There are approximately 1,000 data brokers operating in the United States alone. Worldwide, the number is closer to 5,000. This is a $300 billion industry built entirely on collecting, packaging, and selling detailed profiles of private individuals — without their knowledge, without their consent, and without paying them a cent.
In the US, laws in California, Virginia, Oregon, and Texas give residents the legal right to demand brokers delete their data. In Europe, the GDPR makes that right universal. These are real legal protections with real teeth — on paper. In practice, three independent investigations conducted in 2025 found that data brokers are systematically evading them. Not accidentally. Deliberately.
This article covers what the evidence shows, why it matters beyond abstract privacy concerns, and what you can actually do about it — including a significant new tool that launched in California in January 2026 and will become mandatory for all registered brokers by August of this year. For the full picture of how this ecosystem operates across jurisdictions, see our Data Broker Ecosystems hub.
What Data Brokers Actually Know About You
Before understanding why deletion matters, it helps to understand what you are trying to delete. Research into broker data practices consistently shows these companies collect far more than most people realise:
- Full legal name, home address, phone numbers, email addresses, and date of birth
- Financial status — creditworthiness, investment holdings, mortgage data, bankruptcy history
- Health-adjacent data — medication purchases, symptom searches, fitness tracker output
- Geolocation history — where you work, where you shop, how frequently
- Relationship data — family members, coworkers, friends, frequency of contact
- Political and religious beliefs, inferred from browsing history and purchase patterns
- Online behaviour — which ads you looked at, what content you watched, how long
This information is cross-referenced across sources: public records, credit bureau feeds, retail loyalty programmes, mobile app analytics, and data purchased directly from other brokers. The result is a profile that would take an OSINT investigator hours to build manually — and brokers have one on virtually every adult in the developed world. What those profiles look like from the outside is covered in detail here.
The names brokers give their datasets reveal the intent. A US Senate investigation documented collections titled "Rural and Barely Making It," "Retiring on Empty: Singles," and "Tough Start: Young Single Parents." These products are purchased by payday loan operators to target people in financial distress. Brokers also sell location data detailed enough to identify whether someone has recently visited an abortion clinic.
In 2025, an American man purchased residential address data from publicly available broker websites and used it to locate and kill political targets. This is the endpoint of the industry's logic: data collected at scale, sold without restriction, and used by whoever pays for it.
Breach risk compounds exposure: Data brokers are themselves breach targets. In 2024, National Public Data — a major broker — had 2.7 billion records stolen in a single attack. The records included names, addresses, dates of birth, phone numbers, and Social Security numbers for what is believed to be every US citizen with an SSN. When your data sits with a broker, you carry the breach risk of every company that holds it.
How the System Is Designed to Fail You
Three separate investigations in 2025 examined whether data brokers comply with their legal obligations to allow data deletion. All three reached the same conclusion: the system is failing, and the failure appears deliberate.
Finding 1: Hundreds of Brokers Evade State Registration
In April 2025, the Privacy Rights Clearinghouse analysed the four US states that require data brokers to register — California, Oregon, Texas, and Vermont. They identified 750 distinct data broker groups operating in the US. Since these companies operate nationally online, all four state registries should show roughly the same 750 entities.
| State | Registered Brokers | Expected | Gap |
|---|---|---|---|
| California | 499 | 750 | 251 missing |
| Oregon | 292 | 750 | 458 missing |
| Vermont | 375 | 750 | 375 missing |
| Texas | 207 | 750 | 543 missing |
Hundreds of brokers that registered in one state failed to register in others with identical legal requirements. This is not a paperwork oversight. Brokers that are not registered are not visible to enforcement agencies. They cannot be fined or compelled to comply with deletion requests. Non-registration is how you stay off the radar.
Finding 2: Brokers Are Hiding Opt-Outs from Google
In August 2025, The Markup investigated California's registry of 499 registered data brokers and found that 35 of them had added noindex code to their opt-out and data deletion pages — deliberately removing those opt-outs from Google and Bing search results.
These pages are required by law in California and Virginia. Companies are legally obligated to provide them. But if a page cannot be found through a search engine, the overwhelming majority of people will never find it at all. Five additional brokers offered no opt-out page whatsoever. When The Markup contacted brokers for comment, most either did not respond or claimed ignorance. Two admitted they did it intentionally to reduce spam. Four made their pages searchable only after the investigation published.
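A check for the noindex signals described above, as an added example that is not part of the original article or The Markup's tooling. It inspects a page you have already fetched for a robots `meta` tag or an `X-Robots-Tag` response header; the sample responses are constructed.

```python
from html.parser import HTMLParser

CRAWLERS = {"robots", "googlebot", "bingbot"}  # "robots" addresses every crawler
BLOCKING = {"noindex", "none"}                 # "none" means noindex plus nofollow

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots|googlebot|bingbot" content="...">."""

    def __init__(self):
        super().__init__()
        self.directives = []  # (crawler, directive) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        name = a.get("name", "").strip().lower()
        if tag == "meta" and name in CRAWLERS:
            for d in a.get("content", "").split(","):
                self.directives.append((name, d.strip().lower()))

def header_directives(headers):
    """Parse X-Robots-Tag values such as 'noindex' or 'googlebot: noindex, nofollow'."""
    out = []
    for key, value in headers.items():
        if key.lower() != "x-robots-tag":
            continue
        crawler = "robots"
        for part in value.lower().split(","):
            prefix, sep, rest = part.partition(":")
            if sep and prefix.strip() in CRAWLERS:  # a crawler name scopes what follows
                crawler, part = prefix.strip(), rest
            out.append((crawler, part.strip()))
    return out

def find_noindex(html, headers=None):
    """Return sorted findings for one fetched page; empty means no noindex directive found."""
    parser = RobotsMeta()
    parser.feed(html)
    found = [f"meta {c}: {d}" for c, d in parser.directives if d in BLOCKING]
    found += [f"header {c}: {d}" for c, d in header_directives(headers or {}) if d in BLOCKING]
    return sorted(found)

# Constructed sample responses (not taken from any real broker site).
HIDDEN_META = '<head><title>Opt out</title><META NAME="Robots" CONTENT="NOINDEX, nofollow"></head>'
HIDDEN_HEADER = {"X-Robots-Tag": "googlebot: noindex, nofollow"}
VISIBLE = '<head><meta name="robots" content="index, follow"><meta name="description" content="noindex"></head>'

if __name__ == "__main__":
    print(find_noindex(HIDDEN_META), find_noindex("", HIDDEN_HEADER), find_noindex(VISIBLE))
```

Check the response headers as well as the HTML: a page whose markup looks clean can still be kept out of search results by the header alone.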
Data brokers are betting that most people won't have the time, resources, or persistence to fight for their privacy — and that no authorities will make it a priority. For EU residents with legal standing to demand deletion, the EU data broker opt-out directory provides a practical starting point.
Finding 3: 43% of Brokers Simply Ignore Deletion Requests
In June 2025, researchers at the University of California, Irvine submitted deletion requests to 454 data brokers registered under California's CCPA and tracked the results. The CCPA requires brokers to respond within 45 days. What the researchers found:
- 52% responded within the legal 45-day window — the bare minimum
- 5% responded after the legal deadline
- 43% never responded at all
Before even reaching the response stage, the researchers had excluded 89 brokers outright: websites that were inaccessible, had no opt-out page, had disconnected phone numbers, or sent bounced emails. Of the brokers that did respond, dozens demanded additional personal data to verify identity — in some cases requesting IP addresses, marital status, or monthly car loan payment amounts. You are required to hand over more of yourself to exercise your right to privacy.
The CCPA is the strongest consumer privacy law in the United States. This is its enforcement record.
The California Nuclear Option: DROP
In October 2023, California passed the Delete Act, which directed the California Privacy Protection Agency to build a centralised deletion platform. That platform — the Delete Request and Opt-Out Platform (DROP) — launched on 1 January 2026.
DROP works differently from any previous mechanism. Instead of submitting individual requests to hundreds of brokers separately, a California resident can create a profile on DROP, verify their state residency once, and submit a single deletion request that is automatically routed to all registered data brokers simultaneously. As of February 2026, DROP had over 215,000 registered users.
The scope of what DROP can delete is broad:
- Basic identifiers — name, phone number, email address
- Online behavioural data — social media history, browsing patterns, online habits
- Financial data — payment history, spending habits
- Health-adjacent data — use of health apps, wearables, and trackers
- Location history — where you go and how frequently
- Relationship data — family members, friends, frequency of contact
- Inferences — conclusions drawn about your lifestyle, income, political and religious beliefs
The critical enforcement mechanism: from 1 August 2026, data brokers are legally required to check DROP every 45 days, action all pending deletion requests within 90 days, and maintain suppression lists to prevent re-collection of deleted data. Brokers that fail to comply face fines starting at $200 per day. The California Privacy Protection Agency has already hired its first Chief Privacy Auditor. Enforcement is coming.
DROP also requires data brokers to forward deletion requests to any third parties they have shared that data with — not just delete their own copy. This is the provision that makes DROP structurally different from any previous state law. Full legal analysis of the Delete Act and DROP is here.
If you live in California: Register at privacy.ca.gov/drop. Verify your residency once, submit your request, and let DROP route it to every registered broker. This is currently the single most effective deletion mechanism available to any individual in the US.
If You Are in the EU: GDPR Is Stronger Than You Think
Europe's General Data Protection Regulation gives every EU resident the right to request deletion of their personal data from any organisation that holds it — including data brokers. Unlike the US, there is no need to live in a specific state. The right applies everywhere the GDPR applies.
Key distinctions from US law:
- Response deadline: Organisations must respond within one month of a request — faster than CCPA's 45 days
- Burden of proof: The organisation must demonstrate a legitimate legal basis for retaining your data — if they cannot, they must delete it
- "Right to be Forgotten": GDPR's Article 17 is enforceable and has resulted in significant fines against non-compliant companies
- Third-party forwarding: Controllers must inform processors and third parties who received your data of your deletion request
When submitting requests to brokers operating in or accessible from the EU, cite GDPR Article 17 explicitly in your request. Many brokers — including US-based ones — will honour GDPR requests regardless of whether the law strictly applies to you, simply to avoid risk. European data broker law and opt-out links are covered in detail here.
The Practical Playbook: How to Fight Back Anyway
If you are not in California, or if you want to go further than DROP covers, the manual route still works — it just requires patience and organisation. This is what we actually do for clients.
Step 1: Find the brokers that have your data
Search your full name, phone number, and email address across the major people-search sites. Use the direct opt-out links for 100 major brokers as your starting list. The Privacy Rights Clearinghouse maintains a registry of hundreds of brokers if you want to go deeper.
Step 2: Build a tracking spreadsheet
Create a spreadsheet with columns for: broker name, opt-out page URL, date submitted, response received, and follow-up date. This sounds mundane, but without it you will lose track — especially since some brokers require a follow-up 30 days later to confirm deletion was completed.
Step 3: Use a standard request template
Most opt-out pages are online forms. Some require email. For email requests, a consistent template saves time and ensures you cite the applicable law:
Subject: Data Deletion Request — [Your Full Name]
To Whom It May Concern,
I am writing to request the immediate deletion of all personal data you hold relating to me, under the rights afforded by [CCPA / GDPR Article 17 / applicable state law].
My details: Full name: [Your name] | Current address: [Your address] | Email: [Your email] | Phone: [Your phone]
Please confirm in writing that: (1) All records relating to me have been deleted from your systems, (2) My data has not been sold or shared with third parties since this request, (3) My details have been added to your suppression list to prevent re-collection.
I expect a response within the legally required timeframe. If I do not receive confirmation within 30 days, I will escalate this request to the relevant enforcement authority.
Step 4: Expect obstruction — and escalate anyway
Some brokers will ask for additional identity verification. Provide the minimum necessary — your name, address, and email. Do not provide government ID, Social Security numbers, or payment data unless you are dealing with a regulated financial institution that has a legal basis to require it.
If a broker ignores your request after 45 days (US) or 30 days (EU), file a complaint.
Step 5: Repeat every three to six months
Data brokers re-collect. Even after a successful deletion, your data may reappear within months as brokers refresh their sources. This is not a one-time task. It is ongoing maintenance — which is why professional removal services exist and why their clients consider the cost worth it.
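A sketch of the tracking sheet from Steps 2 to 5 as a script, added here as an example and not taken from the original article. It applies the 45-day (US) and 30-day (EU) complaint thresholds from Step 4; the `law` column, the 90-day re-check interval, and the sample rows are assumptions.

```python
import csv
import io
from datetime import date, timedelta

DEADLINE_DAYS = {"US": 45, "EU": 30}  # complaint thresholds given in Step 4
RECHECK_DAYS = 90  # assumption: the "three months" lower bound from Step 5, as days

# Constructed tracking sheet; the "law" column is an assumption added to pick the deadline.
SHEET = """broker,opt_out_url,law,date_submitted,response_received
Broker A,https://broker-a.example/optout,US,2026-01-05,2026-01-20
Broker B,https://broker-b.example/optout,US,2026-01-05,
Broker C,https://broker-c.example/privacy,EU,2026-02-10,
Broker D,https://broker-d.example/delete,EU,2025-10-01,2025-11-15
"""


def review(csv_text, today):
    """Return {broker: {"action", "due", "late"}} for every row in the sheet."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        law = row["law"].strip().upper()
        if law not in DEADLINE_DAYS:
            raise ValueError(f"{row['broker']}: unknown law {row['law']!r}")
        submitted = date.fromisoformat(row["date_submitted"])
        deadline = submitted + timedelta(days=DEADLINE_DAYS[law])
        answered = (row["response_received"] or "").strip()
        if answered:
            responded = date.fromisoformat(answered)
            due = responded + timedelta(days=RECHECK_DAYS)  # brokers re-collect
            action = "search again and resubmit" if today >= due else "wait for re-check"
            late = responded > deadline  # answered, but after the legal window
        else:
            due, late = deadline, today > deadline
            action = "file complaint" if late else "wait for response"
        result[row["broker"]] = {"action": action, "due": due, "late": late}
    return result


if __name__ == "__main__":
    for broker, info in review(SHEET, date(2026, 3, 1)).items():
        print(f"{broker}: {info['action']} (due {info['due']}, late={info['late']})")
```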
What to Do Right Now
The data broker industry runs on the assumption that most people won't bother. Three independent investigations in 2025 confirmed they are correct: opt-out pages are buried on page 15 of privacy policies or hidden from search engines, and 43% of brokers simply ignore deletion requests. The system is built to exhaust you before you succeed.
But the tools for fighting back are better than they have ever been. California's DROP is the most significant individual deletion mechanism ever created. GDPR enforcement is increasing. And the manual route, executed with a spreadsheet and a consistent template, still works — it just works slowly.
The first step is understanding what's out there. Run an OSINT search on yourself before submitting any deletion requests — you cannot delete what you cannot find.