What 4,000 Data Brokers Actually Know About You
Your income estimate, political affiliation, health conditions, daily commute, online purchases, and physical movements — all commercially available. Here's who's buying it and what they're doing with it.
There’s a company called Acxiom — rebranded to LiveRamp in 2018, presumably because the old name started showing up in too many investigative reports — that maintains over 10,000 data attributes on roughly 2.5 billion consumers worldwide. Full names, home addresses, phone numbers, income estimates, credit scores, political affiliations, religious affiliations, health conditions, prescription histories, purchase records, device identifiers, and granular location data. All commercially available. All perfectly legal.
Acxiom is one company. There are an estimated 4,000 more.
The industry nobody talks about
The data broker market is worth an estimated $350 billion globally, and it operates almost entirely outside public awareness. Most people have never heard of Acxiom, Epsilon, Oracle Data Cloud, or LexisNexis Risk Solutions — yet these companies hold dossiers on them that would make a Cold War intelligence agency jealous.
Vermont remains one of the only U.S. states requiring data brokers to register. As of 2024, over 640 brokers had filed with Vermont’s Secretary of State. That’s 640 companies in a single small-state registry. The actual global number dwarfs that figure, and most operate with zero registration requirements, zero transparency obligations, and zero accountability to the people whose lives they’re cataloging.
The data categories are exhaustive: date of birth, Social Security numbers, email addresses, browsing history, social media activity, daily commute patterns, online purchase records, loyalty program activity, and IoT device telemetry. When Acxiom says 10,000 attributes per person, they aren’t exaggerating. They’re segmenting you by estimated household income, predicted voting behavior, likelihood of divorce, chronic health conditions, and whether you’re probably pregnant.
How the pipeline works
The supply chain is elegant in its ruthlessness. Free apps request location permissions. Embedded SDKs from data companies silently transmit that data to aggregators. Aggregators package it into structured datasets. Brokers buy those datasets, merge them with public records, credit applications, retailer purchase data, and social media scrapes, then sell the enriched profiles to anyone with a budget.
Individual records go for $0.005 to $0.50 depending on granularity. Bulk datasets sell for thousands. The economics are straightforward: the product is you, the customer is everyone else, and the margin is enormous.
Loyalty programs are a key feeder. Every swipe of a grocery store rewards card generates purchase data that flows directly into broker databases. Credit applications get harvested. Public records — property filings, voter registrations, court records — are scraped and cross-referenced. And then there’s the phone in your pocket, reporting location coordinates to dozens of entities you’ve never heard of.
When the buyers are cops — and worse
In 2022, the Electronic Frontier Foundation exposed Fog Data Science, a company that had been quietly selling phone location data to hundreds of law enforcement agencies across the United States — no warrant required. Fog’s product let police track individual devices across time and geography, effectively building movement histories on anyone whose phone pinged a cell tower or connected to an app with location access.
Fog wasn’t alone. Babel Street and Near Intelligence offered similar capabilities to government agencies. The business model was simple: buy commercially available location data, repackage it for law enforcement, and sidestep the Fourth Amendment entirely. Why get a warrant when you can just buy the data?
Then there’s X-Mode, now rebranded as Outlogic. VICE Motherboard reported that X-Mode harvested location data from Muslim prayer apps — apps like Muslim Pro, with tens of millions of users — and sold it to U.S. military contractors. People using an app to find the direction of Mecca were unknowingly feeding their coordinates to defense agencies.
After the Dobbs decision overturned Roe v. Wade, SafeGraph was caught selling location data that could show exactly where abortion clinic visitors traveled from and returned to. Researchers demonstrated they could identify individual visitors’ home neighborhoods. SafeGraph eventually said it would stop selling the data. Eventually.
The opt-out illusion
The standard advice is to submit opt-out requests to each broker individually. It’s a nice idea. In practice, brokers re-acquire your data from other sources within 30 to 90 days. You’d need to submit removal requests to thousands of companies, repeatedly, forever — and that’s assuming you can identify them all, which you can’t, because most don’t register anywhere.
The Consumer Financial Protection Bureau proposed a rule under the Biden administration that would have regulated data brokers under the Fair Credit Reporting Act, treating them as the consumer reporting agencies they functionally are. The rule’s status is uncertain. The industry lobbied hard against it. Nobody should be surprised.
Some states have passed limited privacy laws. California’s CCPA gives residents the right to request deletion. But enforcement is thin, compliance is inconsistent, and the fundamental business model remains untouched. The data keeps flowing because the economic incentives are massive and the regulatory framework is decades behind the technology.
The math doesn’t work in your favor
Here’s the core problem: every app permission granted, every account created, every device connected, and every online purchase completed adds another data point to broker profiles that already contain thousands. Opting out one company at a time while simultaneously feeding data into the pipeline from every direction is like bailing water from a boat with no hull.
The leverage point isn’t downstream — it’s upstream. It’s the data you generate in the first place. A stock Android phone pings Google services roughly 340 times per day, transmitting location, app usage, device state, and network information. That telemetry feeds directly into the ecosystem that brokers exploit. Every “free” service extracting behavioral data in exchange for convenience is another tributary feeding the $350 billion river.
The most effective countermeasure isn’t chasing brokers with opt-out forms. It’s cutting the supply. Devices that don’t phone home. Tools that don’t feed the pipeline. Hardware that treats your data as yours by default rather than as inventory for the next buyer.
Understanding this pipeline — how data flows from your pocket to a broker’s database to a buyer’s dashboard — is what gives you the power to cut yourself out of it. Not by asking permission. Not by filing opt-out forms with companies that will re-acquire your data in 90 days. By changing the architecture at the source.
That’s why we build de-Googled phones. Not because opting out is hopeless — but because the less data that enters the pipeline, the less there is to sell. The knowledge of how the system works is the first step toward not feeding it.