Opting Out of People-Search Sites - Cybersecurity Blog & Privacy Tips

Millions of Americans remain unaware that detailed profiles containing their most sensitive personal information are being compiled, bought, and sold by data brokers and people-search sites on a daily basis. These online platforms aggregate information from public records, social media platforms, and third-party data sources to create comprehensive dossiers on individuals, making it remarkably easy for anyone with sufficient financial resources to access extensive details about a complete stranger. The proliferation of people-search sites represents a significant privacy crisis that extends far beyond mere inconvenience, as the data exposed through these platforms creates direct pathways for identity theft, stalking, harassment, and various forms of targeted exploitation. This report provides an exhaustive analysis of the phenomenon of people-search sites, examines the mechanisms through which personal information is collected and disseminated, evaluates both manual and automated strategies for opting out, reviews the evolving regulatory environment surrounding data brokers, and ultimately offers comprehensive strategies for individuals seeking to protect their personal information while maintaining vigilance against identity exposure and breach-related risks.

Is Your Browsing Data Being Tracked?

Check if your email has been exposed to data collectors.

Understanding the People-Search Site Industry and Data Broker Ecosystem

People-search sites, also referred to as people finder websites, represent a specific category within the broader data broker industry that directly commodifies personal information on a massive scale. These platforms collect, organize, and sell information about individuals including names, addresses, phone numbers, email addresses, marital status, employment history, criminal records, family member details, and an extensive array of other personally identifiable information. The business model of people-search sites depends on the continuous acquisition and repackaging of data from numerous upstream sources, creating what amounts to a second-order market in personal information where data itself becomes a standardized product for commercial transaction.

The people-search industry exists within a vastly larger ecosystem of data brokers that collectively maintains profiles on hundreds of millions of Americans with virtually no comprehensive federal oversight. According to research from the Privacy Rights Clearinghouse and the Electronic Frontier Foundation, approximately 750 unique data broker groups currently operate across the United States, with registrations tracked across five state registries including California, Texas, Oregon, and Vermont. Major data brokers include massive corporations such as Experian, which maintains consumer data on over 300 million individuals and generates approximately $9.7 billion in annual revenue, Equifax with data on 220 million consumers and $5.1 billion in revenue, Epsilon serving 250 million consumers with $2.9 billion in revenue, and Acxiom tracking 260 million consumers with annual revenues of $2.7 billion. These largest brokers operate primarily on a business-to-business model, selling data exclusively to other corporations rather than making it directly accessible to the general public, yet their data feeds directly into the people-search sites that consumers encounter online.

The fundamental difference between major data brokers and people-search sites lies in their distribution model and consumer accessibility, yet the distinction becomes semantically blurred when considering the ultimate impact on personal privacy. While major brokers like Experian primarily serve marketing, credit, and verification purposes, they supply the underlying data that people-search sites repackage and make available to individual consumers willing to pay modest subscription fees. This means that a person’s complete financial profile, purchasing history, credit information, and behavioral patterns maintained by a major data broker may simultaneously appear in a people-search site where that information becomes accessible to potential employers, landlords, lenders, and indeed anyone motivated to purchase access. The interconnected nature of the data broker ecosystem ensures that removing information from a single people-search site provides only temporary relief, as the underlying data sources continue to regenerate profiles through perpetual data acquisition and circulation processes.

The Mechanisms and Sources of Personal Information Collection

Understanding how people-search sites and data brokers obtain personal information proves essential for developing effective long-term privacy protection strategies, as prevention at the source remains substantially more effective than remediation after data collection has already occurred. Data brokers employ multiple systematic pathways to acquire personal information, each representing different legal and practical challenges for individuals seeking to limit exposure. Direct collection occurs when individuals voluntarily provide information through online transactions and service agreements, though the fine print of terms of service often contains provisions granting companies explicit rights to collect, analyze, and share personal information with third parties, rendering most users’ consent insufficiently informed. Many people-search sites and brokers acquire data through agreements with commercial sources including retailers, catalog companies, financial services providers, and subscription services, creating scenarios where a purchase made at one company results in personal information flowing to data brokers and ultimately appearing on people-search sites.

Indirect collection represents perhaps the most pervasive and difficult-to-counteract pathway through which data brokers obtain personal information. Public records constitute a primary source of information for the entire people-search industry, including voter registration records, birth certificates, criminal records, bankruptcy filings, property deeds, marriage and divorce certificates, and court proceedings. Unlike private commercial data that theoretically could be restricted at the source, public records exist specifically to be accessible to the general public, creating a scenario where individuals have practically no mechanism to prevent data brokers from harvesting and republishing this information. Data brokers employ sophisticated web scraping technologies to automatically extract information from thousands of online sources including social media platforms, forums, blogs, and other public websites, harvesting data at scales that would be humanly impossible to accomplish through manual searching. Mobile applications and web cookies generate continuous streams of behavioral and location data that data brokers acquire through complex chains of third-party data providers, enabling the creation of detailed pictures of individuals’ daily movements, browsing habits, purchase patterns, and digital behavior.

The inference capability represents a particularly concerning data collection mechanism that extends far beyond information individuals actually share or explicitly provide. Data brokers employ sophisticated algorithms to analyze seemingly non-personal data and make statistical inferences about sensitive personal characteristics including health status, political beliefs, religious affiliation, sexual orientation, financial situation, and propensity to respond to various marketing appeals. A data broker might observe someone’s purchase history, browsing behavior, and social media activity and infer that the person suffers from a specific health condition, possesses particular political beliefs, or experiences financial distress—inferences that can then be packaged and sold to interested parties without the individual’s knowledge or consent. Government sources including postal service records and census data supplement the information that data brokers accumulate, enabling the creation of demographic profiles linked to physical locations and allowing data brokers to update address information as individuals move.

The continuous cycle of data collection, analysis, aggregation, and resale means that personal information existing in the possession of any single data source can propagate across the entire ecosystem exponentially. Once information enters the data broker ecosystem through any pathway—whether public records, commercial transactions, social media activity, or government sources—it becomes available for purchase and redistribution by other brokers who incorporate it into their own datasets and resell it in packaged form. This creates a scenario where individuals cannot realistically prevent all data collection short of completely eliminating their legal identity, financial participation, and digital presence, making opt-out and removal strategies essential for managing privacy exposure in the contemporary information landscape.

Privacy Risks and the Connection Between Data Brokers and Identity Exposure

The compilation and public availability of detailed personal information through people-search sites creates direct connections to multiple categories of privacy violations and security threats that extend significantly beyond abstract concerns about surveillance or marketing. With access to just an individual’s name and home address obtained from people-search sites, malicious actors can engage in numerous harmful activities ranging from identity theft to targeted phishing campaigns to physical stalking and harassment. Data brokers and people-search sites facilitate identity theft by providing criminals with consolidated personal information including Social Security numbers, address history, financial account information, employment details, and family member connections that would otherwise require extensive effort to assemble. Identity thieves can use this information to establish fraudulent accounts, obtain credit in someone else’s name, file false tax returns, or commit other forms of financial fraud with the victim often remaining unaware of the crimes committed in their name until significant damage has already occurred.

The risk of doxxing—the malicious public exposure of personal information intended to facilitate harassment, intimidation, or physical harm—has become substantially more feasible and damaging due to the existence of people-search sites that consolidate sensitive personal data. Doxxers can search a person-search site, obtain multiple forms of identifying information including current and former addresses, and then orchestrate campaigns of harassment involving swatting (reporting false emergencies to dispatch armed police to someone’s home), mail fraud, physical intimidation, or violent attack. Vulnerable populations including domestic violence survivors, abortion seekers, undocumented immigrants, political activists, and government employees face particular risks when their personal information remains readily accessible through people-search sites, as bad actors can use this information to locate and target individuals for harm. Research indicates that women experience higher rates of online violence and doxxing, with 45% of young women having experienced online harassment and violence, much of which is facilitated by the ease with which personal information can be accessed through data brokers and people-search sites.

Stalking has become substantially more feasible in the digital era due to the combination of people-search sites providing current and historical addresses with real-time location tracking capabilities emerging from smartphone apps, social media check-ins, and location data sold by data brokers. An individual concerned about stalking faces a uniquely challenging situation where their address becomes easily discoverable to potential perpetrators through public people-search sites, creating ongoing security vulnerabilities that persist regardless of law enforcement interventions or personal safety measures. The availability of personal information also enables targeted scams and phishing attacks where criminals use knowledge of a person’s address, phone number, employment history, family relationships, and financial status to craft convincing deceptive messages designed to manipulate victims into revealing additional sensitive information or transferring funds.

Government surveillance has been augmented substantially through the proliferation of data brokers and people-search sites, as law enforcement agencies can purchase detailed personal information about citizens without obtaining search warrants or demonstrating legal justification for accessing sensitive data. Foreign governments including those of China and Russia have been reported as purchasing detailed personal information about military service members, government employees, and other Americans to build surveillance dossiers for espionage, blackmail, and intelligence operations. This represents a fundamental national security threat where adversary nations can purchase detailed information about American military and government personnel for small financial investments, enabling the creation of comprehensive espionage operations that were previously substantially more resource-intensive to construct.

Manual Opt-Out Processes: The DIY Approach to Removing Personal Information

For individuals determined to retain full control over the opt-out process and understand exactly which data brokers hold their information, manually opting out from people-search sites and data brokers remains a viable though extremely time-consuming approach. The foundational step in any manual opt-out strategy involves identifying which people-search sites and data brokers actually possess personal information about the individual, a process that itself requires substantial effort given the existence of hundreds of data brokers operating with varying degrees of visibility. Beginning with a search of one’s own name in a standard search engine provides preliminary identification of the most prominent people-search sites displaying personal information publicly, as these high-traffic sites typically rank prominently in search results. However, search engines only capture a fraction of data brokers maintaining personal information, particularly those that operate behind registration walls or restricted databases that do not allow direct public indexing.

Comprehensive identification of data brokers requires consulting specialized resources including the Privacy Rights Clearinghouse’s unified database of 750 registered data brokers across multiple state registries, journalist Yael Grauer’s “Big Ass Data Broker Opt-Out List” maintained on GitHub, and various other curated listings that attempt to catalog the fragmented landscape of people-search sites and brokers. Many free opt-out guides provide step-by-step instructions for specific prominent people-search sites including BeenVerified, Whitepages, Spokeo, TruthFinder, Intelius, FastPeopleSearch, PeopleFinders, and others. The opt-out process varies considerably from one site to another, with some requiring simple form submissions while others demand multiple verification steps, driver’s license copies, or phone calls to complete the removal request.

Once an individual has identified specific people-search sites containing their information, the manual opt-out process typically requires searching for privacy or opt-out links on the website, often located in the footer or within the privacy policy section. Consumer Reports research has documented that many data brokers deliberately obfuscate their opt-out processes, with 35 data brokers analyzed in one investigation having injected code into their websites specifically designed to hide opt-out pages from search engine discovery. After locating the opt-out mechanism, individuals typically must provide personal identifying information to verify that the person submitting the removal request actually has authority to request removal of the specified person’s data. This creates a paradoxical situation where exercising privacy rights requires voluntarily sharing the very personal information one seeks to remove, exposing consumers to new privacy risks by transmitting sensitive data to data brokers that may not implement adequate security protections.

The evidence from research examining manual opt-out effectiveness reveals that many individuals who successfully navigate the opt-out process experience removal of their information within a week to several weeks, though compliance varies considerably among different data brokers. A Consumer Reports analysis comparing manual opt-out approaches with automated removal services found that manual opt-outs achieved 70% removal within the first week, substantially faster than the 0% to 59% removal rates achieved by automated services in their first week of operation. However, this speed advantage must be weighed against the extraordinary time investment required to contact dozens or hundreds of data brokers individually, track progress, submit verification documents, and follow up when removal requests fail to achieve desired results.

Creating a detailed tracking system proves essential for anyone undertaking manual opt-outs, as the process spans multiple weeks and individuals will inevitably forget which brokers they have contacted, when requests were submitted, and whether removal was actually achieved. Consumer Reports recommends creating a comprehensive document tracking the name of each data broker, the date the opt-out request was submitted, the method of submission, any confirmation number provided, and the projected date by which the broker should respond with confirmation of removal. Individuals should plan to set aside substantial uninterrupted time for this process, as navigating through multiple broker websites, entering personal information repeatedly, solving CAPTCHAs, and following unique submission procedures for each individual broker creates a task that realistically requires multiple hours to complete comprehensively.

Automated Data Removal Services: Evaluating Commercial Solutions

Recognizing the impracticality of manual opt-outs for most individuals, numerous commercial data removal services have emerged offering to automate the process of identifying, contacting, and tracking removal requests across the fragmented landscape of data brokers and people-search sites. These services employ automated systems to contact data brokers on an individual’s behalf, often submitting removal requests simultaneously across dozens or hundreds of brokers rather than requiring individuals to perform this labor manually. The major data removal services competing in this market include DeleteMe, Optery, Incogni, Aura, Kanary, and others, each employing somewhat different approaches to broker coverage, automation levels, pricing structures, and reporting mechanisms.

DeleteMe positions itself as the most comprehensive option for international data removal, claiming removal coverage from over 750 data broker sites operating across multiple countries including Australia, Canada, the United Kingdom, and additional jurisdictions. The service operates on a subscription basis billed annually, with pricing starting at approximately $10.75 per month when paid yearly. DeleteMe combines automated removal requests with human review for complex cases and custom removal requests, generating detailed quarterly reports documenting removal progress and status. However, research examining DeleteMe’s stated coverage reveals that while the service claims 750+ data brokers, the actual number of fully automated confirmed removals is substantially smaller at approximately 181, with the remainder representing custom removal requests that require additional manual intervention. DeleteMe employs a hybrid model combining automated standard requests with manual labor for non-standard cases, resulting in removal processes that can take longer than fully automated alternatives but potentially achieving more thorough results through human expert review.

Optery differentiates itself by emphasizing affordability and automation, with entry-level pricing starting at just $3.25 monthly when billed annually. The service offers multiple pricing tiers including a free plan that provides reports without removal requests, a basic plan covering 80+ data brokers with monthly removals, a mid-tier plan targeting 180+ brokers, and a premium plan covering 665+ sites with unlimited custom removal requests. Optery’s approach emphasizes transparency and user control, providing monthly reports with actual screenshots showing where personal information appears online before and after removal attempts. This detailed visual documentation allows users to verify that removal requests are actually being processed and achieving results, addressing concerns about service efficacy that arise when companies simply claim to be submitting removal requests without providing evidence of actual impact. However, Optery’s more affordable entry-level tier covers substantially fewer brokers than the premium option, requiring users to upgrade to premium pricing to achieve comprehensive coverage.

Incogni, owned by VPN service provider Surfshark, employs an automated approach that submits removal requests to 420+ data brokers while offering unlimited custom removal requests for an additional premium tier. Incogni distinguishes itself through independent third-party audit and validation conducted by Deloitte, which confirmed in August 2025 that the service provides removal coverage for 420+ data brokers, sends recurring removals every 60-90 days, and does not sell customer personal data. This independent assurance provides greater confidence in Incogni’s claims compared to competitors that make unverified assertions about their removal capabilities. Incogni’s basic plan costs $7.99 monthly when billed annually, with a premium unlimited tier available for users requiring custom removals from brokers beyond the standard 420+ covered list. The service emphasizes hands-off operation where users simply provide their personal information once and allow Incogni’s systems to handle all subsequent removals and re-submissions automatically, creating an attractive option for individuals unwilling to invest substantial personal time in data removal efforts.

Aura takes a broader approach to identity protection by combining data removal from 140+ brokers with identity theft monitoring, antivirus protection, VPN services, and additional cybersecurity features. The service costs $7.00 monthly when billed annually, representing competitive pricing for the comprehensive bundle of services included. This approach addresses the broader category of identity exposure risk by combining data removal with active monitoring for signs of identity theft or unauthorized account access, recognizing that preventing personal information from appearing in people-search sites represents only one component of comprehensive identity protection.

Research comparing multiple removal services finds that while coverage numbers vary substantially, most major services achieve approximately 70-80% removal of profiles found during initial scanning within the first two weeks of operation. The services differ significantly in their approach to ongoing maintenance, with some offering recurring removals every 45-90 days to combat the problem of data reappearing after removal, while others require consumers to manually resubmit requests or upgrade to higher tiers to access recurring removal functionality.

A critical limitation affecting all data removal services involves their inability to remove information that originates from public records or government sources. Since people-search sites draw heavily from public voter registration records, court documents, property deeds, and other government-maintained records, and these public records remain accessible to the brokers regardless of removal requests, personal information will inevitably reappear as brokers reacquire data from these upstream government sources. This means that data removal services provide ongoing temporary suppression of publicly indexed information rather than permanent deletion from the underlying data sources, requiring continuous re-submission of removal requests as information naturally regenerates through brokers’ data acquisition cycles.

The California Delete Act and Emerging Regulatory Framework

For California residents, the landscape of data broker regulation has shifted substantially with the passage of Senate Bill 362, commonly known as the California Delete Act, which was signed into law in October 2023 and represents the first comprehensive state law specifically regulating data brokers by providing a unified mechanism for consumer deletion requests. The Delete Act requires data brokers to register annually with the California Privacy Protection Agency beginning in 2024, with registration requiring submission of detailed information about data collection practices, opt-out policies, and security measures. More significantly for consumers, the law mandates that beginning August 1, 2026, all registered data brokers must process consumer deletion requests through California’s Delete Request and Opt-out Platform, abbreviated as “DROP,” which will provide a centralized mechanism for submitting deletion requests simultaneously to all registered brokers.

The functioning of the DROP system represents a transformative change in how consumers exercise deletion rights, as historically individuals have been required to contact each data broker separately to request removal of their information, a process as described above that consumes dozens to hundreds of hours for comprehensive coverage. Through the DROP system commencing August 1, 2026, California consumers will theoretically be able to submit a single verifiable deletion request that automatically transmits to every registered data broker, with brokers required to process deletion requests at least every 45 days. The system will accept deletion requests based on consumer identifiers including date of birth, email address, phone number, and combinations thereof, allowing brokers to match submitted identifiers against their databases and delete all personal information associated with matched identifiers.

While the California Delete Act represents significant progress in providing standardized deletion mechanisms, the law contains important limitations and exemptions that reduce its effectiveness. Notably, the law exempts certain types of information from deletion requirements including information lawfully made available from government records, which constitutes a substantial portion of the information people-search sites distribute. This means that even after submitting deletion requests through the DROP system, individuals will likely discover that information continues to appear on people-search sites sourced directly from public records that remain exempt from deletion requirements. Additionally, data brokers that do not register with the California Privacy Protection Agency remain outside the scope of the DROP system’s requirements, potentially creating loopholes where brokers deliberately avoid registration to escape deletion obligations.

The California Consumer Privacy Act (CCPA) and subsequent California Privacy Rights Act (CPRA) amendments provide additional consumer protections beyond those specifically targeting data brokers, granting California residents rights to access, delete, and opt-out of the sale of personal information held by businesses more broadly. However, research examining data broker compliance with CCPA deletion requests reveals substantial noncompliance, with a UC Irvine study finding that 43% of data brokers failed to respond to verifiable consumer requests to access or delete personal information, apparently violating the law. Among those brokers that did respond, many requested highly sensitive personal information such as full names, addresses, and Social Security numbers as part of the identity verification process, creating paradoxical situations where consumers must expose sensitive information to exercise privacy rights.

Vermont and Texas have enacted data broker registration requirements similar to California’s earlier legislation, requiring brokers to register and disclose opt-out procedures, though neither state has yet implemented a unified deletion mechanism equivalent to California’s DROP system. The lack of comprehensive federal regulation means that data brokers operating nationally face a patchwork of state requirements, creating compliance challenges and opportunities for regulatory arbitrage where brokers may comply with only certain state requirements while ignoring others. Research from the Electronic Frontier Foundation and Privacy Rights Clearinghouse found that hundreds of data brokers failed to register in all applicable states despite registration requirements, with 291 companies failing to register in California despite doing so in other states, suggesting widespread noncompliance with existing state registration laws.

Challenges, Limitations, and the Problem of Reappearing Data

One of the most frustrating aspects of opting out of people-search sites involves the phenomenon of personal information reappearing weeks or months after successful removal, requiring individuals to submit repeat removal requests to the same brokers. This repetitive cycle occurs because people-search sites and data brokers continuously reacquire personal information from upstream sources including public records, commercial data sources, and other brokers, meaning that even after removal from a broker’s indexed information, new incoming records from these external feeds cause the same information to reappear. Data brokers often display disclaimers acknowledging in advance that they may accidentally (or more likely deliberately) overwrite opt-out records, causing previously suppressed personal information to resurface where the individual must once again submit deletion requests to achieve removal.

The Consumer Reports study examining data removal services found that even after removal was achieved, information frequently reappeared within the four-month observation period, particularly for individuals with common names where multiple database records might exist under the same identifier. This means that individuals cannot treat data removal as a one-time task but rather must engage in ongoing management, periodically checking whether their information has reappeared on people-search sites and resubmitting removal requests when necessary. This reality has driven the business model of subscription-based data removal services that offer recurring removal submissions every 30-90 days, recognizing that permanent removal through one-time requests is largely impossible given the perpetual recirculation of data through the broker ecosystem.

The distinction between data deletion and data suppression represents another critical limitation affecting removal outcomes. Some brokers offer true deletion of personal information from their databases, while others merely suppress the indexed display of that information for a limited time period, maintaining the underlying data in their systems while simply not making it publicly searchable. Consumers often cannot determine from broker disclosures whether removal requests result in actual deletion or merely temporary suppression, creating uncertainty about whether personal information truly has been removed or simply hidden from view. Additionally, compliance with removal requests varies substantially among different brokers, with some appearing to honor opt-out requests more reliably than others, and some historically ignoring removal requests or reappearing data despite claims of suppression.

Research examining compliance with removal request indicates that smaller and less-scrupulous data brokers frequently ignore removal requests or implement only partial removals that delete some but not all personal information associated with an individual. In some cases, data brokers have been documented as continuing to display personal information even after an individual requested removal and received confirmation that the removal had been processed, suggesting deliberate noncompliance or technical failures in implementation. The lack of centralized enforcement and the reality that individuals have limited ability to verify compliance create scenarios where some individuals invest substantial time or money in removal efforts but experience inadequate results.

Proactive Information Monitoring and Breach Preparedness

Given the complexity and limitations of removal strategies, effective personal privacy protection requires not only opting out of existing data brokers but also implementing ongoing monitoring systems that detect when personal information has been exposed through data breaches, reappears on people-search sites, or becomes vulnerable to exposure through new data brokers and platforms. Proactive monitoring represents a critical complement to removal strategies, as the threat landscape extends beyond information currently indexed on known people-search sites to include the continuous emergence of new brokers, new data breaches, and new mechanisms through which personal information becomes accessible to bad actors.

Google’s “Results About You” tool provides one free mechanism for ongoing monitoring, allowing individuals to search for mentions of their personal information across Google search results and request removal of pages containing specific types of personally identifiable information including addresses, phone numbers, email addresses, social security numbers, financial account numbers, and other sensitive data. By periodically using this tool to scan search results for personal information, individuals can identify when new pages containing their data appear online and request removal from Google search results specifically. However, removal from Google search results only prevents the information from appearing in Google searches; the underlying information remains on the source websites and may remain discoverable through other search engines or direct access.

Dark web monitoring services included with many identity protection packages scan underground forums, marketplaces, and data repositories where cybercriminals typically trade stolen personal information and breached data, alerting individuals when their personal information appears to have been exposed through security breaches or leaked through compromised databases. Services such as IDX Privacy, Aura, and LifeLock include dark web monitoring alongside other identity protection features, providing alerts when personal information associated with an individual’s name, email, or other identifiers appears in dark web repositories where cybercriminals trade stolen data. This proactive detection allows individuals to take remedial action quickly if their information is compromised, potentially enabling faster mitigation of identity theft or fraud before criminals have opportunities to exploit the information.

Continuous scanning of people-search sites themselves represents another critical monitoring approach, where individuals or automated services periodically search known people-search sites for the individual’s information to identify when data has reappeared after previous removal, triggering re-submission of removal requests. Many data removal services emphasize this recurring scanning and resubmission capability, recognizing that the problem of reappearing data requires ongoing active management rather than one-time removal efforts. Individuals undertaking manual monitoring can use services like Spokeo, BeenVerified, and others to periodically search for their own information, though this approach requires significant ongoing effort and may not achieve comprehensive coverage of all brokers maintaining personal information.

Broader Personal Information Protection Strategies

Effective protection against the risks created by data brokers and people-search sites extends beyond opt-outs to encompass comprehensive personal information protection strategies that limit exposure at the source and implement defensive measures against identity theft, fraud, and other malicious uses of personal information. These strategies operate across multiple levels including limiting voluntary sharing of personal information, protecting personal information already held by private companies, monitoring for signs of breach or misuse, and maintaining strict identity verification protections on financial accounts.

Minimizing the voluntary sharing of personal information through social media and online transactions reduces the amount of data available for brokers to harvest and redistribute. Users should regularly audit privacy settings on social media platforms including Facebook, Instagram, and others to limit visibility of personal information to trusted connections rather than the general public. This practice makes it substantially more difficult for web scraping tools employed by data brokers to automatically harvest personal information from social media profiles, reducing the data brokers can acquire through this pathway. Avoiding unnecessary signup for online services and loyalty programs that require personal information reduces the number of commercial entities maintaining personal data that can be sold to brokers.

Using temporary email addresses, virtual phone numbers, and other masked identifiers for non-essential online transactions prevents data brokers from linking diverse online activities and purchases to a single consolidated identity. Services offering email masking, phone masking, and payment card masking allow individuals to interact with online services while preventing those services from capturing personally identifying information that could be shared with data brokers. This approach particularly benefits situations where individuals must interact with commercial services but wish to limit the amount of personal data collected and subsequently sold to brokers.

Protecting personal information through strong password practices and multi-factor authentication becomes critical once an individual recognizes that their personal information is likely already present on people-search sites and accessible to potential identity thieves. If an attacker possesses basic personal information including name, address, and possibly date of birth obtained from a people-search site, that information could be used in account takeover attempts where the attacker gains access to email, social media, or financial accounts by circumventing security questions or password reset processes. Implementing strong unique passwords on all accounts and enabling two-factor authentication provides substantial protection against account compromise even when attackers possess basic personal information.

Removing information from public records where possible provides one mechanism for reducing the upstream sources from which data brokers acquire information. While individuals cannot remove information from many public records including court documents and property deeds, some jurisdictions allow redaction of phone numbers, Social Security numbers, addresses, and other sensitive information from public records through specific petition processes. Contacting the Clerk of Courts and state Attorney General offices to request that sensitive information be redacted from public records can eliminate some data sources that brokers rely upon to populate people-search sites.

Recent Enforcement Actions and Regulatory Developments

The regulatory environment surrounding data brokers has intensified substantially in recent years, with the Federal Trade Commission, Consumer Financial Protection Bureau, state attorneys general, and academic researchers all increasing scrutiny of data broker practices and compliance with existing privacy laws. The FTC finalized settlements with data brokers including Mobilewalla, Inc. in January 2025 after the company collected over 500 million unique consumer identifiers with precise location data that were not anonymized, allegedly making identifying individuals and tracking their movements possible. Mobilewalla analyzed and created audience segments targeting consumers based on their movements and sold this data to third parties including advertisers and other brokers, prompting FTC enforcement action resulting in the company ceasing to sell location data for advertising purposes.

Similarly, the FTC finalized an order against Avast Limited in June 2024 after the company falsely claimed that its software products blocked tracking cookies while secretly collecting and selling consumer browsing data in identifiable format without notice or consent. These enforcement actions demonstrate the FTC’s willingness to pursue data brokers for unfair or deceptive practices, though the enforcement activity remains limited relative to the size of the data broker industry and the scope of potentially problematic practices.

The Consumer Financial Protection Bureau proposed an ambitious rule in December 2024 titled “Protecting Americans from Harmful Data Broker Practices” that would redefine key terms in the Fair Credit Reporting Act to explicitly classify data brokers selling sensitive consumer information as consumer reporting agencies subject to FCRA requirements including accuracy standards, consumer access rights, and safeguards against misuse. The proposal specifically targeted the sale of personal identifiers and financial information to scammers, stalkers, and spies, recognizing that unrestricted data broker activities directly facilitate identity theft, fraud, and national security threats. However, in May 2025, the CFPB withdrew this proposed rule citing concerns from commenters regarding statutory authority and alignment with FCRA provisions, effectively halting the federal regulatory initiative to restrict data broker practices through FCRA reclassification.

Academic research examining data broker compliance with existing privacy laws has documented widespread violations and problematic practices. UC Irvine researchers conducting a seven-month analysis of data brokers registered under the CCPA found that 43% of brokers failed to respond to verifiable consumer requests for data access or deletion, apparently violating legal requirements. Of the brokers that did respond, many requested excessive personal information as part of identity verification, requiring consumers to expose sensitive data to exercise privacy rights. This research demonstrates that even where legal deletion rights exist, enforcement remains inadequate to ensure meaningful compliance, suggesting that future protection of privacy may depend more on technological solutions and market-based mechanisms than on law enforcement of existing statutes.

Your Path to Lasting Digital Privacy

Individuals concerned about privacy exposure through people-search sites and data brokers face complex choices about how to allocate their time and financial resources to achieve meaningful privacy protection. Based on the evidence presented throughout this report, the most effective approach for most individuals involves combining multiple strategies rather than relying on any single mechanism. For those with limited time and financial resources, subscription-based automated data removal services represent the most practical option despite their imperfections and limitations. Services like Incogni, DeleteMe, or Optery can achieve removal of personal information from 50-70% of major brokers within the first few weeks, and maintain ongoing removal efforts through recurring submission cycles that prevent information from accumulating excessively even as new data reappears through upstream sources.

For individuals willing and able to invest substantial personal time, a hybrid approach combining automated services for the most prominent brokers with targeted manual opt-out requests for problematic brokers offers potential advantages. This approach allows leveraging the efficiency of automated services to handle bulk removal requests across hundreds of brokers while reserving manual effort for the subset of brokers that prove most difficult or non-responsive to automated requests, potentially achieving more thorough results than either approach alone.

All individuals should implement ongoing monitoring systems including periodic searches of their names on major people-search sites, use of Google’s Results About You tool to identify new appearances of personal information in search results, and enrollment in dark web monitoring services to detect if personal information has been compromised through data breaches. This ongoing vigilance allows detection of new exposure as it occurs and enables relatively rapid response through targeted removal requests or fraud monitoring before bad actors have opportunities to exploit newly exposed information.

As of August 1, 2026, California residents will gain access to the Delete Request and Opt-out Platform (DROP) provided through the California Privacy Protection Agency, which will substantially simplify the opt-out process by allowing simultaneous submission of deletion requests to all registered brokers. Residents of other states should monitor their state regulatory landscape, as Texas, Oregon, Vermont, and other states have enacted or may enact similar mechanisms that will eventually provide residents with similar centralized deletion options.

The fundamental reality remains that despite all efforts to remove information from data brokers and people-search sites, individuals will likely discover that their personal information remains accessible through various pathways and continues to accumulate through new data collection mechanisms. The most realistic long-term strategy therefore involves accepting that complete data deletion is likely impossible and focusing instead on damage mitigation through continuous monitoring, rapid response to new exposures, and implementation of defensive security measures including strong passwords, multi-factor authentication, and identity theft monitoring that limit the harm that results even when personal information is accessible to bad actors. As the data broker industry continues to evolve and regulatory frameworks gradually expand to provide enhanced consumer protections, the landscape of personal information privacy will continue to shift, requiring ongoing individual vigilance and adaptation to emerging threats and new protective technologies.