The business you never see
Data brokers — also known as information brokers or data resellers — are companies that collect, analyse, aggregate and sell or license personal data about people to third parties. In most cases, the people concerned neither know about it nor have consented.[05][06]
They are also referred to as Information Product Companies, Data Resellers, Data Suppliers or Data Vendors. The system is entirely invisible to most people: there is no direct business relationship between the broker and the person whose data is being collected. The people concerned are the product, not the customer.
According to forecasts, the market is expected to grow to $448–617 billion USD by 2030–2031.[01][02] For comparison: the total revenue of the German automotive industry in 2024 was around €460 billion.
How to make billions from other people's data
Data brokers make money in several ways:[01][07][13]
- Bulk sale of entire datasets — companies purchase millions of profiles at once, e.g. all women aged 30–45 in Bavaria with children
- Subscription-based direct access for corporate clients — paying customers get a permanent live connection to the database and can retrieve up-to-date profiles at any time (41% of the market, 2025)
- Online data marketplaces — digital exchanges where data packages are offered and traded like goods; the fastest-growing segment (+14% per year)
- Analytics services: ScoringScoringThe calculation of a metric expressing your creditworthiness, risk profile or value as a customer. In Germany via SCHUFA: 0–100%. Determines access to loans, housing, phone contracts — often without your knowledge., profiling, risk assessment
- Usage fees for permanent access — similar to a software subscription, except it grants access to other people's personal data
The business model is vertically structured:
- First-party providers: Collect data directly from you — these are platforms like Facebook, Google or online retailers that record your behaviour on their own sites
- Third-party resellers: Buy data from many first-party providers, combine it into detailed comprehensive profiles and sell it on — these are the actual data brokers (e.g. Acxiom, Experian, Epsilon)
- People-search engines: Websites where anyone can, for a fee, search for a specific person and obtain their address, relatives and phone numbers (e.g. Spokeo, Intelius)
What brokers know about you
An average data brokerData BrokerCompanies that collect personal data, compile it into profiles and sell it to third parties — without the people concerned knowing or having consented. There are around 5,000 such firms worldwide. profile contains approximately 1,500 data points per person. Acxiom claimed in 2023 to hold data on 2.5 billion people with over 3,000 data points per person.[07][08]
Basic information
Name, address, phone number, email, date of birth, age, gender, Social Security number (USA), ID numbers.
Demographic & socioeconomic data
Marital status, household size, children, education level, occupation, income, assets, creditworthiness, homeowner or renter status.
Behavioural & purchase data
Purchase history (online & offline via loyalty cards), browsing behaviour, search history, consumer preferences, brand affinities, subscriptions, donation behaviour.
Location data
GPS movement profiles from advertising SDKsSDKSoftware Development Kit — a programming toolkit that app developers embed in their apps. Advertising SDKs collect location data, device information and usage behaviour in the background and send it to ad networks or data brokers. in apps — frequently visited places such as home, work, church, doctor's surgery, school.[09][12]
Health & lifestyle data
Inferred from purchase data: plus-size clothing → body status, tendency toward illness. LexisNexis offers a health scoring product that calculates expected healthcare costs from consumer behaviour.[08]
Political & religious data
Voter registration, donation history, inferred religious affiliation, political leaning.
Psychographic & life-event data
Life events: marriage, divorce, house move, new baby, university, job change. Personality types, interests, hobbies. Experian sells weekly updated lists of "names of expectant parents and families with newborns".[08]
Where does the data come from?
Public sources
Voter registrations, census data, land registry records, court files, vehicle registrations, driving licence databases, death certificates, marriage certificates.
Commercial sources
Retailers and loyalty card programmes — Datalogix holds data on over $1 trillion USD in consumer spending from 1,400+ brands. Also: banks, credit institutions, insurance companies, estate agents, landlords, telecoms companies.[08]
Digital sources
Social media platforms, online quizzes, prize draws, surveys, ad networks & cookiesCookiesSmall text files that websites store in your browser. Third-party cookies track you across different websites and send your browsing behaviour to ad networks and data brokers., mobile apps with embedded advertising SDKs — including prayer apps and dating apps, e-commerce transactions.[09][12]
Data purchases from other brokers
Brokers also buy from one another — creating a data chain that is practically untraceable. Acxiom, Experian and Epsilon refused to disclose their specific data sources or buyers to the US Senate.[14]
The world's biggest data traders
| Company | Annual revenue | Core business |
|---|---|---|
| Experian | ~$9.7B USD | Credit reportingCredit ReportingThe systematic collection and analysis of financial data about consumers: payment behaviour, outstanding loans, debt collection proceedings. In the US dominated by Experian, Equifax and TransUnion — in Germany by SCHUFA., marketing |
| Equifax | ~$5.1B USD | Credit reporting, analytics |
| Epsilon | ~$2.9B USD | Marketing, advertising data |
| Acxiom / LiveRamp | ~$2.7B USD | Consumer data, profiling |
| CoreLogic | ~$2.3B USD | Real estate, insurance |
Estimates ~2022–2024. Sources: [07][15]
Who buys the data?
67% of companies purchase external data for customer targeting (2025).[11][33]
| Sector | Purpose |
|---|---|
| Advertising & marketing | Targeting, segmentation, personalised advertising. Largest sector — all major brands plus Google, Meta, Amazon Advertising. |
| Banks & insurance | Creditworthiness checks, fraud detection, risk assessment before contract. Also landlords (credit checks before tenancy) and employers (background checks before hiring). |
| Healthcare sector | Risk assessment of insured individuals. Blue Cross Blue Shield of North Carolina purchased data on the consumer habits of 3 million of its own members for health risk calculations.[08] |
| Real estate sector | Mortgage lenders, estate agents (CoreLogic). |
| Other brokers | Brokers buy from each other and combine datasets. |
When the state buys your data
This is one of the most explosive chapters. US authorities exploit the so-called "data broker loopholeLoopholeA legal gap: since commercially sold data is considered "publicly available", US authorities need no court order to buy it. This is how the FBI, ICE and DHS circumvent the 4th Amendment.": because publicly available data requires no court order, agencies buy data from brokers to bypass the privacy protections enshrined in the 4th Amendment4th AmendmentFourth Amendment to the US Constitution: protects citizens against unreasonable searches and seizures. For physical searches, police need a court order — for purchasing data from brokers, they currently do not. of the US Constitution.[17][20][22]
| Agency | Data purchased | Purpose |
|---|---|---|
| DHS / CBP | Mobile phone location data | Tracking migrants |
| ICE | Location data, utility data, licence plate reader data | Deportation operations |
| FBI | Location data (Venntel), automated alerts on social media activity of specific individuals (ZeroFox) | Law enforcement; investigated >1,000 media outlets, politicians, religious groups |
| DEA | Location data | Drug investigations |
| US Special Operations Command | Location data | Military intelligence operations |
| Defense Intelligence Agency | LexisNexis contract | Intelligence analysis |
| US Navy | Sayari Analytics (network analysis service) | Tracking individuals and companies violating international sanctions |
| DHS | Web of Science (world's largest academic database) | Identifying and monitoring foreign researchers working at US universities |
Particularly explosive cases
When data traders get hacked
According to a report by the US Congress Joint Economic Committee (February 2026), just four data broker breaches cost American consumers an estimated $20.9 billion USD through identity theft.[25][26]
| Company | Year | Affected | Data |
|---|---|---|---|
| Equifax | 2017 | 147.9M | Names, SSN, dates of birth, addresses, driving licences, credit cards |
| Exactis | 2018 | 230M | Phone, email, interests, children |
| National Public Data | 2023/2024 | 270M (2.9B records) | Names, addresses, SSN, dates of birth, phone numbers |
| TransUnion | 2025 | 4.4M | Not fully documented |
| LexisNexis | March 2026 | ~3.9M DB records | Names, addresses, government accounts (incl. US federal judges, DoJ attorneys, SEC staff). AWS misconfiguration exploited. Confirmed 4 March 2026. |
Equifax 2017 — In detail
Cost to Equifax: $1.38 billion USD (security upgrades + settlement). FTC settlement: $575 million + free credit protection for those affected. Notable: to this day, no one from the stolen data has been demonstrably harmed by identity theft — China apparently used the data for intelligence purposes, not fraud.[27][29][31]
National Public Data 2024 — In detail
USA vs. Europe: Two worlds
US states: Leading legislation
| State | Law | Key content |
|---|---|---|
| California | Delete Act (2023) + SB 361 (2025) | All brokers must register. From January 2026: a single central deletion request is sufficient to be removed from all registered brokers simultaneously. Brokers must comply within 45 days. |
| California | CCPACCPACalifornia Consumer Privacy Act — California's data protection law since 2020. Gives consumers the right to know what data is collected and to prohibit its sale./CPRA (consumer protection laws) | Right to access, right to erasure, right to object to the sale of one's own data |
| Vermont | Data Broker Registration | Mandatory registration + disclosure |
| Texas | Data Broker Law | Registration requirement; AG investigation with fines up to $1.4B |
| Colorado | Privacy Act | Opt-out rights |
| Oregon | Consumer Privacy Act | Similar to CCPA |
New EU legal developments 2025/2026
- EU Data Act (fully applicable since 12 Sept. 2025): Regulates who may access data from connected devices (smart TVs, fitness trackers, smart home) and how.[36][39]
- Digital Omnibus (Nov. 2025): The European Commission proposes consolidating several data protection laws (GDPR, cookie rules, Data Act) into a single simplified package; to be debated by the EU Parliament in 2026.[38]
- Coordinated EU data protection action 2026: European data protection authorities are jointly examining whether brokers are fulfilling their obligations to inform people about data collection — an issue that directly affects brokers.[37]
- New EU procedural rules (Nov. 2025): Data protection authorities from different EU countries will be better able to cooperate when a broker is active in multiple countries.[36]
What you can do — and what you can't
LexisNexis: risk.lexisnexis.com/consumer-and-data-access-policies
Experian (marketing): experian.com/privacy/opting_out
⚠️ Having yourself removed from LexisNexis risks some security questions with bank accounts or government services no longer working — because these services use LexisNexis data to verify your identity.
Art. 17 GDPR: Right to erasure ("right to be forgotten")
Art. 21 GDPR: Objection to data processing for advertising purposes
Art. 22 GDPR: Protection against exclusively automated decisions[41]
The German data broker ecosystem
Germany has its own established data broker industry — divided into two categories: credit reference agenciesCredit Reference Agency (Auskunftei)Companies that collect creditworthiness data about consumers and sell it to banks, landlords and retailers. In Germany: SCHUFA, Creditreform, CRIF, infoscore. They indirectly determine access to loans, housing and contracts. (credit data) and address/marketing data traders (consumer profiles for advertising).[57]
The major credit reference agencies
Credit reference agencies are the most powerful data brokers in Germany. They indirectly determine whether someone gets a flat, can sign a mobile phone contract or receives a loan. All are members of the association "Die Wirtschaftsauskunfteien e.V."
What is stored: Bank accounts, credit cards, mobile phone contracts, instalment loans, payment defaults, debt collection proceedings, insolvency proceedings.
Data error problem: A Stiftung Warentest sample (2010) found ~37 million outdated and 4.6 million simply incorrect records. More recent studies confirm high error rates.[47]
Positive dataPositive DataData about regular contract agreements (mobile phone contract, bank account) — as opposed to negative data (payment defaults, debt collection). Controversial: mobile providers transmit contract agreements to SCHUFA without consent. The Munich Regional Court ruled this unlawful. controversy: Vodafone, Telekom, Telefónica/o2, Blau.de, Aldi Talk and Freenet transmit contract agreements to SCHUFA without the consent of those affected. The Munich Regional Court ruled: this transmission is unlawful.[60]
Data protection criticism (NDR Info): Unauthorised parties could retrieve sensitive data on millions of consumers using just a name, date of birth, address and a mobile number (not necessarily their own) — for around €20 per query. The Baden-Württemberg data protection commissioner described this as a "serious data protection violation".[55]
Address and marketing data traders
Alongside credit reference agencies, there is a second category: companies that sell consumer profilesProfilingThe automated creation of detailed personality profiles from collected data: purchase behaviour, income, health, political leaning. Defined and regulated as "profiling" under GDPR — but difficult to enforce. for direct marketing. Their legality under GDPR is highly contested.[61][63]
Scandal: NOYBNOYBNone Of Your Business — a European privacy organisation founded by Max Schrems. Systematically files GDPR complaints against companies that violate data protection. Has sued Facebook, Google and data brokers, among others. complaint: AZ Direct allegedly sold millions of consumer addresses to the credit agency CRIF without consent.[61]
The SCHUFA scoring scandal and ECJ rulings
The SCHUFA scoring system was completely opaque for years: neither those affected nor courts knew how the score was calculated. A series of ECJ rulings and German court decisions have shaken the system.[47][50]
Federal Cartel Office sector inquiry
The Federal Cartel Office (Bundeskartellamt) investigated creditworthiness scoring in online retail in 2024 and found that scoring — largely unnoticed by consumers — runs automatically in the background and affects a significant part of German e-commerce.[54]
The Databroker Files — Germany and Europe
The Databroker Files is an investigative research project running since summer 2024 by netzpolitik.org and Bayerischer Rundfunk as well as international partners (WIRED, Le Monde, L'Echo, BNR). Awards: Grimme Online Award 2024, Data Protection Media Prize 2024, European Press Prize 2025.[42]
EU Commission: "We are concerned." Axel Voss (CDU/EPP): "In the current geopolitical situation we must take this very seriously." Alexandra Geese (Greens): "Europe must ban large-scale data profiling." NATO: "We are aware of the general risks" — concrete measures unknown. An internal EU circular email subsequently warned EU staff of tracking risks.[43][44]
Legal assessment by the Bundestag Research Service: The Federal Criminal Police Office (BKA) and Federal Police lack a legal authorisation basis for purchasing data from brokers. No explicit legal basis found for intelligence services (BND, Verfassungsschutz, MAD) — purchase could be justified in individual cases under very limited circumstances.[45]
GDPR in Germany: Theory vs. practice
Your rights: requesting your credit file
| Credit agency | Self-disclosure (free of charge, Art. 15 GDPR) |
|---|---|
| SCHUFA | meineschufa.de — free once per year. ⚠️ Caution: the paid version is visually highlighted! |
| infoscore | experian.de/selbstauskunft |
| CRIF Bürgel | crifbuergel.de/konsumenten/selbstauskunft |
| Creditreform | creditreform.de (for business owners) |
Conclusion
Data brokers are not a fringe phenomenon. They are a global industry with hundreds of billions in revenue that intervenes in every life situation — from credit applications to flat-hunting to the surveillance of political activists. In Germany, GDPR in theory provides strong protection, but rights only become truly enforceable through ECJ rulings and legal pressure.
The fundamental problem remains: the system is designed to be invisible. Most people do not know it exists — let alone what is stored about them. The simplest form of resistance is knowledge.