Data Broker
What is Data Broker?
Data Broker: A business that aggregates personal data about consumers from public, commercial, and observed sources and sells it onward — increasingly regulated under California's Delete Act, U.S. state data-broker registries, EU privacy law, and CFPB Section 1033 rules.
A data broker is a business whose primary activity is the collection, aggregation, and resale of personal information about consumers with whom it has no direct relationship. Inputs include public records (court filings, voter rolls, property), commercial sources (loyalty programs, retailers, telcos, ISPs), observed online behavior (advertising IDs, location SDKs), and people-search scrapes. Outputs range from people-finder sites to enterprise marketing, debt-collection, risk-scoring, and increasingly to private intelligence and national-security buyers.
Regulation has accelerated. California's SB 362 (Delete Act, 2023) requires data brokers to register and to honour deletion requests via a single central interface starting in 2026. Vermont, Texas, Oregon, and other U.S. states maintain registries. The EU GDPR treats brokers as 'controllers' subject to data-subject rights and Article 14 information obligations even when data is collected indirectly. The U.S. CFPB has pursued data brokers under FCRA, and federal proposals continue to address bulk data sales to foreign adversaries.
For privacy programs, data brokers are an underestimated source of PII and a documented vector for executive-protection and physical-safety risks.
● Examples
- 01: An executive-protection team submits deletion requests to dozens of U.S. people-search data brokers via the upcoming California Delete Act central registry to suppress home-address exposure.
- 02: A privacy review of a free mobile app finds that a third-party SDK silently sells precise GPS coordinates to a location-data broker.
● Frequently asked questions
What is Data Broker?
A business that aggregates personal data about consumers from public, commercial, and observed sources and sells it onward — increasingly regulated under California's Delete Act, U.S. state data-broker registries, EU privacy law, and CFPB Section 1033 rules. It belongs to the Privacy & Data Protection category of cybersecurity.
How do you defend against data brokers?
Defences against data-broker exposure typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Data Broker?
Common alternative names include: Information broker, People-search broker.
● Related terms
- Personally Identifiable Information (PII) (privacy, № 914): Any data that can identify a specific individual on its own or when combined with other information, such as names, identifiers, or biometric records.
- Data Classification (privacy, № 306): The process of labeling data by sensitivity and value so that the right protection, handling, and retention controls can be applied consistently.
- Data Retention (privacy, № 315): The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
- Right to Be Forgotten (privacy, № 1039): The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17.
- GDPR (compliance, № 488): The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- CCPA (compliance, № 167): The California Consumer Privacy Act, a U.S. state privacy law granting California residents rights over their personal information held by businesses.