In this guide you’ll learn:
- What are data brokers
- What types of personal data they collect and process
- How they collect personal data
- Why you don’t want your personal data in their hands
- How to protect yourself from data brokers
Media abounds with articles about Googles and Facebooks of the world earning tons of money on our data. They often call it “selling your personal information to other businesses,” “selling your identity for money,” and so on.
While it is true that Google, Facebook, and the like are business platforms where people’s attention and business ads meet based on personal information, there are businesses whose business model involves collecting personal information and simply selling it.
By selling data, we don’t mean a platform that people use for free, and businesses pay for access to pools of these people based on online tracking. Nor do we talk about companies disclosing personal data to third-party apps.
We talk about one business collecting personal information and selling it to another one for money. As simple as that.
These companies are called data brokers.
Data brokers are companies that collect people’s personal information, package it well, and sell it to other companies for money. Other companies buy it because they need the data to make better business decisions.
People whose personal data is being sold often have no idea about it. In the meantime, data brokers grow into billion-dollar businesses.
To give you an idea of how big these companies are:
All that from harvesting, packaging, and selling personal data.
And to give you an idea of how good they are at their business, check out this piece on one person’s quest to figure out how some companies on the internet knew his data.
In the end, he learned that even Facebook bought data from a data broker. Yes, Facebook, the company we think has the most sophisticated algorithms for automated data processing, has purchased data about its users from data brokers.
Data brokers are serious about data processing. Acxiom, for example, has over 23,000 servers processing data of more than 500 million people worldwide. That’s about 7% of the world’s total population.
Acxiom itself does not agree, though, and claims to process data of 10% of the world’s population. Only two countries – China and India – have larger populations than Acxiom’s list of persons whose personal data it has processed.
Data brokers collect and process just about any data category they can. Any data is useful to them. Acxiom processes 1500 data points per person.
Aside from the basic personal information, such as name, email address, home address, phone number, or SSN, they also process massive amounts of data related to your behavior.
This may include your political views, philosophical views on the world, online purchase behavior, family life, etc.
For example, when analyzing your online purchase behavior, they may analyze multiple data points. A simple purchase of a t-shirt online may give them information about:
These are less than 1500 data points, but you get the idea.
It is mighty. And the next time, you’ll be served a relevant ad by a random online company that has bought this data.
As you may know already, just by getting yourself online, some categories of your personal information are already exposed. Although private browsing is possible, very few people opt for it. If you are not one of them, you are exposed.
When you get your data exposed, data brokers await with arms wide open.
They get their hands on your data in two ways: they buy it, or they harvest it themselves. Purchasing data is self-explanatory. Harvesting is done mainly through web scraping.
Web scraping is an online activity in which someone sends a small piece of software or a script that extracts data from a website on the internet.
So, data brokers send web scrapers to any website that could contain personal data. The scraper collects the data and sends it back to the data broker in a format ready for processing. Then the processing begins. They match many data points about the person, eventually building a person’s profile.
In most cases, they collect the data by scraping:
Public records. Your data from court records, voting records, divorce records, and city/state/federal records made at least partially available to the public. Data brokers take advantage of it to collect everything they can in their databases.
Social network profiles. They won’t hesitate to scrape the public parts of your social media profiles, such as your name, phone number, email address, or others.
So, if they send a scraper to LinkedIn, aside from scraping public data, they wouldn’t hesitate to access the data visible only to members and collect it.
Scraping public data breaches. When personal data leaks from a website, data brokers have work to do – sending the scraper straight to the accident scene to get what they need. It may include sensitive data as well.
Other data brokers. There is a Latin proverb: “A man is a wolf to another man (Homo homini lupus est).” Well, a data broker is not a wolf to another data broker. They scrape each other’s databases, which never results in legal action.
So, if one data broker has many data points about you, it is likely that many others, sooner or later, will get that data as well – without your consent and your knowledge.
When scraping is not enough or not possible, data brokers pay for the data out of their own pockets.
Email list aggregators. There are companies whose sole purpose is to collect email addresses of people based on their interests, segment them, and sell the data packaged based on specific characteristics of the users.
For example, you can approach them and buy an email list of 30+ men who use personal finance apps. Or an email list of people interested in paleo diets.
Some businesses buy these lists, but data brokers buy them, too.
Just other companies that have collected your data. Many online businesses that did not intend to sell users’ data manage it for their own needs. However, if data brokers come to them with the right opportunity at the right time, some of them may opt to sell it.
Data brokers operate in the wild west, but you can challenge them by exercising your data subject rights. However, you have such rights only if the applicable laws grant them to you.
As of publishing this article, the GDPR, the CCPA, Nevada NRS603A, Brazil LGPD, Canada PIPEDA, and some others protect users from sales of their information.
Keeping in mind that there are two major trends in data privacy laws worldwide – laws similar to the GDPR and regulations identical to the CCPA (only US state laws), there are two primary paths to protection. Both lead through users’ consent. One of them requires it; the other doesn’t.
The laws that require consent to collect users’ personal information usually require approval for selling the data as well. Such laws include the EU GDPR and the laws of non-EU European countries, Brazil, Argentina, Thailand, South Africa, Dubai, Australia, New Zealand, Japan, China, Russia, and other countries that have passed new data protection laws or updated the old ones in the last few years.
Take the following steps:
This should give you an idea about what they do with data. However, be prepared to struggle a bit. If you are an EU citizen and send a data subject request to a US business or an Indian business, these businesses may not be compliant with the GDPR.
That would mean that you have to explain that the GDPR applies to them when interacting with EU users, and that they should be compliant. If they ignore your request, submit a complaint to your national data protection authority. The authority will make the business give you the requested information.
Consent is not required where:
If the applicable law does not grant you any personal data protection, there is no way to protect yourself. You can request the data broker to delete your information, but they can shut the door in your face if they want to. So, you are left on your own.
If the California CCPA or the Nevada NRS603A applies to you in this particular case, do the following:
Bonus step: Check out Brand Yourself. It is a company that scans for your data in the databases of major data brokers. The scan results in a report on where your data has been found. Then you’ll know where to start.
On the other hand, if the Canada PIPEDA applies to your case, i.e., you or the business in question is Canadian, make sure you give a “negative consent.”
This means contacting the data controller and asking them to cease selling your data to other parties. In addition, you can submit a request to know to whom your data has been disclosed and then request all of them to erase your personal information from their records.
Your data is likely on someone’s servers without your consent and knowledge. And it is likely being sold for money.
If you are comfortable with that, you can go on with your life. But if it makes you anxious, it may be just about the right time to act.