumer view rather than actually removing or correcting it. This FTC enforcement demonstrates recognition that data accuracy is itself a privacy concern, not merely a separate data quality issue.
The scale of recent data broker violations suggests enforcement intensity may be increasing. In October 2024, the FTC and Consumer Financial Protection Bureau reached a $15 million settlement with TransUnion and its subsidiary for inaccurate tenant screening reports that prevented consumers from obtaining housing, marking the largest financial settlement in a tenant-screening matter. These escalating enforcement actions and penalties suggest regulatory agencies are treating data broker misconduct with greater seriousness than in previous periods.
Colorado’s regulatory evolution also demonstrates movement toward stronger data protection frameworks. On August 28, 2025, Governor Polis signed Senate Bill 4, delaying implementation of the Colorado AI Act by five months and moving the effective date from February to June 30, 2026. This extension provides affected companies additional time to ensure compliance with regulations affecting algorithmic decision-making, including those affecting how data brokers use artificial intelligence for profiling and scoring.
Maryland’s Online Data Protection Act, which goes into effect October 1, 2025, establishes comprehensive protections for consumer data, while Oregon’s Consumer Privacy Act became effective July 1, 2025 for nonprofit organizations, with universal opt-out requirements beginning January 1, 2026. These expanding state-level regulatory frameworks create a patchwork of requirements that pressures companies toward stronger privacy protections even absent federal law, though businesses and consumers alike struggle with the compliance complexity resulting from multiple overlapping regulatory regimes.
The most significant near-term development remains the launch of California’s Delete Request and Opt-Out Platform (DROP) by August 1, 2026. This mechanism promises to revolutionize how individuals exercise deletion rights and presents both opportunities and challenges for data broker compliance. By August 1, 2026, data brokers must begin accessing DROP every 45 days to retrieve and process deletion requests, with brokers failing to comply facing $200 daily fines. The platform requires brokers to create accounts, implement technical infrastructure capable of matching deletion requests against their records, and maintain reasonable security procedures protecting the data they process. This centralized mechanism should dramatically simplify the deletion process compared to current manual opt-out procedures requiring individual contact with hundreds of brokers.
However, DROP’s effectiveness depends on comprehensive broker participation and adequate regulatory enforcement of compliance obligations. Given the compliance gaps revealed by Privacy Rights Clearinghouse’s April 2025 analysis finding 750 registered brokers operating across five state registries with many brokers failing to register in multiple states despite legal requirements, uncertainty remains about whether all brokers will register with DROP or whether some will exploit definitional ambiguities or jurisdictional technicalities to evade compliance. Enforcement mechanisms requiring triennial independent third-party audits beginning January 1, 2028 will test whether CPPA resources prove sufficient to verify widespread compliance.
Sustaining a Shrunken Profile
Data brokers have constructed an industrial-scale apparatus for extracting, aggregating, and selling personal information at remarkable profitability, with the resulting profiles enabling identity theft, targeted fraud, discriminatory practices, national security vulnerabilities, and sophisticated manipulation at scale. The comprehensive analysis presented in this report demonstrates that shrinking data broker profiles requires multifaceted strategies combining manual opt-out procedures, automated removal services, proactive privacy protection measures, and emerging regulatory frameworks. No single approach provides complete protection, and individuals seeking genuine privacy must layer multiple strategies while accepting that complete data removal is likely impossible given the decentralized nature of data collection and the continuous re-acquisition of information from source records.
For individuals pursuing immediate personal privacy improvement, the most practical approach involves combining automated data removal services with proactive limitation of future data collection. Individuals should select removal services based on transparent reporting of coverage, effectiveness studies from independent researchers, and ongoing monitoring capabilities rather than relying on marketing claims alone. Services like Incogni, DeleteMe, and Optery have undergone independent verification demonstrating actual removal success rates, though even these services achieve less than complete removal. These services provide substantial value through time savings and ongoing monitoring for data reappearance, justifying their modest annual costs for most individuals. Simultaneously, individuals should implement proactive prevention measures including tightening social media privacy settings, opting out of marketing lists, declining unnecessary permission grants to mobile applications, using VPNs on public networks, and deleting unused accounts.
Individuals in particular danger, such as survivors of domestic violence or stalking, should prioritize comprehensive removal efforts and consider utilizing authorized agents or professional privacy services to manage the process while maintaining maximum personal safety. The Privacy Rights Clearinghouse Data Broker Database provides essential resources for identifying and contacting brokers, while state-level registries in California, Oregon, Texas, and Vermont offer additional information about registered brokers’ claimed practices.
The regulatory outlook suggests substantial improvement ahead for individuals seeking to shrink their profiles, particularly for California residents who will gain access to the DELETE Act’s Delete Request and Opt-Out Platform by August 1, 2026. Individuals should prepare for DROP’s launch by documenting current digital footprints, considering designation of authorized agents to manage deletion requests, and gathering personal information needed for identity verification. Other states should urgently enact comprehensive privacy laws modeled on California’s framework with appropriate adaptations for state-specific conditions, moving toward uniform national baseline protections that would simplify compliance for brokers while providing consistent consumer rights regardless of state residence.
Federal action remains essential. Congress should enact comprehensive privacy legislation establishing national baseline protections, expanding FCRA applicability to cover all data brokers selling sensitive personal information, and creating meaningful enforcement mechanisms with resources matching the scale of the multibillion-dollar data broker industry. The Consumer Financial Protection Bureau’s proposed expansion of FCRA applicability represents important progress but must be accompanied by appropriately scaled enforcement resources and clear statutory authority eliminating broker evasion strategies.
The data broker industry itself must evolve toward greater transparency and accountability. Data brokers should voluntarily register in all states where they operate, comply fully with registration and deletion requirements, implement robust security protections, and establish meaningful accuracy verification procedures. The emerging enforcement actions and penalties demonstrate that regulatory bodies are increasingly serious about holding brokers accountable for misconduct, creating financial incentives for compliance that may ultimately prove more effective than moral or ethical arguments.
Ultimately, shrinking data broker profiles represents not merely a personal privacy concern but a fundamental democratic issue affecting surveillance, discrimination, national security, and the ability of individuals to maintain meaningful autonomy in an increasingly transparent society. The multifaceted approach to profile reduction outlined in this report provides practical guidance for individuals seeking to reclaim privacy while highlighting the urgent need for regulatory reform at state and federal levels to constrain an industry that has grown vastly more powerful than most individuals realize. The coming years will prove critical in determining whether regulatory frameworks can establish meaningful constraints on data brokers or whether the industry continues its explosive growth unchecked, progressively eroding the privacy foundations upon which democratic society depends.
