The US data broker market is the largest and least regulated in the developed world. There is no federal opt-out law, no equivalent of the GDPR, and no single registry that lists every broker collecting and selling information about you. What exists is a patchwork of state-level rules — California, Oregon, Texas, Vermont — and a handful of paid services that try to navigate it on your behalf.
This guide compares those services using the same evidence base as our European edition: the August 2024 Consumer Reports field test of seven removal vendors against thirteen people-search sites, supplemented with US-specific data on the broker population, recent enforcement actions, and the timeline for California's Delete Request and Opt-out Platform (DROP), which goes live for broker-side processing on August 1, 2026.
If you are reading this from outside the US, the European edition covers DeleteMe, Incogni, Optery and CrabClear for EU/UK consumers under GDPR. If you are a US consumer, what follows is the relevant analysis.
What is different about the US broker market
The most important fact about US data brokers is that the consumer has no baseline right to request deletion. The GDPR's Article 17 ("right to erasure") and Article 15 ("right of access") have no federal equivalent in the United States. The federal Fair Credit Reporting Act regulates credit brokers only. The Children's Online Privacy Protection Act regulates data collected from children under 13. Everything else is a state-by-state question.
That asymmetry matters because most US consumers carry data exposure in a different shape than EU consumers. In Europe, the friction is bureaucratic: brokers exist, but each one is bound by GDPR to respond to a deletion request within thirty days. In the US, the friction is structural: many brokers will not respond at all unless the consumer lives in a state with a specific opt-out law (California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Kentucky, Rhode Island, Minnesota, Maryland) — and even then, the request must be submitted to each broker individually, with proof of state residency.
US data aggregation also operates at a different intensity. The same residential record that appears in two or three broker databases in Europe will often appear in twenty or thirty in the US, because the US permits broader commercial trading of public records: voter registration files, property deeds, court records, motor vehicle records (where state law allows), licensing rosters, professional registrations, and so on. These are scraped, merged, enriched with online behavioural data, and resold under different product names by different brokers — sometimes by the same corporate parent under multiple trade names.
The practical consequence: a US consumer who wants meaningful removal coverage cannot rely on a single opt-out request. They are dealing with a population of brokers that no single registry counts, no single law governs, and no single vendor can fully cover.
The US registry picture: 750 brokers across five state registries
Five US jurisdictions currently require data brokers to register with the state: California (under two separate authorities — the Attorney General and the newer California Privacy Protection Agency), Oregon, Texas, and Vermont. The combined registries list roughly 750 unique brokers across the five jurisdictions, with significant cross-registration: most companies appear in more than one registry, which is how a registered-broker count of around 2,150 collapses to roughly 750 distinct entities.
The distribution across registries (as of the 2025 consolidated registry data):
- Oregon: 1,048 broker registrations
- Vermont: 474 registrations
- California (Attorney General): 301 registrations
- California (Privacy Protection Agency): 221 registrations
- Texas: 102 registrations
Oregon and Vermont collect the largest registries because their definitions are the broadest. California's two registries diverged in 2024 when the Delete Act transferred broker oversight from the Attorney General to the new Privacy Protection Agency. Texas's registry, the newest, is still being populated.
There are two important caveats.
The first is that the registries do not cover all brokers operating in the United States. A 2025 report by Privacy Rights Clearinghouse and the Electronic Frontier Foundation, Registration Without Implementation, identified substantial gaps: brokers that operate without registering in any state, brokers that register in one state but not others where they should, and brokers that have changed corporate names or restructured to avoid the definitions. The 750-broker figure is therefore a floor, not a ceiling. The actual population of entities trafficking in US consumer data is larger — estimates from advocacy researchers range from 1,500 to 4,000, depending on how aggressively the term "broker" is defined.
The second is that registration is not the same as compliance. A broker can be listed in California's registry and still ignore individual opt-out requests, respond slowly, or require so much identity verification that the request fails. California's Attorney General began enforcement actions in 2024 and 2025 against brokers that registered but did not honour requests; the California Privacy Protection Agency announced in November 2025 the formation of a Data Broker Enforcement Strike Force, signalling that the state is moving from registration audit to compliance audit.
California's enforcement push and the DROP timeline
The most important development for US data broker removal is not a vendor product — it is the California Delete Request and Opt-out Platform (DROP), authorised by the Delete Act (SB 362) signed in October 2023.
DROP is intended to function as a single submission point: a consumer registers once, and every California-registered data broker is required to honour the deletion request for that consumer across all of their databases. It is the closest thing the US has produced to a one-stop opt-out, and it is restricted to California residents.
The DROP timeline has two phases:
- January 1, 2026: consumer signups went live on the privacy.ca.gov portal. California residents can now register, but no deletion processing happens at this stage.
- August 1, 2026: data brokers begin processing DROP deletion requests, with a requirement to re-process every 45 days against any new data ingested. This is the date on which DROP becomes operationally meaningful.
At the time of writing (May 2026), DROP signup has been live for approximately five months. No actual deletions have yet occurred under the DROP mechanism; the first processing wave is roughly ten weeks away. The California Privacy Protection Agency is responsible for enforcement, and the Strike Force announced in November 2025 is the enforcement arm.
For consumers outside California, DROP does not apply. There is no equivalent platform in any other state, and no federal proposal close to enactment. A California resident in May 2026 has more leverage than a resident of any other US state: they can register for DROP, they have the Delete Act, they have the strongest state privacy law (CCPA / CPRA), and the most active enforcement body.
For consumers in other US states, removal in 2026 remains a per-broker exercise — either done manually or paid out to a vendor.
The foreign-actor finding EPIC documented
In March 2026, the Electronic Privacy Information Center (EPIC) published an analysis of California's 2026 data broker registry identifying 33 registered brokers that had self-reported selling or sharing data with "foreign actors" — defined in the California Delete Act, by reference to 10 U.S. Code § 4872, as entities organised under the laws of or principally based in North Korea, China, Russia, or Iran. Five of the 33 also reported collecting precise geolocation data, and 32 reported collecting device identifiers.
The EPIC list is built from registry filings the brokers themselves submitted to California in 2025. EPIC's contribution was to surface those self-reported disclosures and assemble them into a single readable analysis. Within two days of publication, seven of the 33 brokers contacted EPIC to contest the categorisation, stating that their registry filings contained inaccuracies and that they do not in fact transact with foreign-actor counterparties. EPIC updated the post on 27 March 2026 to reflect those disputes while retaining the original 33-broker list and the underlying registry-data integrity question it raises.
For US consumers, the practical relevance of this finding is twofold. First, it is a reminder that registration in a US state registry is not a security clearance: a broker can be properly registered, fully compliant with state law, and still be a node in a data supply chain that ends with a foreign-state actor. Second, it is a piece of evidence about the upstream market for US consumer data — who actually buys it once it leaves the broker — that is normally invisible. The 33-broker number is small relative to the 750-broker registered population, but the volume of data those brokers handle is not necessarily proportional to their count.
The EPIC list is publicly maintained at the EPIC website and is more useful as a current reference than as a static citation here. Consumers concerned about this dimension of broker exposure should consult the EPIC analysis directly rather than rely on a snapshot in this article.
What Consumer Reports 2024 actually found
The most recent independent field test of paid removal services is Consumer Reports' August 2024 study Data Defense: Evaluating People-Search Site Removal Services. CR tracked 32 volunteers in California and New York over four months between May and September 2023, testing seven paid services — Confidently, DeleteMe, EasyOptOuts, IDX, Kanary, Optery, and ReputationDefender — against 13 widely-used people-search sites: BeenVerified, CheckPeople, ClustrMaps, Dataveria, Intelius, MyLife, Nuwber, PeopleFinders, PublicDataUSA, Radaris, Spokeo, ThatsThem, and Whitepages. A control group of four volunteers opted out manually from each of the 13 sites.
The headline result is bleak. Of 332 initial profile instances tracked across the paid services, only 117 — 35 per cent — were removed within four months. Every service, without exception, left some of each participant's data exposed at the four-month mark.
Performance varied widely across the seven services tested. Removal rates at the four-month mark were:
- Optery (Ultimate tier, $249/yr): 68 per cent
- EasyOptOuts ($19.99/yr): 65 per cent
- IDX (Privacy tier, $139.92/yr): 40 per cent
- Kanary ($179.98/yr): 34 per cent
- DeleteMe ($129/yr): 27 per cent
- ReputationDefender (Privacy Pro tier, $99/yr): 6 per cent
- Confidently ($120/yr): 4 per cent
(All prices reflect July 2024 marketed rates as CR recorded them. Several vendors have restructured since.)
The single most striking finding in the study is comparative. The four-participant manual opt-out control group achieved a 70 per cent removal rate — higher than every paid service in the test, at zero cost. Of 47 profiles found across the manual cohort, 33 were gone within the first week and 36 by the end of month one. Manual opt-out outperformed every paid service on both removal volume and speed.
The CR study has methodological limits the authors are explicit about. The sample is small (four participants per service, not statistically significant). Participants supplied minimum information — name, current address, date of birth — and did not engage with the service dashboards after signup, which CR notes may understate vendor performance for diligent users. The study tested a fixed set of 13 prominent people-search sites, not the broader 750+ broker population discussed earlier in this article.
The CR study is the same one we cite in the European edition, and the directional finding applies on both sides of the Atlantic. The US-specific implication is sharper: paid services produce a visible reduction on the most prominent people-search sites, but not a complete one, and in this controlled test they did not outperform a determined consumer doing the work themselves. The case for paid services rests on continuity (they keep working after you have stopped) and on coverage of brokers outside the 13-site CR cohort — not on the proposition that they remove more in absolute terms.
DeleteMe, Incogni, Optery, Kanary, Privacy Bee, EasyOptOuts: US-specific notes
A US consumer choosing among these vendors should consider three variables that the marketing pages do not emphasise.
Broker list coverage. Each service publishes a claimed broker count — Incogni 420+, Optery 640+ (Ultimate tier), Privacy Bee 600+ — but counts are not directly comparable because vendors define "broker" differently and weight people-search sites against B2B aggregators inconsistently. None covers all 750 state-registered brokers, let alone the larger unregistered population. The more useful indicator is whether the vendor publishes its actual broker list rather than just a count. DeleteMe, Optery, and Kanary publish lists; Incogni and Privacy Bee publish counts without a full enumerated list at the time of writing. EasyOptOuts publishes a partial summary.
Jurisdictional reach. DeleteMe and Optery are US-headquartered with the strongest coverage of US-specific people-search sites. Incogni is owned by Surfshark (Lithuania, EU jurisdiction) and is built to handle GDPR and CCPA simultaneously — strong for cross-border users, less specialised on US-only brokers. Kanary is US-headquartered, with a tiered structure split between automated and fully-managed service. Privacy Bee runs a multi-tier model from a basic essentials plan to a high-end signature tier that includes ongoing analyst support. EasyOptOuts is an annual subscription with quarterly removal rounds at the lowest price point in the market.
Pricing, in USD as of May 2026:
- DeleteMe: from $129/year per person, family plans available
- Incogni: from $95.88/year (Standard) or $179.88/year (Unlimited), family plans available
- Optery: free basic tier; Core $39/year, Extended $149/year, Ultimate $249/year
- Kanary: free community tier; Professional ~$120/year ($9.99/month), Advanced ~$600/year ($50/month)
- Privacy Bee: Essentials ~$96/year ($8/month), Pro ~$216/year ($18/month), Signature ~$804/year ($67/month)
- EasyOptOuts: $19.99/year (annual subscription with quarterly scans)
Three notes on these prices. First, several vendors have repriced significantly since the CR 2024 study; Kanary in particular is materially cheaper than the $179.98 CR recorded, and Optery has introduced a free tier. Second, the cheap end of the market (EasyOptOuts at $19.99, Optery Core at $39) is now competitive on raw price with manually opting out for an hour or two a year. Third, none of these subscriptions is a substitute for the California DROP system when DROP becomes operational in August 2026 for California residents.
Boutique and executive alternatives
A small number of US firms operate above the consumer-vendor tier, working with executives, public figures, high-net-worth clients, and corporate principal protection programmes. These firms are not equivalent to the subscription vendors and should not be compared on the same axis.
ReputationDefender (now part of Gen Digital) is the longest-running US operator in this space, with two decades of removal and reputation-management work. Their offering is heavier on the "reputation" side — Google result management, negative-content suppression — than pure data broker removal.
BlackCloak is the US-headquartered executive cybersecurity firm that pairs data broker removal with broader OPSEC, device hardening, and family-tier monitoring. They publish substantial research; their pricing is bespoke and well above subscription-vendor levels.
NetReputation is a US-based reputation and removal firm that operates across the consumer-to-executive spectrum, with a heavier emphasis on online-mention removal than registry-grade broker work.
These firms are appropriate for clients whose exposure profile is named — executives, attorneys, finance principals, public figures — and whose removal needs extend beyond the standard broker list to court records, news mentions, and reputation surface. The 2024 CR study did not test this tier; there is no comparable evidence base. For a consumer whose primary concern is the standard broker population, a subscription vendor will do the same job at a fraction of the price.
For UK and EU equivalents at the boutique tier, see the European edition. For our own position on this work, see The Eraser.
If the named-target threshold is where you sit — executive, principal, public figure, or family with significant exposure — a subscription vendor is the starting point, not the end of the work. The Eraser is built for the layer above.
Manual opt-out vs paid service: what the evidence says for US consumers
The honest answer is that manual opt-out works, and a US consumer with twenty hours of disciplined time can replicate most of what a paid service does on the visible-broker layer. The reason most consumers do not do this is that the work is repetitive, the brokers' opt-out portals are intentionally tedious, and the result decays — new listings appear, brokers re-ingest data, and the work has to be repeated.
The evidence base for this is the 2024 CR study itself: the manual baseline in the study showed substantial removal coverage for a determined consumer, comparable to the lower-performing vendors on the initial wave. The vendors' advantage was not coverage but continuity — they keep working after the consumer has stopped.
There is one US-specific consideration that complicates the manual-vs-paid choice: the California DROP system, when it begins processing in August 2026, will provide a single submission point for California residents that no paid service can replicate. A California resident in late 2026 will rationally combine DROP (one-time registration, free, covers all California-registered brokers) with either manual work on non-California-registered brokers or a paid service for the long tail.
For a consumer outside California, the choice in 2026 is genuinely between manual opt-out (free, time-intensive, decays) and a paid service (subscription, partial coverage, lower decay). The right choice depends on time available, exposure level, and whether the consumer's threat model includes targeted aggregation (in which case a subscription service is rational) or just general data hygiene (in which case a one-time EasyOptOuts scan or manual work may be sufficient).
Services to avoid
A short list, applicable to US consumers:
- Any "free" removal service that asks for full identity verification upfront. The legitimate vendors require identity verification too, but on a subscription model where they are paid by you, not by the broker downstream. A free service is monetising the verification.
- Any service that promises to remove your data from "the dark web." Data broker removal cannot do this — data that has been breached and posted on criminal forums is replicated across uncountable mirrors. What a credible service offers for breached data is monitoring, not removal.
- Any service offering "guaranteed permanent removal." Given the broker re-ingest cycle documented in the CR study, this claim is unsupportable.
We discuss this in more detail in the European edition; the same principles apply.
When to use what: a US decision tree
For California residents in late 2026: register for DROP at privacy.ca.gov as soon as practical, then assess what is left. DROP will handle California-registered brokers. For the non-registered population, manual opt-out on the brokers that matter most to your exposure profile (people-search platforms, address aggregators, court-record aggregators) is the next step. A paid service is rational if your time is more valuable than $100–$200/year or if your threat model requires continuous monitoring.
For residents of other US states: a paid service is the simplest route. Optery and DeleteMe have the strongest US-specific coverage. EasyOptOuts is the cheapest entry point if you only want a one-time scan. Incogni is the right choice if you live across US and EU jurisdictions.
For executives, high-net-worth clients, and individuals whose exposure includes named-target risk: a subscription vendor is necessary but not sufficient. The appropriate combination is a removal subscription plus dedicated OPSEC work — device hardening, family-tier exposure assessment, monitoring of named-target indicators. For our own position on this, see The Eraser.
For organisations with concentrated executive exposure: individual subscription services do not scale and were not designed for staff-level deployment. A Corporate Audit maps the full surface across named individuals, family members, and corporate footprint, and identifies which removal work needs to be done in-house, which through subscription, and which requires a boutique tier.
Sources
California Delete Act and DROP
- California Privacy Protection Agency, Delete Request and Opt-Out Platform (DROP) consumer portal at privacy.ca.gov.
- California Privacy Protection Agency, January 2026 DROP is coming, December 2025: privacy.ca.gov DROP timeline announcement.
- The Washington Post, "California's radical idea for data privacy: Enforce the law," 21 February 2025: Washington Post coverage.
US registry analysis
- Privacy Rights Clearinghouse and Electronic Frontier Foundation, Why Are Hundreds of Data Brokers Not Registering With States?, June 2025: PRC + EFF report. Consolidated 5-state registry dataset (CC BY-NC-SA 4.0).
EPIC foreign-actor analysis
- Justin Sherman, The 33 Data Brokers Selling US Data to Foreign Actors, According to California, EPIC, originally published 25 March 2026, updated 27 March 2026: EPIC analysis. Seven brokers contested the categorisation post-publication; the underlying registry-data integrity question persists.
Consumer Reports field test
- Yael Grauer, Victoria Kauffman and Leigh Honeywell, Data Defense: Evaluating People-Search Site Removal Services, Consumer Reports, 8 August 2024: CR study PDF. 32 volunteers, 7 services, 13 people-search sites, May–September 2023.
Vendor pricing references (verified May 2026)