The digital age has fundamentally transformed how personal information flows through society, creating a complex ecosystem where government-maintained public records and private data brokerage operations intersect in ways that present both opportunities and significant privacy challenges. While public records and data brokers both involve the collection and dissemination of personal information, they operate under fundamentally different legal frameworks, with distinct purposes, accessibility mechanisms, and regulatory oversight structures. This distinction becomes increasingly critical as individuals seek to understand where their personal information resides, who can access it, and how it may be used against them. The emergence of sophisticated data brokerage practices that aggregate public records alongside commercial and online-derived data has created an unprecedented information infrastructure that raises profound questions about the balance between transparency, privacy, and democratic accountability.
Fundamental Definitions and Conceptual Distinctions
Defining Public Records
Public records represent a cornerstone of democratic governance and civic transparency, serving as official documents and information maintained by government agencies that are legally required to be accessible to the general public upon request. These records encompass a remarkably broad range of government-generated materials, including legislative proceedings, administrative decisions, official policies, government reports, financial documents, and judicial records. At the federal level in the United States, the Freedom of Information Act (FOIA), established in 1967, provides the framework through which citizens and entities can request access to federal agency records. Additionally, each state has enacted its own comparable laws governing state and local government records, which carry various names including Open Records Acts, Sunshine Laws, Access to Public Records Acts, and state-specific designations like California’s Public Records Act.
Within the category of public records, vital records hold special significance, providing essential legal and personal documentation through birth certificates, death certificates, marriage licenses, and divorce decrees. Property records constitute another critical category, encompassing real estate transactions, ownership deeds, land surveys, lien records, and tax assessments that document the transfer and ownership of real property. Law enforcement maintains extensive records including incident reports, arrest records, criminal investigations, public safety alerts, and police logs that are typically accessible to the public, though with certain sensitive information sometimes redacted. Additionally, government records include corporate filings containing information about businesses and corporations such as articles of incorporation, annual reports, and business registrations. The digitization of these records has dramatically expanded their accessibility, transforming what were once accessible only through in-person visits to government offices into searchable online databases.
Defining Data Brokers
Data brokers represent a distinct category of private enterprises whose primary business model centers on the collection, aggregation, analysis, and resale of personal information about individuals. The Federal Trade Commission has defined data brokers as “companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers for various purposes, including verifying an individual’s identity, differentiating records, marketing products, and preventing financial fraud”. Critically, data brokers do not typically interact directly with the individuals whose information they collect and sell; instead, they operate as intermediaries acquiring data from other entities through a business-to-business model.
The data brokerage industry has grown into an enormous commercial enterprise estimated to be worth approximately $200 billion annually, with between 3,000 and 4,000 data brokering companies operating globally. Major data brokers include companies such as Experian, Equifax, Acxiom, Epsilon, CoreLogic, TransUnion, and LexisNexis. The industry comprises two distinct categories: public data brokers, also known as people-search sites, which maintain openly accessible directories searchable by the general public, and non-public data brokers, which operate under a strictly business-to-business model with restricted access available only to authorized organizations. Examples of public data brokers include Whitepages, BeenVerified, Truthfinder, FastPeopleSearch, and Spokeo, while non-public brokers like TransUnion, Acxiom, and Epsilon serve specific industries with regulated access.
Data Sources and Collection Methodologies
Where Public Records Originate
Public records originate from the legitimate governmental functions of agencies at federal, state, and local levels. Birth certificates and death records emerge from vital statistics offices that document the fundamental demographic events in citizens’ lives. Court systems generate extensive records through their adjudication processes, including case filings, judgments, and proceedings, which become part of the public record except in limited circumstances involving sealed or confidential matters. Property records are created and maintained by county assessors, recorders, and tax assessors as part of the property tax and real estate transfer systems. Law enforcement agencies create records through their investigative and enforcement activities, generating arrest records, criminal convictions, and incident reports. The United States Census Bureau produces demographic data about population characteristics, which is compiled into public records accessible in aggregated form. Professional licensing boards maintain records documenting licensed professionals in fields such as medicine, law, and architecture. Voter registration systems, operated by state election officials, create records of registered voters that are often accessible as public records.
The deliberate maintenance of public records by government agencies serves multiple critical societal functions. These records enable transparency and governmental accountability by allowing citizens to monitor the actions and decisions of their elected officials and government agencies. Public records support the functioning of the legal system by providing documented evidence of transactions, decisions, and events. They facilitate business and economic activity by providing verifiable information about property ownership, professional credentials, and legal status. Researchers rely extensively on public records to conduct studies on topics ranging from public health to environmental quality to criminal justice. The systems of real property ownership and real estate transactions fundamentally depend on public records to establish and verify property title and ownership.
Data Collection Methods Employed by Data Brokers
Data brokers employ a remarkably diverse and multifaceted array of collection methods to accumulate vast quantities of personal information on individuals. The primary methodologies include direct collection, indirect collection, inference, government sources, and commercial sources. Direct collection occurs when data brokers collect information directly from individuals through online agreements, terms of service, and other consent mechanisms, though such consent is frequently buried in fine print and often provided unknowingly by users. Web scraping represents another direct collection methodology, involving specialized software that automatically extracts data from websites across the internet. Indirect collection encompasses the acquisition of information from sources with which the data broker has no direct relationship, including the scraping and purchase of data from public records, commercial databases, and other data brokers.
Online tracking mechanisms enable data brokers to monitor and record individuals’ digital activities with sophisticated precision. Social media profiles provide readily accessible information about users’ interests, connections, and activities. Web browsing history, collected through cookies, plugins, and tracking pixels embedded on websites, reveals the specific online activities and interests of users. Mobile applications frequently incorporate software development kits (SDKs) that collect location data, device information, and behavioral patterns. Purchase history and loyalty card data provide transaction-level information about what individuals buy, when they buy it, and how much they spend. Commercial sources including retailers, catalog companies, financial services, and other data brokers provide purchase information, warranty registrations, credit information, employment registration, and membership data.
Critically, data brokers employ algorithmic inference to predict and derive additional information about individuals that those individuals have never directly provided. This inference capability allows data brokers to create assumptions about health status based on product purchases, infer political affiliation from browsing behavior, or estimate income based on spending patterns. Location data tracking represents one of the most invasive collection methodologies, with data brokers obtaining geolocation information from smartphone applications, GPS devices, and mobile carrier networks that enables precise tracking of individuals’ movements and frequented locations. The aggregation of these data streams from multiple sources allows data brokers to construct extraordinarily detailed consumer profiles that span nearly every aspect of an individual’s life.
Legal and Regulatory Frameworks
Public Records Legislation and Access Rights
The legal framework governing public records in the United States operates on multiple levels, with the federal Freedom of Information Act providing baseline protections for access to federal agency records while individual states maintain their own distinct public records laws. The FOIA, enacted in 1966 and effective in 1967, established the principle that Americans have a fundamental right to access federal agency records, subject only to nine enumerated exemptions protecting matters such as national security, deliberative process, attorney-client privilege, and confidential business information. This statute operationalized the democratic principle that an informed citizenry requires access to information about government activities and operations. Upon receiving a FOIA request, federal agencies typically have twenty days to determine whether to grant the request, with limited extensions available under specified circumstances.
State laws governing public records vary significantly across jurisdictions in their procedural requirements, timelines, exemptions, and accessibility mechanisms. Some states permit any individual to request records, while others restrict requests to state residents. Response timeframes vary dramatically, ranging from as little as three days under Colorado’s Open Records Act to thirty days under Maryland’s Public Information Act. State laws also differ substantially in their specific exemptions from mandatory disclosure and in the fees that agencies may charge for responding to requests. These variations in state law create a fragmented landscape where the accessibility and availability of public records depends heavily on state-specific statutory frameworks.
Public records laws explicitly recognize certain categories of individuals who may merit heightened privacy protections despite the general principle of public accessibility. For example, California’s “Safe at Home” address confidentiality program provides victims of stalking, domestic violence, and sexual assault with the ability to request their information be removed from people search sites that compile public records. Similarly, public safety and elected officials in some jurisdictions receive protection from having certain personal information published online by data brokers derived from public records. Despite these protections, the general legal principle remains that information legitimately compiled in official government records is accessible to the public unless specifically exempted by statute.
Data Broker Regulation: Federal Framework
The United States federal regulatory framework governing data brokers remains fragmented and incomplete, with no comprehensive federal statute explicitly regulating the data brokerage industry as such. However, multiple federal laws address aspects of data broker activities through indirect regulation of the industries and individuals affected by data brokerage. The Fair Credit Reporting Act (FCRA), enacted in 1970 and still the primary federal statute regulating certain data broker activities, provides important protections for consumers whose information is compiled for certain purposes but applies only to specific categories of data and use cases. Despite claims by some commentators that data brokers operate in an unregulated environment, the FCRA has effectively regulated the collection and licensing of data used for broadly defined “consumer reports” for more than fifty years. The FCRA’s definition of “consumer report” encompasses information prepared for specific purposes including credit decisions, employment determinations, insurance underwriting, and other specified uses.
Recently enacted federal legislation has targeted specific dimensions of data brokerage activity. The Protecting Americans’ Data From Foreign Adversaries Act (PADFA), passed in 2024 and effective as of June 23, 2024, explicitly prohibits data brokers from licensing personally identifiable sensitive data to foreign adversaries, defined to include China, Iran, North Korea, and Russia. Under PADFA, the FTC possesses enforcement authority to seek civil penalties of up to $50,120 when a data broker commits a violation. The Final Rules on Preventing Access to U.S. Sensitive Personal Data by Countries of Concern, published on December 27, 2024, prohibit or restrict U.S. persons and companies from engaging in covered data transactions that permit countries of concern or covered persons to access government-related or bulk sensitive personal data.
The Consumer Financial Protection Bureau (CFPB) has recently issued a proposed rule to significantly expand FCRA obligations for data brokers. If finalized, this proposed rule would cast a much wider net regarding which entities qualify as consumer reporting agencies and would subject substantially more data brokers to FCRA compliance requirements. The proposed rule would prohibit data brokers from selling consumer information containing credit history, credit scores, and debt payment information to any person lacking an FCRA permissible purpose, fundamentally restricting the secondary market for data broker products.
Data Broker Regulation: State Framework
At the state level, only four states have enacted data broker laws that directly target data brokerage activities: California, Oregon, Texas, and Vermont. Vermont pioneered data broker regulation with the nation’s first data broker legislation in 2018, requiring data brokers to register annually with the Secretary of State and provide information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches. California followed in 2019 with the California Delete Act, which required data brokers to register with the California Attorney General and provide information about how consumers may exercise their privacy rights. Oregon enacted a data broker registration law in 2023 that took effect on January 1, 2024, requiring data brokers to register annually with the Department of Consumer and Business Services. Texas passed its Data Broker Act in 2023, which took effect on September 1, 2023, with narrower scope than most other state laws in that it only applies to businesses that derive more than fifty percent of revenue from data brokerage or derive revenue from processing data of more than fifty thousand individuals.
These state laws establish registration requirements that mandate data brokers to register their name and contact information, disclose their practices to competent authorities, and pay required fees. Each state’s requirements contain nuanced distinctions reflecting different policy choices. California requires data brokers to provide a link to their website explaining how consumers may exercise privacy rights and to disclose whether they or their subsidiaries are regulated by specific laws such as the FCRA. Oregon requires data brokers that provide consumers the option to opt out to disclose information about which activities this opt-out function applies to. Texas and Vermont require data brokers to provide statements about whether they implement a purchaser credentialing process, report the number of security breaches experienced in the prior year, and provide information about their data collection and sales practices applicable to minors.
Additionally, states have enacted broader consumer privacy laws that apply to data brokers alongside other businesses. California’s California Consumer Privacy Act (CCPA) and its successor California Privacy Rights Act (CPRA) establish comprehensive privacy protections for California residents, including specific provisions addressing data brokers. Under the CCPA, a data broker is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship”. The CCPA exempts certain businesses regulated under the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act from the definition of data brokers. Similar consumer privacy laws have been enacted in Colorado, Connecticut, Nevada, and Virginia, each establishing their own frameworks for regulating data brokers and protecting consumer privacy.
International Regulatory Approaches
The regulatory approach to data brokers in the European Union presents a stark contrast to the fragmented U.S. framework, reflecting fundamentally different philosophical commitments regarding privacy as a human right. EU legislation comprehensively covers all private sector processing of personal data through the General Data Protection Regulation (GDPR), establishing that consumers have the right to access, correct, and object to the processing of their personal data. GDPR prohibits the processing of sensitive information unless an individual explicitly opts in to such processing, or the processing is allowed under specific cases listed in the regulation. This represents a profound distinction from the U.S. approach where data brokers may collect and sell personal information unless specifically restricted by law, placing the burden on individuals to opt out.
The EU framework imposes ex ante control on data controllers, requiring that when collecting data, the controller must inform the consumer of the controller’s identity and the reasons why the data are processed. Additionally, data minimization principles forbid the acquisition of more data than necessary, which helps protect consumer data from the risk of breach. Ex post control mechanisms allow consumers the ability to access, monitor, and correct personal data post-processing and to challenge data processing through rights including erasure (the “right to be forgotten”), data portability, and the right not to be subject to decisions based solely on automated processing and profiling. EU legislation provides strong sanctions and compensation mechanisms that incentivize companies to take regulation seriously. Other jurisdictions including Canada, Australia, Brazil, India, and Japan have enacted data protection laws that similarly cover data brokers within broader privacy regulatory frameworks.
Accessibility, Transparency, and Privacy Implications
Public Records: Accessibility and Transparency
Public records are inherently designed to be accessible to the public as an operational requirement of transparent democracy. The accessibility of public records occurs through multiple channels depending on the type of record and the government agency maintaining it. Federal records can be accessed through FOIA requests submitted to individual federal agencies, with the requesting party having twenty days to receive a response. State and local public records are typically accessed through requests submitted to the specific government entity maintaining the records, with timelines and procedures varying by jurisdiction. Many government agencies now maintain websites allowing citizens to search and download public records directly without submitting formal requests, dramatically increasing accessibility compared to historical paper-based systems.
The digitization of public records has fundamentally expanded their accessibility while simultaneously creating new privacy concerns. Historically, accessing public records required individuals to physically visit government offices during business hours, interact with government officials who would retrieve the requested documents, and potentially leave a paper trail documenting the request. This in-person process created natural friction that limited casual access to public records and created a record of who accessed specific information. Digital systems have eliminated this friction, allowing anyone with an internet connection to search, retrieve, and download vast quantities of public information in seconds. While this democratization of information access serves important transparency and accountability functions, it has simultaneously enabled the wholesale collection of public records by data brokers for commercial purposes on a scale previously impossible.
The transparency value of public records derives from their fundamental purpose of enabling democratic accountability and supporting legitimate research, journalism, and civic oversight. Reporters rely on public records to investigate government activities and potential wrongdoing. Civil rights organizations use public records to monitor compliance with laws and regulations. Academic researchers depend on public records for studies addressing public health, environmental protection, criminal justice, and other matters of public concern. Businesses rely on public records for legitimate functions including location planning, environmental assessment, and economic forecasting. This legitimate use of public records stands in tension with the ease with which data brokers can now aggregate and repurpose public records for commercial profit.
Data Brokers: The Transformation of Public Information into Commercial Profiles
The distinction between public records themselves and data broker compilations of public records represents a critical analytical point that remains often overlooked in policy debates. While the underlying information in public records is admittedly public in one sense—it is government-generated and designated for public access—the transformation of dispersed public records into aggregated, digitized, linked, and commercially available profiles represents a fundamental change in context and risk. Data brokers accomplish this transformation through several mechanisms. First, they systematically digitize public records that may exist in physical form at various government locations. Second, they aggregate these records from multiple disparate sources into consolidated databases, matching records across jurisdictions that previously required separate searches in different locations. Third, they link public records to specific individuals, making it trivially easy to search for all information about any particular person by name or other identifier. Fourth, they sell access to these aggregated, linked, and searchable profiles to any entity willing to pay, dramatically expanding access from those willing to perform research to any organization willing to purchase access.
This transformation from dispersed public records to commercially available profiles represents what has been termed a change in “data context,” where the availability, aggregation, and linkage of information creates substantially different risks than the underlying information provided individually. The Federal Trade Commission acknowledged in its 2014 report on data brokers that “people search products can be used to facilitate harassment, or even stalking, and may expose domestic violence victims, law enforcement officers, prosecutors, public officials, or other individuals to retaliation or other harm”. The practical impact of this contextual change became tragically evident in multiple documented cases where abusive individuals purchased data broker profiles to locate and murder former partners. In one particularly tragic case involving Stephen Boyer, a domestic violence survivor located through a people search website was murdered by a stalker who had purchased information from the data broker.
Data brokers’ business model explicitly relies on the value-add of this transformation. The companies market their services by emphasizing their ability to compile, digitize, and aggregate information that would otherwise require researchers to manually conduct searches in multiple government offices and databases. Data broker websites explicitly promote their ability to provide “scary” amounts of information about individuals that can be discovered with just one piece of identifying information. This value proposition fundamentally depends on the change in context—the ease, speed, and comprehensiveness of searching for information about individuals. Yet simultaneously, data brokers and some legal commentators argue that since the underlying information is already public, their aggregation and commercial sale of it represents no meaningful change from the public records themselves. This argument fundamentally mischaracterizes the practical and contextual differences between publicly available information existing in dispersed form and information aggregated, linked, and sold commercially for searching individuals’ comprehensive profiles.
Privacy Implications and Risks
The aggregation of personal information by data brokers creates substantial privacy implications and security risks that extend far beyond the original context of government-maintained public records. Data brokers compile and maintain extraordinarily comprehensive dossiers on individuals encompassing names, addresses, telephone numbers, email addresses, gender, age, marital status, information about children, education and employment history, profession, income, political preferences, property ownership information, purchase history, health information, websites visited online, advertisements clicked, and real-time location data. The mere collection and maintenance of such comprehensive information on millions of Americans creates security vulnerabilities, as data brokers themselves become lucrative targets for malicious actors and foreign governments seeking access to this aggregated personal information.
Data breaches affecting data brokers can expose enormous quantities of personal information on millions of individuals. The 2017 breach of Equifax exposed personal information on approximately 143 million U.S. consumers, including names, Social Security numbers, birth dates, addresses, and in some cases driver’s license numbers. Criminals who gain access to data broker information can impersonate individuals to open fraudulent accounts, take out loans, file false tax returns, and engage in other identity theft activities that cause substantial financial losses and damage to individuals’ credit and financial status. Detailed consumer profiles enable scammers to craft highly convincing phishing emails, fraudulent phone calls, and other social engineering attacks that exploit personal details and vulnerabilities.
Data brokers’ activities also facilitate harassment and stalking by making it trivially easy for abusive individuals, stalkers, and other bad actors to locate and monitor targeted individuals. The availability of comprehensive profiles containing current addresses, family member information, and employment information dramatically increases the risk that domestic violence survivors, law enforcement officers, prosecutors, and other vulnerable individuals can be located and harmed. Additionally, data brokers’ profiling and scoring activities can result in discrimination when their inferred or scored categories are used to determine eligibility for credit, insurance, employment, or other opportunities. Black and Latino communities have been documented to receive lower credit scores as a group than white communities, potentially reflecting discriminatory algorithmic practices or discriminatory patterns in the underlying data.
The Role of Digitization in Changing Information Context
From Physical Records to Digital Aggregation
The transformation of public records from physical documents stored in government offices to digitized, aggregated, and searchable databases fundamentally altered the relationship between information accessibility and privacy. When public records existed primarily in paper form at local government offices, accessing them required substantial effort and left a potential trail. To research an individual’s property history, one would need to visit the county assessor’s office, review property records manually, and potentially interact with government officials who would record that a request had been made. To research criminal history, one would need to visit the courthouse in the relevant jurisdiction, submit formal requests, and wait for documents to be retrieved and provided. The distributed nature of records across multiple jurisdictions meant that researching a comprehensive profile of an individual required visits to multiple government offices in different locations. This friction inherently limited casual searches while preserving legitimate access for those willing to invest the effort.
Digital systems have eliminated this friction almost entirely. Today, a person with an internet connection can instantly search for comprehensive information about any individual across multiple jurisdictions, accessing aggregated profiles that would have required days or weeks of physical research in the pre-digital era. Data brokers have built their entire business model on this transformation, employing web scraping technologies to automatically harvest vast quantities of digitized public records from government websites and combining them with commercial and online-derived data into consolidated searchable databases. The scale of this collection and aggregation is breathtaking—data brokers maintain databases containing billions of records on individuals, collected from thousands of sources, allowing them to construct detailed profiles on virtually every American.
Government Digitization and Data Broker Exploitation
The digitization of government records, undertaken primarily to improve public access and governmental efficiency, has simultaneously created an enormous resource for data brokers to exploit. Many courts have begun publishing both indexes of court records and the full documents and case files to the internet, often without providing notice to citizens or options to restrict web access. Government property records, voter registration information, and other public records have been digitized and placed online by government agencies seeking to provide public access. While these digitization efforts serve important transparency and access functions, they have also created comprehensive digital repositories from which data brokers can systematically extract and aggregate public records.
The exploitation of digitized government records by data brokers raises important questions about the intended versus actual consequences of government digitization efforts. Government agencies have justified their digitization of public records primarily through transparency and democratic accountability rationales—making information more accessible to journalists, civil rights organizations, and concerned citizens. However, by making this information available in easily searchable digital form, government agencies have simultaneously enabled data brokers to mechanically harvest vast quantities of information at scale for commercial profit. Some policy analysts have argued that this represents an unintended consequence of well-intentioned digitization efforts, where the infrastructure created for transparency and access has been repurposed for commercial surveillance and profiling.
Consumer Rights and Protections
Opting Out and Deletion Rights
Federal and state law increasingly recognize that individuals should have the ability to limit data brokers’ collection and sale of their personal information through opt-out and deletion mechanisms. Under the California Consumer Privacy Act, consumers have the right to know what personal information data brokers have compiled about them, to request that the information be erased, and to opt-out of having their data sold. California’s Delete Act, enacted in 2023 and effective January 1, 2024, requires data brokers to register with the California Privacy Protection Agency and to provide information about how consumers may exercise their privacy rights. Starting in 2026, California’s groundbreaking Deletion and Request Opt-Out Portal (DROP) will enable Californians to submit automated deletion requests simultaneously to every registered data broker through a single portal, completely free of charge.
However, the practical reality of exercising these rights remains dauntingly difficult for most consumers. Privacy Rights Clearinghouse identified 750 unique data broker groups operating across the country based on analysis of state registries in California, Texas, Oregon, and Vermont. To opt out individually from each data broker typically involves visiting each broker’s website, locating the privacy policy or consumer request form, submitting opt-out requests, verifying identity through providing additional personal information, and waiting for responses typically required within 45 days. According to research cited in the sources, the average opt-out process requires approximately 47 minutes of work per data broker site to complete, including verifying removal and resubmitting requests if not initially removed. Multiplied across hundreds of data broker sites, the total time investment becomes prohibitively burdensome for most individuals.
Complicating this process further, many data brokers deliberately obscure their opt-out mechanisms or make the process intentionally cumbersome. CalMatters and The Markup reported that 35 data brokers injected code into their websites that hid their opt-out pages from internet searches, making it substantially more difficult for people to discover how to delete their data. Many opt-out pages require scrolling multiple screens, dismissing pop-ups for cookie permissions and newsletter sign-ups, and locating links that are a fraction the size of other text on the page. Furthermore, data brokers retain the legal ability to re-obtain and re-publish individuals’ information if it reappears in their data sources, meaning that even after successful deletion requests, information may reappear on data broker sites as brokers re-scrape public records or purchase updated data.
Paid Removal Services and Alternative Approaches
The difficulty and burden of individually opting out from numerous data brokers has spawned an entire industry of paid removal services that offer to handle the deletion process on consumers’ behalf. Services such as DeleteMe, Tall Poppy, Optery, EasyOptOuts, and Incogni provide various tiers of service ranging from approximately $20 to $250 annually, offering to automatically initiate and resubmit opt-out requests across dozens to hundreds of data broker sites. While these services can substantially reduce the burden on individuals, they do not eliminate it entirely and introduce additional complexity in that consumers must evaluate which service offers adequate coverage for the particular data brokers that possess their information.
Some researchers and consumer advocates argue that the need for paid services to exercise statutory privacy rights represents a fundamental failure of data broker regulation and should catalyze more aggressive regulatory intervention. If privacy rights are difficult or impossible to exercise without paying private companies to handle the process, then the practical effectiveness of those rights comes into serious question. This critique gained resonance when the California Privacy Protection Agency announced in February 2025 that it had reached a settlement with Background Alert, Inc., a California-based data broker, requiring the company to shut down its operations through 2028 for failing to register and pay required fees. The agency’s enforcement action demonstrated that even state-registered data brokers sometimes deliberately evade compliance obligations when facing enforcement costs.
Limitations of Current Consumer Protections
Despite the expansion of data broker registration requirements and consumer opt-out rights, substantial limitations remain in the protections offered to individuals. First, many state laws include exemptions for data brokers whose data comes from publicly available sources or who are regulated under other federal laws such as the Fair Credit Reporting Act. This creates significant regulatory gaps where data brokers dealing in sensitive data from public records may avoid state data broker requirements. Second, even when consumers successfully opt out from data brokers, their information may continue appearing in the reports of relatives, neighbors, and associates, meaning that comprehensive deletion is impossible for individuals connected to others. Third, exemptions built into privacy laws based on “public records” status mean that data brokers can continue selling aggregated profiles derived entirely from public sources despite consumers’ deletion requests.
Fourth, the fragmented state-level regulatory approach means that consumers face substantially different protections depending on their state of residence, with the vast majority of Americans living in states that have not enacted data broker-specific legislation. Fifth, non-public data brokers operating under business-to-business models remain almost entirely unregulated except where specific federal statutes apply, with little transparency about what data they collect or sell. Sixth, the emergence of increasingly sophisticated data inference techniques allows data brokers to continue profiting from inferred information about individuals even when direct data collection is restricted. For example, a data broker might sell information inferred about an individual’s political affiliation based on web browsing patterns, even if the individual’s actual political donations and affiliations remain protected.
Practical Implications for Privacy and Security
National Security and Law Enforcement Concerns
The availability of comprehensive personal data from data brokers has created serious national security implications when foreign actors or hostile governments gain access to this information. Researchers at the NATO Strategic Communications Centre of Excellence conducted a proof-of-concept study in which they purchased data from multiple data brokers and performed red-team analysis to demonstrate how such data could be exploited for intelligence purposes. Foreign governments with access to comprehensive profiles of U.S. military personnel, government officials, and civilians can use this information for targeting, recruitment, espionage, and other hostile purposes. The availability of individualized location data about military servicemembers and government officials creates particular vulnerabilities, with researchers having purchased individually identified data on U.S. military members for as little as $0.125 per servicemember.
Additionally, U.S. law enforcement and intelligence agencies have exploited data broker data to circumvent constitutional protections against warrantless surveillance. The Secret Service and other law enforcement agencies have purchased location data from data brokers for purposes that would ordinarily require a warrant under the Fourth Amendment. Since data brokers operate in the private sector and their data is purchased rather than compelled through legal process, outdated regulatory frameworks place no limitations on public agencies seeking to purchase data that would otherwise require a warrant, effectively short-circuiting civil rights protections. Researchers documented that three data brokers—Epsilon, Macromark, and KBM—were criminally prosecuted by the Department of Justice for knowingly selling lists of vulnerable Americans, including elderly Americans and people with Alzheimer’s, to criminal scammers for approximately a decade, profiting from the sale of data that enabled scammers to steal millions of dollars from vulnerable populations.
Accuracy and Inaccuracy Issues
A critical distinction between public records and data brokers relates to accuracy and the mechanisms available to correct errors. Public records maintained by government agencies typically include systems for correction and verification, as individuals interact directly with government agencies when events occur that generate records—they personally provide information to government offices that generates birth certificates, property records, and other government-maintained documents. When errors occur in government records, individuals typically have legal remedies available to petition for correction, expungement, or sealing of records through legal process.
By contrast, data brokers compile their information from numerous dispersed sources and aggregate information from multiple different entities, creating multiple points at which errors can be introduced and compounded. A 2004 study by the National Association of State Public Interest Groups found that 54% of credit reports contained incorrect identity information and 79% contained at least one serious error. The Federal Trade Commission estimates that over 40 million consumers have an error on a credit report. Errors in data broker databases frequently result from matches among individuals with common names, data quality issues from source records, duplicate entry of the same information under different names, and failure to properly update when criminal records are sealed or expunged. For example, a person named “Mark Johnson” in Cleveland was misidentified as having been convicted of a sex offense in one background check and of having a drug conviction in a completely different background check a year earlier. When private sector data brokers report erroneous information, individuals face substantial difficulty in identifying the error, locating which data broker holds the inaccurate information, proving the inaccuracy, and compelling the data broker to correct it.
Accessibility, Comprehensiveness, and Depth Issues
Public records obtained through free online searches often suffer from significant limitations related to completeness, comprehensiveness, currency, and accuracy. Free public records search platforms often provide incomplete information, as few if any platforms can offer comprehensive public records searches capturing data from multiple sources simultaneously. All available public records databases are not centralized in a single location, requiring researchers to visit dozens or even hundreds of jurisdiction-specific websites to guarantee sufficiently inclusive searches. Additionally, free public records resources frequently contain outdated information, with many services listing outdated information alongside current data without clearly distinguishing between them. This is particularly problematic for criminal records, where outdated services may still list criminal records that have been expunged without noting that fact, making it impossible for users to distinguish between valid current records and erased historical records.
By contrast, data brokers maintain current, regularly updated databases where they can invest in matching algorithms, data validation, and verification processes that many free resources cannot afford. This creates an ironic situation where individuals attempting to access comprehensive information about themselves or others might have better access through a data broker database than through free public records resources. However, this accessibility advantage comes at the cost of commercial mediation, lack of transparency about data sources and methods, and alignment with profit motives rather than accuracy or fairness motives.
Public Records & Data Brokers: A Clear Distinction
The distinction between public records and data brokers represents one of the most fundamental and consequential dividing lines in contemporary discussions of privacy, surveillance, and democratic governance. While both involve personal information that is in some sense accessible to the public, they operate under fundamentally different legal frameworks, with distinct purposes, regulatory oversight, and privacy implications. Public records emerge from the essential governmental functions of documenting vital events, recording property transactions, maintaining court proceedings, and administering elections and professional licensing—activities that create a natural byproduct of government operations that democratically must remain accessible to ensure transparency and accountability. Data brokers, by contrast, represent private commercial enterprises whose entire business model centers on the collection, aggregation, inference, and resale of personal information extracted from public records, commercial sources, and online tracking—activities driven by profit motives rather than governmental necessity.
The digitization of public records, undertaken primarily to improve public access and government efficiency, has simultaneously enabled the wholesale commercialization of personal information on an unprecedented scale. Data brokers have built enormous commercial empires by systematizing the harvesting, aggregation, and marketing of digitized public records combined with commercial data and online tracking. The transformation of dispersed public records into aggregated, linked, searchable, and commercially available profiles represents a fundamental change in context and risk, despite the underlying information being publicly available in disaggregated form. The ease with which individuals can now locate comprehensive personal information about any person through data broker searches fundamentally exceeds the practical access possible in the pre-digital era when public records existed in paper form at distributed government offices.
The regulatory frameworks governing public records and data brokers reflect different policy priorities and face ongoing tension. Public records laws prioritize transparency, governmental accountability, and citizen access, recognizing that open government requires public information about governmental activities and operations. Data broker regulation, still in nascent stages except in a handful of forward-thinking states, prioritizes consumer privacy and protection from misuse, recognizing that comprehensive commercial profiles enable discrimination, harassment, stalking, fraud, and other harms. The federal framework remains fragmented and incomplete, with only limited statutes addressing specific aspects of data brokerage while no comprehensive federal regulation exists. State frameworks have begun establishing data broker registration requirements and consumer opt-out rights, though these protections remain geographically unequal, often riddled with exemptions, and frequently difficult or impossible for consumers to exercise without paying private companies.
The challenge facing policymakers involves balancing legitimate public access to government records necessary for democratic accountability against the risks posed by private commercial aggregation and sale of personal data derived from public records combined with commercial and online-derived information. This balance cannot be achieved by simply treating data brokers’ aggregated, linked, and marketed profiles as identical to the dispersed public records from which they derive, as doing so would effectively eliminate consumer privacy protections by characterizing all personal information in data broker databases as “public” simply because some component may derive from public records. Conversely, completely restricting access to public records would undermine transparency, accountability, and the democratic functions that public records serve. The resolution likely requires nuanced policy distinguishing between legitimate public access to public records for transparency purposes and commercial data brokerage activities, recognizing that context matters and that aggregation, digitization, and sale of information fundamentally changes its nature and risk profile even when the underlying information is public. Forward-looking regulation should continue expanding consumer rights to access, correct, and delete personal information held by data brokers while implementing robust purchaser credentialing to limit access to those with legitimate purposes, preventing exploitation of data broker information for harassment, discrimination, stalking, or unlawful purposes. The establishment of comprehensive federal privacy legislation creating baseline national protections, combined with continued state-level innovation and the creation of centralized deletion and opt-out mechanisms as California’s DROP system demonstrates, offers the most promising path forward for protecting individual privacy while preserving the democratic functions that public records serve.
Protect Your Digital Life with Activate Security
Get 14 powerful security tools in one comprehensive suite. VPN, antivirus, password manager, dark web monitoring, and more.
Get Protected Now
