If there’s one thing all data brokers have in common, it’s that they don’t like being called data brokers.
And it’s no wonder why, considering the term has become as sensitive as the data some of these companies collect for advertising purposes.
But the legal definition of a data broker is fairly straightforward.
In a 2014 report, the Federal Trade Commission broadly defined a data broker as any company that monetizes by collecting consumer data and selling it to third parties. Recent examples include X-Mode Social and its successor, Outlogic, which settled FTC allegations in January, and Kochava, the subject of a recently refiled FTC lawsuit.
Several state laws have an even narrower definition of what makes a data broker. California’s Delete Act, signed into law in October, defines a data broker as any company that collects and sells data about consumers with whom it has no direct relationship.
Both federal and state regulators have recently begun to ramp up their efforts to prevent data brokers from misusing personal data in ways consumers don’t expect.
If it walks like a duck (then it’s probably a data broker)
This heightened regulatory attention has certainly given the term “data broker” a negative connotation.
But being called a data broker is not necessarily an accusation. The term simply refers to a business practice that can be problematic from a privacy perspective if engaged in improperly (as in, without proper consent).
Still, the implication is why data brokers typically don’t refer to themselves as such, even when selling data is a core part of their business.
Take Experian, which acknowledges that data brokering is “an ingredient in Experian’s recipe,” said Chris Feo, SVP of global sales. But it’s not the only part of its business.
Credit reporting aside, Experian’s primary focus, according to Feo, is helping other companies connect their own data across multiple sources – which is why it prefers to position itself as a “connectivity company,” thank you very much.
TransUnion has similar reasons for calling itself an “information and insights company,” while Equifax opts for “a trusted global leader in data, analytics, and technology.”
Brokering a peace
But regardless of what companies prefer to call themselves, “data broker” is a term defined by law, including new state laws with special requirements.
Four states currently have laws aimed at data brokers: California, Vermont, Texas and Oregon. California’s Delete Act is an update to an existing state law, and Vermont passed a data broker act in 2018, while Texas’s and Oregon’s laws went into effect in September 2023 and January 2024, respectively.
These laws require data brokers to register with the state, which means disclosing the types of personal information they collect from consumers and for what business purpose. Registration also puts the onus on data brokers to demonstrate adequate consumer consent verification and data collection disclosures.
But some laws aren’t stopping at disclosure requirements. California, for example, just updated its data broker statute with the Delete Act. The law, which goes into effect in January 2026, requires the California Privacy Protection Agency to create an easy way for California residents to request that their personal data be removed from the databases of all data brokers based in the state.
“Companies are no longer in a position where they can just collect [and sell] everything they want,” said Daniel Rosenzweig, founder and principal attorney at boutique law firm DBR Data Privacy Solutions.
State and federal regulators are specifically cracking down on data collection practices that “arguably [fall] outside the expectations of a typical consumer,” Rosenzweig said.
When people swipe their credit card at the store, for instance, they don’t expect that transaction data to end up in a third-party company’s identity graph. Yet one of the most common data broker tactics is to aggregate consumer credit data and sell it to businesses for targeted advertising purposes, Rosenzweig said.
Signaling sensitivity
Intensifying public concern about the risks of collecting and sharing sensitive data in particular is behind the push for more stringent governance of data brokers.
For example, the Supreme Court’s decision in 2022 to overturn Roe v. Wade has made many women reasonably fearful that information about their reproductive health – from using period-tracking apps to visiting a Planned Parenthood clinic – could land in the wrong hands.
“There’s a big focus on sensitive information, particularly precise geolocation and health [data],” Rosenzweig said. When data brokers sell sensitive personal information, there is the potential for consumer harm, and it certainly goes against the expectations of the average person.
What consumers do expect, however, is the ability to easily opt out of data collection and remove any personal information previously collected by data brokers.
Cause for concern
Considering the heightened scrutiny, data brokers are bracing themselves for harsher regulation by making sure their business practices can pass muster from a legal perspective.
For example, when a user in Experian’s identity graph opts out of data tracking on one of their devices, Feo said, Experian removes all device identifiers connected to that user’s entire household from its identity graph.
The online ad industry’s signal loss problem will likely become more acute as data brokers continue to rein in their behavior and take a more restrictive approach to data collection.
Whether companies like it or not, “consumer-first” is the only appropriate way to handle data collection and sharing in a “privacy-first” world.
