An image depicting a patient record with personal data which is being sold by data brokers to the highest bidder
Paul Rogers Author & Data Privacy Consultant

Whose Selling me Out?

– A Look at Data Broker Exploitation –

The ‘data broking’ industry is made up of ad-tech groups, data analytics firms and credit reference agencies all with the sole aim of monetising your personal data with maximum efficiency! In this article I explore how your personal is for sale, the extent of what’s happening globally in the data broker market and what you can do to protect yourself!

What they Sell:

In most cases brokers (sometimes referred to as data aggregators) use data such as tastes in books, hobbies, music, political leanings, online dating preferences and increasingly health information which they sell onto banks, retailers, telecoms, insurers, media companies and governments without your approval or knowledge.

Big Players:

According to an article by the Financial Times: Oracle, Salesforce and Nielsen are some of the largest data brokers globally, selling 100’s of points of data which can be bought and added to your file. Oracle claims to sell data on 300 million people globally with 300 data points per individual.

An infographic by the Financial Times showing how consumer data is identified.

An infographic by the Financial Times showing how data brokers identify people

In India:

Data brokers are operating globally, In India for example, brokers are selling your data for 5 Paise to fuel a Covid driven data industry. These brokers can pass on your health data to advertisers, insurance companies and hospitals as a source of lead generation for products and services; read more at: The Times of India.
According to Gartner

“There are an estimated 5,000 data brokers worldwide, and nearly 10 million open datasets published by government agencies and non-governmental organisations (NGOs).” a rapidly growing number of brokers are operating in a population dense market like India.

In Europe:

The European Commission forecasts the data market in Europe could be worth as much as €106.8bn by the end of 2020.

Unsurprisingly, regulators in Europe have started to pay closer attention to their methods and practices, reported in January that the European data protection board has commissioned a privacy expert to provide a legal analysis of 25 mobile applications and 10 data brokers. The study is one of several launched by the EDPB to examine the impact of the GDPR”.

Data Collection Points

The availability of data varies by jurisdiction, in the U.S. (where brokers such as Intelius and Choicepoint (now defunct) main function is/was to buy and sell background reports for under $50 to anyone willing to pay. According to “They and others drew much of their information from public records including court records, motor vehicle records, census data, birth certificates, marriage licenses, voter registration information, bankruptcy records, and divorce records.

[They also collect] …”purchase data” from credit card providers and retailers. This includes such information as the amount of money you owe on your department store credit card, the type of coupons you tend to use, and the items you’ve purchased in the past after swiping a store’s loyalty card. Data brokers might nab personal information from the posts you’ve made or ‘liked’ online, online quizzes you’ve taken, online sweepstakes you’ve entered, and the websites you’ve visited.” But that’s not all, as the US infomercials often say.. read on ->

Data Brokers In The News

CPO Magazine reported that “Social Data”, a data broker appears to have been scraping public social media profiles of up to 235 million social media profiles for information without the knowledge or consent of the host companies YouTube, Instagram etc. (They had been banned on Facebook in 2018 for policy abuses.)

Account information including full names, links to personal and business websites, email addresses, personal images and videos, the content of posts and information about followers among other items were being collected. CPO said that “this is the sort of information that scammers collate into larger “combo files” (often traded on the dark web) as reference for elements of authenticity when engaging in attempts at fraud or social engineering”

LimeLeads ElasticSearch had it’s database of 49 million business contacts sold online to a underground hacking forum last year. And of course not forgetting Equifax and the 145 million peoples personal data exposed by that breach in 2017.


Taking the time to assess whether you really need the service/product is the 1st step to take in any situation where you are being asked for your information. If it’s an app you’re downloading then assess the trustworthiness of the app through online research and reviewing user ratings/comments (if available). In the context of GDPR a principle of data minimisation exists, which alludes to using the minimum amount of personal data to get the job done. In that vein, minimising the information given and speaking up when your privacy rights are not respected to data protection authorities is also important.

And how do you know who’s sold what? If your committed to your privacy, I’ve seen good success when people add in an extra digit or marker of some kind in the user registration process. e.g. add a made-up unique, middle name and record that name in a spreadsheet. Having this marker will help you identify who the culprit was that “sold you out” so to speak.

Also consider, setting up google alerts to “Data Broker” “Data Protection Commission” “Information Commissioners Office” “FTC” or other regulatory authority as per your jurisdiction to stay informed.

Be vigilant with your Data! Knowledge is power and don’t give it to strangers you can’t trust!



Related Articles:

What is GDPR?


What is CCPA?


5 Key Steps to Privacy by Design


Stay Tuned for Future Posts by following Paul Rogers on Linkedin


Visit our DPOaaS Page