Personal information and data brokers

Data brokers

Chart icon.

A data broker is a business that gathers and sells consumer information that the consumer didn’t give them directly.

Data brokers collect and sell personal information and sensitive personal information, including:

  • Social security number
  • Precise geolocation
  • Browsing history
  • Email addresses
  • Phone numbers
  • Interests
  • Health-related information
  • Shopping habits
  • And more

When the data is processed, some data brokers can infer a lot about you, including these sensitive topics:

  • Political views
  • Health data (e.g., pregnancy and other reproductive health, cancer, diabetes, etc.)
  • Family details (including children, divorce)
  • Financial status (e.g., debt, creditworthiness)

These inferences are also considered personal information and can be deleted with a DROP request. For more details on the information data brokers may not delete, go to If data brokers keep your data.

What data brokers do with your information

Data brokers package, trade, and sell information to various organizations, including ones you’ve never heard of before. 

Buyers may include:

  • Advertisers and marketers
  • Employers and recruiters
  • Political campaigns
  • Retail companies
  • Landlords
  • Debt collectors

Malicious buyers sometimes include hate groups, hostile foreign governments, and scammers.

How data brokers obtain your information

Data brokers often collect information from businesses you interact with directly. For example: 

  • Music streaming services may collect your playlists
  • Grocery stores, clothing retailers, or other apps may collect your purchase history
  • Video streaming services may collect your viewing history

When you submit a DROP request, the business you interact with directly will keep the information they have collected about you. However, data brokers that buy or collect that information must delete it. 

DROP and your personal information

User with hashed data icon.

When we collect your data, we immediately encrypt it.

This means your data is:

  • secure and private
  • encrypted before we store it
  • only used to complete your request

Data brokers match you to their records based on the data you submit through DROP. It may take just one piece of data for them to delete and stop selling the information they have about you.

Different data brokers may have different information about you.

The more you submit, the higher the likelihood data brokers will find you and delete your data.

Hashing data

DROP uses hashing so data brokers can match your data without exposing the original information. Once the data has been hashed, it’s almost impossible to turn back into the original data.

Here’s what hashed data looks like.

  • What you enter: emailaddress@email.com
  • What you see: e###s@e###m
  • What data brokers see: IokUeTFtxXZQdmjolr4Kn//apUY5a6J8sVdHyiWqqUk=

If data brokers keep your data

Line art showing data moving into folders

There are cases where data brokers may keep some of your data.

Exempted — These data brokers have data about you but haven’t deleted it because it’s exempt under the law. Examples include:

  • Public records, like vehicle or real estate ownership or voting records
  • Responding to a criminal or civil investigation

Some data is protected under other privacy laws.

  • Sensitive patient health information (governed under HIPAA laws)
  • Information that affects your credit score (Fair Credit Reporting Act)
  • Financial information that would affect your ability to get a loan (Gramm-Leach-Bliley Act)

Review Additional protections for more details.

Opted-out of sale — Data brokers couldn’t find an exact match using the information you provided. Try updating your request with more information. For example, you may share an email account with multiple people. If data brokers aren’t able to match that email to a single person, they will stop selling or sharing the information of everyone using that email. At this stage, they will not delete that data. Once you provide enough details for data brokers to identify your records, they will delete it. You can encourage others to submit their own requests, so data brokers will delete their information, too.

Record not found — These data brokers didn’t find you. This could be because they:

  • Don’t currently have any information about you.
  • Can’t find you based on what you provided in DROP.

Try updating your request with more details.

Partial deletions — Some data brokers also collect information directly from you. For example, if you buy something from them or sign up for their newsletter. Through DROP, they must delete information they got from other sources, but not information you provided directly. However, you can still request they delete that information through a privacy request.

If data brokers don’t follow the law

Data brokers may face fines if they do not comply with the law.

  • Failure to register — $200 per day plus unpaid fees and enforcement costs
  • Failure to delete consumer personal information — $200 per day, per consumer request plus enforcement costs

About

Businesses

Website Accessibility Certification