{"id":6235,"date":"2025-04-15T05:27:00","date_gmt":"2025-04-15T10:27:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&p=6235"},"modified":"2025-07-16T13:24:18","modified_gmt":"2025-07-16T18:24:18","slug":"data-brokers-impact-data-privacy","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/data-brokers-impact-data-privacy\/","title":{"rendered":"Understanding the Work of Data Brokers and Their Impact on Data Privacy"},"content":{"rendered":"\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t\t\tarticles<\/strong>\n\t\t\t\t\t\t\t\t\t\t

Understanding the Work of Data Brokers and Their Impact on Data Privacy<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\"\"\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\tConnie Lam<\/strong>\n\t\t\t\t\t\t\t\t\t\t\t\tPrivacy Knowledge Researcher<\/span>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t

Data brokers are organizations that collect large amounts of raw personal information online and offline, analyze it, and then sell it to other companies (e.g., advertisers, financial entities, and insurance providers), who will mostly use it for marketing purposes. This practice may not be as well-known as other privacy topics. Still, it\u2019s almost certain that everyone has had their personal information fall into the hands of a data broker along the data supply chain.<\/p>\n

Remember when you skimmed through your personal email account and noticed several advertisements from a company you have not done business with trying to pitch an exclusive rewards card to one of your favorite coffee shops, and wondered how the company knows your name and email address? That\u2019s the work of a data broker.<\/p>\n

The data broker industry is not as new as some people may think, but it creates data protection and privacy concerns, especially when there is a lack of rules regulating this industry. This article will break down what data brokerage entails, highlight key enforcement actions, and explore what legislation and guidance are currently in place.<\/p>\n

How data brokers collect personal information<\/h2>\n

Data brokers collect all types of personal information ranging from basic information (e.g., name, contact information, email address) to sensitive and intrusive personal information<\/a> (e.g., gender, income level, geolocation, health data). They have a variety of means to collect personal information, including:<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Source<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
Direct collection<\/td>\nData brokers may:<\/p>\n
    \n
  • Purchase companies, apps, and websites that collect users’ personal information, which is subsequently transferred into their databases;<\/li>\n
  • Pay app developers to install their software development kits (SDKs) into the app, so when users install the app into their phone and customize the app\u2019s access permissions, the data broker\u2019s SDK will also gain access to the user\u2019s data.<\/li>\n<\/ul>\n

    Online agreements and terms of service may state in fine print that the company has the right to collect and share personal information from its users, but these disclosures may not be clear to users.<\/td>\n<\/tr>\n

Indirect collection<\/td>\nData brokers will search for personal information from a variety of sources, such as public records, including voter registration, birth certificates, and criminal records, and data from online browsers, internet searches, and users\u2019 interactions with apps or websites.<\/span><\/td>\n<\/tr>\n
Inference<\/td>\nData brokers may use algorithms to make predictions or draw inferences from seemingly non-personal data or consumers who have never directly shared such information.<\/span><\/td>\n<\/tr>\n
Government sources<\/td>\nPostal services may be leveraged to collect information about a person\u2019s address and\/or determine if someone changed their address, and the U.S. Census Bureau can be used to gather data about certain demographics of a particular location, income levels, etc.<\/span><\/td>\n<\/tr>\n
Commercial sources<\/td>\nData brokers can also acquire personal information from various commercial sources, such as retailers, catalog companies, financial services, and other data brokers.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

How do data brokers impact data privacy?<\/h2>\n

Individuals who enjoy the convenience of receiving personalized ads and services could argue that there is little harm in data brokers collecting and sharing personal information<\/a> with companies. However, this practice may lead to multi-faceted impacts of mistreatment in other industries.<\/p>\n

For example, a data broker collects an individual’s personal and geolocation data and infers that they are a car enthusiast and spend their weekend at a race track. A car dealership purchases this information to offer the individual special deals, but an insurance company analyzing that same information might infer that the individual is a reckless driver and may impose a higher insurance rate.<\/p>\n

Data brokerage can present cybersecurity concerns. Data brokers retain large volumes of personal information, which increases the risk of data being susceptible to a data breach and becoming compromised in the event of a cyberattack on their database.<\/p>\n

And here\u2019s the kicker:<\/strong> consumers are increasingly aware and fed up. According to new research<\/a>, 91% of people support stronger regulation of data brokers, and most want clear notification when their data is acquired. Explore the consumer perspective in our companion piece on data broker expectations versus corporate realities<\/a>.<\/p>\n

Enforcement actions<\/h2>\n

The Federal Trade Commission (FTC) has been doubling down on irresponsible data brokerage and has finalized several settlements with companies such as Mobilewalla, Inc. and Avast Limited.<\/p>\n

On January 14, 2025, the FTC finalized a settlement with Mobilewalla, Inc.<\/a> after the company collected over 500 million unique consumer identifiers with precise location data that were not anonymized. Mobilewalla failed to remove sensitive location data from the identifiers, making identifying individuals and their visited locations possible. The company also analyzed and created audience segments\u2014for example, targeting pregnant women based on their visits to pregnancy centers\u2014and sold this data to third parties such as advertisers and other data brokers.<\/p>\n

On June 27, 2024, the FTC also finalized an order against Avast Limited<\/a>, banning the company from selling or licensing data for advertising purposes. Avast falsely claimed their software product blocked tracking cookies, but in reality, they collected and sold consumer browsing data in an identifiable format without notice or consent.<\/p>\n

What\u2019s being done to regulate data brokerage in the U.S. federally?<\/h2>\n

Two federal legislations curb data brokerage:<\/strong> the final rules from the Department of Justice (DOJ) on Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern of Covered Persons (Final Rules), pursuant to EO 14117<\/a>, and the Protecting Americans\u2019 Data from Foreign Adversaries Act.<\/p>\n

The Final Rules on preventing access to U.S. government-related data and bulk sensitive data<\/h3>\n

Published on December 27, 2024, the Final Rules<\/a> prohibits or restricts U.S. persons or companies from engaging in covered data transactions that allow a country of concern or covered persons to access government-related or sensitive personal data of specific thresholds. Countries of concern include China, Cuba, Iran, North Korea, Russia, and Venezuela, and covered persons are foreign persons or entities located in or owned by residents of countries of concern if they participate in covered data transactions.<\/p>\n

Covered data transactions include prohibited transactions and restricted transactions. Specifically, prohibited transactions include:<\/p>\n