
You never signed up. You never agreed to anything. But right now, there are companies that know your home address, your phone number, your relatives' names, your approximate income, your political affiliation, and the names of your neighbors — and they're selling that information to anyone willing to pay for it.

These companies are called data brokers, and in 2026, the industry is bigger, more sophisticated, and more dangerous than most Americans realize.

A February 2026 report from the U.S. Senate Joint Economic Committee found that data broker breaches alone have cost American consumers more than $20.9 billion in identity theft losses — tied directly to just four major hacks at companies that exist solely to collect and resell your personal data.

This article explains exactly what data brokers are, where they get your information, what they do with it, and — most importantly — what you can actually do about it.

What Is a Data Broker?

A data broker is a company that collects personal information about private individuals from dozens of sources, aggregates it into detailed profiles, and sells access to those profiles to advertisers, marketers, insurance companies, employers, landlords, law enforcement agencies, and anyone else willing to pay.

Most people have never heard of these companies. That's by design. The industry operates largely in the background, invisible to the people whose data it's trading.

According to privacy researchers, there are over 4,000 active data brokers operating in the United States as of 2026. Roughly 200 of them — including names like Whitepages, Spokeo, BeenVerified, Intelius, and LexisNexis — account for the majority of public exposure risk. These are the companies that appear in Google search results when someone types your name.

Where Does Your Data Come From?

Data brokers don't hack your accounts to get your information. They don't need to. Almost everything they collect is technically "public" — it's just that most people have no idea how much of their life is publicly accessible, or how damaging it becomes when it's all assembled in one place.

Sources data brokers use include:

  • Public records — Property deeds, voter registrations, court filings, business licenses, and marriage and divorce records are all publicly accessible and freely scraped
  • Social media profiles — Anything you post publicly on Facebook, LinkedIn, Instagram, or X is fair game
  • Retail purchase histories — Loyalty programs, store cards, and online retail transactions are frequently sold to data brokers by the retailers themselves
  • Website tracking — Cookies, pixels, and behavioral tracking across the open web build a profile of your browsing habits, interests, and purchase intent
  • Other data brokers — Brokers buy data from each other constantly, layering profiles to fill in gaps and increase accuracy
  • Data breach leak markets — Some less scrupulous brokers incorporate data from previous breaches, meaning stolen information can end up in legitimate-looking background check databases

The result is a profile that may include your full name, current and past addresses, phone numbers, email addresses, relatives and roommates, estimated income, property ownership, vehicle history, professional background, political donations, religious affiliation, and buying habits.

What Does $20.9 Billion in Losses Actually Mean?

The Senate Joint Economic Committee's February 2026 report put a dollar figure on something privacy researchers have warned about for years. Four major data broker breaches — including the 2024 National Public Data breach that exposed approximately 2.7 billion records — supplied criminals with ready-to-use personal profiles that enabled identity theft at industrial scale.

The danger isn't just that your address is somewhere online. It's that data brokers combine dozens of data points into a single, accurate profile that makes social engineering and identity theft trivially easy.

When a criminal has your full name, current address, phone number, the names of your siblings and parents, your approximate age, and your employer, they can impersonate you to your bank. They can answer your security questions. They can convince your cell carrier to port your number to their device. They have everything they need, and they probably got it from a service you've never heard of.

Your data is already out there. CyberFence Breach Monitor continuously scans the dark web for your email address and credentials — and alerts you the moment your information appears in a known breach.


The People Search Site Problem

The most visible face of the data broker industry is the "people search" website — platforms like Whitepages, TruePeopleSearch, Spokeo, and BeenVerified that let anyone look up detailed personal information about any private citizen for a small fee (or sometimes for free).

These sites weren't designed to enable stalking and harassment. But that's increasingly how they're being used. Research cited in the Senate report indicates that 60% of cybercrimes against seniors are at least partly fueled by personal information available through data brokers and people search sites.

The data is also used for more mundane but still damaging purposes: spam calls, targeted scam texts, insurance discrimination, and employer background checks that surface inaccurate or outdated information.

AI Is Making the Problem Significantly Worse

Here's what's changed in 2026: artificial intelligence systems are now scraping people search websites at a scale and speed that individual users can't match.

What once took human operators weeks to aggregate — building a profile of a specific person from dozens of sources — can now be done in minutes by automated AI crawlers. These systems don't care whether your data is accurate, outdated, or already removed from one site. They capture snapshots, store them, and redistribute the information across new platforms and commercial data products.

This creates a fundamental asymmetry. You operate in manual, reactive mode. The data broker industry operates in automated, proactive mode. Even if you successfully opt out from one site today, an AI system may have already copied your profile to five other databases yesterday.

The European Data Protection Board published its first market study on the data broker ecosystem in March 2026, describing this dynamic as a "structural privacy threat" — one that individual opt-out efforts alone cannot solve.

What Can You Actually Do About It?

The honest answer is that completely removing yourself from data broker databases is extremely difficult and, in most cases, temporary. New data is continuously added as public records update and as brokers scrape new sources. But there are meaningful steps you can take to reduce your exposure.

1. Submit Opt-Out Requests to Major Brokers

Every major data broker is required by law to offer an opt-out mechanism — though many make it intentionally difficult to find. A 2026 CalMatters investigation found that multiple brokers were using "noindex" tags to hide their opt-out pages from search engines, preventing people from finding the removal process via Google.

Start with the highest-risk brokers: Whitepages, Spokeo, BeenVerified, Intelius, TruePeopleSearch, and PeopleFinder. Each requires a separate opt-out request. The process is time-consuming — typically 15–20 minutes per site — and you'll need to re-submit requests periodically as your information reappears.
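One way to check whether an opt-out page is being kept out of search results, as an added example that is not from the original article or from any broker's code: the script inspects a page's HTML and response headers for "noindex" directives. The sample pages and header values are constructed for illustration.

```python
from html.parser import HTMLParser

# Meta tag names search crawlers read; "robots" applies to all of them.
CRAWLER_NAMES = {"robots", "googlebot", "bingbot"}
# Directives that keep a page out of results ("none" means noindex, nofollow).
HIDING = {"noindex", "none"}


def directives(value):
    """Split 'googlebot: noindex, nofollow' into {'noindex', 'nofollow'}."""
    return {t.rsplit(":", 1)[-1].strip().lower() for t in value.split(",") if t.strip()}


class RobotsMeta(HTMLParser):
    """Collects (name, directives) for every robots-style <meta> tag."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if tag == "meta" and name in CRAWLER_NAMES:
            self.tags.append((name, directives(a.get("content", ""))))


def find_noindex(html, headers=None):
    """Return findings that hide the page from search; empty list = indexable."""
    findings = []
    for key, value in (headers or {}).items():
        if key.lower() == "x-robots-tag" and directives(value) & HIDING:
            findings.append(f"header X-Robots-Tag: {value}")
    parser = RobotsMeta()
    parser.feed(html)
    for name, found in parser.tags:
        if found & HIDING:
            findings.append(f"meta {name}: {', '.join(sorted(found))}")
    return findings


# Constructed sample pages (not taken from any real broker site).
HIDDEN_PAGE = '<html><head><meta name="ROBOTS" content="NoIndex, nofollow"></head></html>'
VISIBLE_PAGE = '<html><head><meta name="robots" content="index, follow"></head></html>'

if __name__ == "__main__":
    print(find_noindex(HIDDEN_PAGE))
    print(find_noindex(VISIBLE_PAGE, {"X-Robots-Tag": "googlebot: none"}))
    print(find_noindex(VISIBLE_PAGE))
```

Feed it the body and response headers of an opt-out page you have already downloaded; a non-empty result means the page asks search engines not to list it, so you will need to reach it from the broker's own site rather than through a search.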

2. Use California's DELETE Act (Even If You Don't Live in California)

California's SB 362 DELETE Act went fully operational in 2026, creating a single mechanism that allows California residents to request deletion of their data from 500+ registered data brokers simultaneously. If you have a California address — even a historical one — you may qualify.

Four states now require data brokers to register: California, Vermont, Texas, and Oregon. Residents of these states have the strongest legal tools for removal.

3. Audit Your Social Media Visibility

Data brokers scrape everything that's publicly visible. Go through your Facebook, LinkedIn, and Instagram profiles and set anything personal — your phone number, your city, your employer, family connections — to "Friends only" or private. This won't remove data that's already been harvested, but it reduces the surface area for future scraping.

4. Use a VPN to Prevent Ongoing Behavioral Profiling

One of the ways data brokers build and update your profile is through behavioral tracking across the web — the websites you visit, the products you look at, the content you read. Your IP address is one of the primary identifiers used to link this activity to a real person.

A VPN with a zero-log policy replaces your real IP address with a server IP, so trackers can no longer use your IP address to link your browsing activity to your personal identity. It won't remove data that's already been collected, but it significantly limits how much new behavioral data brokers can attribute to you going forward.

Equally important: a VPN with DNS filtering (like CyberFence's Web Shield) blocks tracking scripts and ad pixels at the DNS level — before they even load. These are the tools data brokers and their advertising clients use to profile your online behavior in real time.

5. Monitor for Breach Exposure

Because data broker databases are high-value targets for hackers, your information is at elevated risk of appearing in breach leak markets. Dark web monitoring tools continuously scan known breach databases and notify you when your email address, phone number, or other credentials appear.

CyberFence includes both VPN protection and dark web breach monitoring in every plan. AES-256-GCM encryption stops behavioral profiling at the network level. Web Shield blocks tracking scripts before they load. Breach Monitor alerts you when your data appears in a breach.


The Legislative Landscape Is Shifting — But Slowly

There is still no comprehensive federal privacy law in the United States as of 2026. The Federal Trade Commission has described the data broker industry's lack of transparency as "fundamental" — a core structural problem, not a fringe issue. But federal legislative action has been slow, and the rules remain a patchwork of state-by-state regulations.

The states moving fastest are California, Texas, Vermont, and Oregon. Twelve states now require businesses to honor the Global Privacy Control signal — a browser-level setting that automatically opts users out of data sales. If your browser supports it and you're in one of those states, enabling GPC is one of the easiest privacy wins available to you.

The European Union is significantly further ahead. The EDPB's 2026 market study on data brokers is expected to lead to enforcement actions under GDPR, and Clearview AI is now facing criminal charges in multiple EU jurisdictions for data collection practices that would be legal in most US states.

The Bottom Line

Data brokers are a real, present threat to your privacy and financial security — not a theoretical concern. The $20.9 billion in losses documented by the Senate in early 2026 is not an abstract number. It represents real people whose identities were stolen, whose accounts were drained, and whose information was weaponized against them by criminals who got it from companies you've never heard of.

You can't eliminate the risk entirely. But you can reduce it meaningfully: submit opt-out requests to the major brokers, limit what's publicly visible on your social profiles, use a VPN to stop new behavioral profiling, and monitor for breach exposure so you know immediately when your data appears somewhere it shouldn't.

The data broker industry profits from your ignorance. The best thing you can do is stop being ignorant about it.