Online reports and articles mostly put the data brokerage industry at a 200-billion-dollar valuation, with approximately 4,000 players.
Other reports put the data brokerage industry at $257b in 2021.
Suffice it to say, the range spreads approximately from $100b to $370b depending on how you cook up and slice the pie chart and over how long.
With those billions in potential revenue behind 800-page reports on a single user’s data on Tinder, the regulation and legalese on the data brokerage industry remain “in construction.”
The EU General Data Protection Regulation (GDPR) and the California Consumer Protection Act of 2018 are recent examples of headway in regulating the data industry.
The Consumer Privacy Rights Act of 2020 remains the most recent version of California’s attempts to regulate companies operating both in California and for users using California-based services from international locations.
As a matter of fact, the interconnectivity of these three regulatory acts in personal data remains a main subject of study in UCLA’s LLM in Cybersecurity Law.
How data is collected, shared, and sold on a technical level represents a “gray-area-yet-to-be-cleared-up” for a vast percentage of lawyers and judges worldwide. Combined, the legalese on the GDPR, CCPA, and CPRA is at least 400 pages of regulatory verbiage.
Upon deeper analysis, the definitions with which a user’s data is treated…are still convoluted.
For example, users are clients who are brokers that sell to other brokers and share their data or sell it after bankruptcy.
What?
One of the glaring discrepancies across the documents is simply the definition of a user. Sometimes, a user is an entity. Throughout different regulatory acts, a user is also an individual. Other times, an entity is a group that deals with the data but doesn’t have the right to sell or transfer it, yet the sale or transfer happens anyway.
Lastly, it also depends on where you’re accessing the data from and what you’re doing online. If you’re outside of California, but using a California-based company, you and your data (actions online) are subject to two different regulations, both the GDPR and CCPA.
As a result, lawyers (corporate and private alike) and judges (locally or internationally) continue to be left to scratch their heads and muddle through the definitions before getting to the obvious purpose: protecting that person’s data.
The data brokering industry is complex and diverse, and it deals with a wide range of data types. Data brokers are businesses that we don’t directly work with but that gather information about us from numerous offline and online sources. These sources include tracking of online web and mobile app activity as well as property records, purchase histories, social media profiles, and online web activity.
After collecting our data, data brokers either sell or share it with third parties, or build algorithms designed to impact or predict our behavior.
Then, they place ads before that impacted or predicted action.
What Data is Brokered?
Personal Information
Personal information can include a variety of data points that can be used to identify an individual, such as full name, address, phone number, email address, and social security number.
Data brokers frequently get hold of this data from public documents including voter registration, property sales, and court filings.
For example, in 2019, it was reported that a data breach at First American Financial Corp.—a large title insurance company—exposed the personal data of over 885 million individuals.
The breach was caused by a vulnerability in the company’s website that allowed anyone with a web browser to access sensitive documents containing personal information.
Personal information is often obtained from public records and can be vulnerable to data breaches.
Demographic Information
Demographic information includes data points such as age, gender, ethnicity, income level, marital status, and education level.
For marketing and advertising purposes, complete profiles of individuals can be created using demographic data.
Data brokers can use demographic data to target specific consumer groups with tailored advertising campaigns. In 2019, it was reported that a data broker named Exactis had exposed a database containing over 340 million records, including detailed information on individual consumers’ interests, habits, and preferences.
Demographic information can be used to create detailed profiles of individuals for targeted advertising.
Online Activity
Online activity data includes information such as browsing history, search history, social media activity, and purchases made online. This data can be used to create detailed profiles of individuals for targeted advertising and marketing purposes.
A data broker may use browsing and search history data to target individuals with ads for products or services related to their interests. In 2020, it was reported that the data broker company, Epsilon, suffered a data breach that exposed the personal information of millions of individuals, including email addresses, home addresses, and other data points.
Online activity data is highly valuable to data brokers and can be vulnerable to data breaches.
Financial Information
Financial information data includes data related to financial transactions, such as credit scores, bank account information, and credit card information.
This data is used for risk assessment and fraud detection: banks and financial institutions may use credit scores and financial transaction data to assess an individual’s creditworthiness and eligibility for loans or credit cards.
In 2017, it was reported that the credit reporting agency, Equifax, suffered a massive data breach that exposed the personal and financial information of over 143 million individuals.
Financial information is highly sensitive and can be vulnerable to data breaches.
Health Information
Health information data includes data related to health and medical history, such as medical diagnoses, prescription medications, and health insurance information.
This data can be used for medical research and public health purposes, but it is highly sensitive and subject to strict privacy regulations.
For example, the Health Insurance Portability and Accountability Act (HIPAA) sets strict standards for the collection, storage, and use of personal health information by healthcare providers and health insurance companies.
Health information is highly sensitive and subject to strict, separate privacy regulations beyond the GDPR, CCPA, and CPRA.
Location Data
Location data includes data related to the physical location of individuals, such as GPS data from mobile devices or IP addresses from internet connections.
Location-based marketing and advertising strategies take advantage of this data.
For example, a data broker may use location data to target individuals with ads for nearby businesses or services. In 2018, it was reported that the data broker company, LocationSmart, had exposed the real-time location data of millions of individuals, including their precise location coordinates. The company had sold this data to a variety of businesses, including car rental companies and banks.
Location data can be highly sensitive and can reveal a lot of information about an individual’s movements and activities.
Professional Information
Professional information data includes data related to employment and job history, such as job titles, employers, and work history.
A data broker may use professional information data to create targeted lists of job candidates for employers.
In 2018, it was reported that the job search website, Indeed, had suffered a data breach that exposed the personal information of millions of job seekers, including names, email addresses, and employment histories.
Professional information data can be valuable for job recruitment and background-checking purposes, but it can also be vulnerable to data breaches.
Data brokers offer products in these categories: financial information, risk mitigation, marketing and advertising, people search, and personal health.
What Are Some Types of Data Brokers?
Risk Mitigation Brokers offer products to verify customers’ identities and detect fraudulent purchase patterns. Other companies in this category provide background checks for employment and tenant screening. For example, employment screening companies “provide background and verification information such as credit history, employment, salary, and education and professional license verification to employers and others including non-profit volunteer organizations.”
Examples of employment screening companies include ADP, backgroundcheck.com, and Checkr. Tenant screening companies include RealPage, RentGrow, and TransUnion.
Some screening companies must comply with the Fair Credit Reporting Act (FCRA), depending on whether they analyze credit histories. In addition, they typically will provide copies of background or tenant screening reports to consumers upon request.
Marketing and Advertising Brokers have various products and services that help businesses engage in targeted marketing. They segment and categorize consumers based on demographics or behavior and offer up these buckets of consumers to be targeted by advertisers. Marketing and advertising brokers also provide “append” services: a business may have partial information about a consumer, and the data broker adds additional information to the consumer profile, such as address or purchasing history. Data brokers in this category can also help third parties with market analysis.
A recent FTC report highlighted how Internet Service Providers (ISPs) use data brokers and is illustrative of the products that data brokers can offer in this category.
As an alarming example of how AI is trained, an ISP used data brokers’ data to market products to new customers by getting lists of new homeowners in a particular geography.
The ISP also bought additional data on its existing customers by sending their names and addresses to the data broker.
The data brokers appended demographic information (gender, age range, race and ethnicity information, marital status, parental status) and interest data (hiking, biking, gardening, bodybuilding, high-end spirits) for those subscribers.
The ISP then combined the data broker data with its own data to create custom customer segments to market to, and these segments often revealed sensitive data about its customers. Examples of segments developed include “viewership-gay,” “pro-choice,” “African American,” “Assimilation or Origin Score,” “Jewish,” “Asian Achievers,” “Gospel and Grits,” “Hispanic Harmony,” “working class,” “unlikely voter,” “tough times,” “investor high-value,” and “seeking medical care.”
Acxiom, Epsilon, and Oracle are some of the more significant players in this category.
In addition, a new set of data brokers has emerged around providing location data to advertisers and marketers.
Examples include SafeGraph and Placer.ai, both of which generated controversy in the spring of 2022 when reporters were able to purchase data from them that could track phones going to and from Planned Parenthood.
While location brokers may not provide the names of users associated with the location data, many of them will provide the Mobile Advertising IDs (MAIDs) associated with the phone location data.
People search data brokers provide websites that enable searches for information about consumers. The FTC says that “users can use these products to research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers.”
Some are designed like a phone directory, allowing you to view consumer data by name, mailing address, phone number, or email address. They can also do reverse phone lookups to map who owns a phone number. But because they also collect data from government records, social media, and commercial sources, the information is much more detailed than a phone book. For example, it can show relationships between family members even though they may not be living at the same address or share the same last name. They will also publish your age.
In addition, even though you may have opted out of being published in a telephone directory or registered with the FTC’s Do Not Call Registry so as not to be telemarketed to, these sites will still publish your address and phone number.
The people search websites will also offer, for a fee, a “full” background check. This will include arrest and criminal records, misdemeanors and felonies, warrants, and police records, evictions and foreclosures, professional licenses, marriage and divorce records, birth and death records, and more.
Well-known data brokers in this space include Spokeo, ZoomInfo, White Pages, PeopleSmart, Intelius, PeopleFinders, BeenVerified, and PeekYou.
Personal Health Brokers collect, share, and sell consumer health data to pharmaceutical and health insurance companies. Data collected includes purchases of over-the-counter drugs, geriatric supplies and weight loss supplements, contact lenses, and health-related magazine subscriptions. Other data elements include whether a consumer buys disability or supplemental insurance, and any online searches related to a specific ailment.
Data brokers will also collect purchase history or reported interest in particular health topics, including allergies, arthritis, cholesterol, diabetes, and senior needs.
Even though health data is supposed to be strictly regulated, the data broker firm Epsilon claims they track over 100 medical conditions, procedures, or ailments, including colitis, depression, or anorexia.
As these data providers are not “covered entities” under the Health Insurance Portability and Accountability Act (HIPAA), there is no restriction on the collecting and selling of this highly sensitive data.
Conclusion
According to a market research website selling a 5,000-dollar, 108-page data brokerage report, the global data broker market was valued at an estimated $257,160,000,000 in 2021, and total data brokerage revenue is expected to grow at 4.5% from 2022 to 2029, reaching nearly $365,710,000,000.
Overall, data brokers collect a wide range of data types, and this data can be used for a variety of purposes, including targeted advertising, risk assessment, and fraud detection. However, this data is also highly sensitive and can be vulnerable to data breaches and misuse.
It is important for individuals to be aware of their data privacy rights and to take steps to protect their personal information.
California Privacy Rights Act (Full Text) | EU General Data Protection Regulation | California Consumer Privacy Act