Data Brokers in the United States: No Federal Law, 25 Brokers, and How to Opt Out

The United States has no comprehensive federal privacy law. While Europe has GDPR and Australia has the Privacy Act, Americans have a patchwork of sector-specific regulations that leave data brokers almost entirely free to collect, aggregate, and sell personal information with minimal legal obligation to stop — or even tell you they exist. The industry is estimated to be worth $200–300 billion annually. It operates on your data. And most Americans have no idea.

This guide covers what the law does and does not protect, how the state-by-state patchwork works, what the 25 biggest data brokers hold about you, and the most effective opt-out mechanisms available right now — including what's coming in 2026. For the European and global context on this ecosystem, see our Data Broker Ecosystems hub.

Why the US Has No Federal Privacy Law

The short answer is money and politics. The data broker, advertising technology, and platform industries have spent hundreds of millions of dollars lobbying against comprehensive federal privacy legislation. The US constitutional tradition has no explicit right to privacy (unlike the EU Charter, Article 8). And Congress has been unable to resolve a fundamental disagreement: whether a federal law should override stronger state laws — a provision the industry desperately wants and California desperately opposes.

The closest the US came was the American Data Privacy and Protection Act (ADPPA), introduced in June 2022. It passed out of the House Energy and Commerce Committee by a vote of 53–2 — the most bipartisan privacy vote in US history. It never reached the House floor. Speaker Pelosi refused to schedule it because California members objected that it would weaken the CCPA. The bill died. Revised versions were discussed in 2023 and 2024. None became law.

What exists instead is a collection of narrow sectoral laws covering specific categories of data: HIPAA for health records, the FCRA for credit reports, COPPA for children's data, GLBA for financial data, FERPA for education records. Each covers only its defined domain. Data brokers that hold general consumer profiles — demographics, purchase history, location, lifestyle, inferred attributes — fall through every gap.

What Federal Law Actually Does

The FTC's Limited Role

In the absence of comprehensive legislation, the Federal Trade Commission uses Section 5 of the FTC Act — prohibiting "unfair or deceptive acts or practices" — as its primary tool against data broker abuses. The FTC can pursue companies that lie about their data practices (deception) or cause substantial consumer harm that consumers cannot reasonably avoid (unfairness). It cannot issue fines for first-time violations; it can only obtain consent orders. Civil penalties of up to $51,744 per violation per day apply only when a company violates an existing FTC order.

Notable FTC enforcement against data brokers and data misuse:

  • Spokeo (2012, $800,000): Marketed people-search data for employment and background screening purposes — making it a consumer reporting agency under the FCRA — without following FCRA accuracy and notice requirements.
  • TruthFinder and Instant Checkmate (2023, $7.8 million combined): FCRA violations; told consumers they could correct inaccurate profile information but never actually implemented the corrections. Both owned by PeopleConnect, Inc.
  • MyLife (2022, $4.25 million): Showed alarming "reputation scores" and charged consumers to suppress profiles they had never consented to. FTC and NY AG joint action.
  • Kochava (2022, ongoing): Sold precise geolocation data enabling tracking of individuals to abortion clinics, domestic violence shelters, addiction treatment centres, and places of worship. First FTC action based purely on the sale of sensitive location data as an inherently unfair practice.
  • BetterHelp (2023, $7.8 million): Online therapy platform shared mental health data with Facebook and Snapchat for advertising despite explicit promises it would not.

The FTC published a landmark data broker report in 2014 documenting the industry's scope — brokers held billions of data points per consumer, created segments like "Rural and Barely Making It" and "Diabetes Interest" — and recommended Congress act. Congress did not. A follow-up 2024 FTC report described the internet platform economy as a "surveillance ecosystem." Congress still has not acted.

The FCRA — Your Only Federal Deletion Right

The Fair Credit Reporting Act (1970) is the closest thing Americans have to a federal right to demand data correction and, in limited circumstances, deletion. It applies only to consumer reporting agencies (CRAs) — companies that compile "consumer reports" used for credit, employment, insurance, housing, or other decisions.

Under the FCRA, you have the right to:

  • One free annual credit report from each of the three major bureaus via AnnualCreditReport.com
  • Dispute inaccurate information — bureaus must investigate within 30 days and delete anything they cannot verify
  • A free security freeze, preventing new credit from being opened in your name
  • Notification when a credit report was used against you (adverse action notice)

The FCRA also mandates deletion timelines for negative information: most derogatory items must be removed after 7 years from the date of first delinquency; Chapter 7 bankruptcies after 10 years.

Critical gap: the FCRA only applies to data used for consumer reporting. People-search sites explicitly disclaim that their data is "not for FCRA purposes" — a disclaimer that shields them from FCRA requirements while providing the same information that credit bureaus are regulated for. The FTC's Spokeo case showed these disclaimers are not a complete defence if the company's actual marketing suggests otherwise.

The State Patchwork — 20 Laws, No Consistency

By early 2025, approximately 20 US states had enacted comprehensive consumer privacy laws. No two are identical. The patchwork means your privacy rights depend entirely on your state of residence — and if you live in a state without a law, you have almost none.

California — The Strongest

California has two layers of privacy law running simultaneously:

California Consumer Privacy Act (CCPA, 2020) / California Privacy Rights Act (CPRA, effective January 2023): Applies to businesses meeting any one of three thresholds: annual gross revenues over $25 million; processing data of 100,000+ California consumers or households annually; or deriving 50%+ of annual revenues from selling consumer personal information.

Rights under CCPA/CPRA: right to know what data is collected and why; right to delete; right to opt out of sale and sharing of personal information (the sharing provision, added by CPRA, closes the loophole where data transfer without money is not a "sale"); right to correct; right to limit use of sensitive personal information; right to data portability.

Enforcement is by the California Privacy Protection Agency (CPPA), the first dedicated state privacy agency in the US. Civil penalties up to $7,500 per intentional violation. Notable actions: Honda ($632,500 for requiring consumers to over-identify themselves to exercise rights); DoorDash ($375,000 for sharing customer data with a marketing cooperative without proper disclosure).

California AB 1202 — Data Broker Registration: Any company that "knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship" must register annually with the California AG. Registration fee: $400/year. As of 2024, approximately 500 data brokers had registered. The registry is publicly searchable — it is the most comprehensive public inventory of data broker activity in the US.

California DELETE Act (SB 362, October 2023) — coming January 2026: The most significant US privacy development since CCPA. The CPPA must operate an accessible deletion mechanism through which a California consumer can submit one request that all registered data brokers must honour. Brokers must check the portal at least every 45 days and honour deletion requests within 45 days. Violations: $200/day per non-compliant broker. Annual audit submissions required. When this goes live in January 2026, California residents will have the closest thing to GDPR-style erasure rights against data brokers of any US population.

The Other 19 — Virginia, Colorado, Texas, and More

Most other state privacy laws follow a more business-friendly model than California's:

  • Virginia CDPA (effective January 2023): Rights to access, correct, delete, portability, opt out of targeted advertising, data sales, and profiling for significant decisions. AG enforcement only; civil penalties up to $7,500 per violation. No private right of action.
  • Colorado CPA (effective July 2023): Similar to Virginia; first state to require businesses to honour the Global Privacy Control (GPC) browser signal — a browser setting that automatically signals opt-out of data sale/sharing to every website you visit.
  • Texas TDPSA (effective July 2024): One of only three states (with Vermont and California) to specifically require data broker registration with the state AG. Covers businesses processing data of Texas residents without a revenue/volume threshold (exempts SBA-defined small businesses by industry). Fines up to $7,500 per violation.
  • Florida FDBR (effective July 2024): Narrowest coverage in the US — applies only to businesses with annual global revenues over $1 billion. Effectively applies to approximately 35–50 companies globally. A political choice to regulate only large platforms without touching the broader data broker industry.
  • Vermont (first state, 2019): First US data broker registration law. 121 registered brokers. Requires disclosure of whether consumers can opt out and whether the broker has experienced data breaches. Fines up to $10,000 per violation.

If you live in one of the 30+ states without a comprehensive privacy law — including New York, Illinois (except for its biometric data law, BIPA), and most of the South and Midwest — you have no state right to access, correct, or delete data held about you by data brokers. You rely on voluntary opt-outs and FTC enforcement.

The Key Difference from GDPR

GDPR requires a lawful basis before processing begins — the default is that you cannot process without justification. US state laws are opt-out by default — processing is permitted unless the consumer objects. Under GDPR, a company must demonstrate why it can process your data. Under US law, you must take action to stop it. This structural difference means that inertia — the fact that most consumers never exercise their rights — is deeply embedded in the US system by design.

Five Years of US Data Breaches (2020–2024)

| Year | Organisation | Records | Data Type | Notable Detail |
|------|--------------|---------|-----------|----------------|
| 2021 | T-Mobile | 54+ million | Names, DOB, SSNs, driver's licence numbers, IMEI numbers | Unprotected router provided entry point. $350M class action settlement. |
| 2023 | MOVEit (supply chain) | 93+ million across 2,500+ organisations | Varied by victim — government IDs, health data, financial data, SSNs | Cl0p ransomware group. Victims included US federal agencies, Louisiana/Oregon DMVs, Maximus, Johns Hopkins. |
| 2023 | T-Mobile (second) | 37 million | Names, email addresses, phone numbers, billing addresses, DOB | API abuse; attacker had access for 8 months undetected. |
| 2024 | AT&T (March) | 73 million | Names, addresses, phone numbers, DOB, SSNs (7.6M) | AT&T initially denied the data was theirs. Data matched a 2021 dataset. |
| 2024 | Change Healthcare (UnitedHealth) | ~190 million | Medical records, prescriptions, diagnoses, insurance data, SSNs | Largest healthcare breach in US history. Disrupted 50% of US medical claims processing for months. UnitedHealth paid $22M ransom; estimated $2.3B total cost. |
| 2024 | AT&T (July) | ~110 million | Call and text records — who you called, when, how long, which cell tower | Via Snowflake cloud platform compromise. Largest telco metadata breach ever. DOJ authorised delayed disclosure. |
| 2024 | National Public Data | 2.9 billion records | Names, addresses (historical), SSNs, phone numbers, relatives | Background check company with no direct consumer relationship. SSNs for most of the US adult population. Company filed for bankruptcy. |

The National Public Data breach deserves particular attention. Unlike a breach of a company you chose to do business with, NPD had no relationship with the 2.9 billion individuals whose records it held. Most of those people did not know their data was at NPD. Their Social Security Numbers were exposed in a breach by a company they had never heard of — which is precisely the data broker problem in miniature: you cannot protect yourself from a company you do not know exists.

The 25 Biggest Data Brokers Holding US Data

The opt-out links below are accurate as of early 2026. Most opt-outs are voluntary — legally required only for California, Virginia, Colorado, and other state residents with privacy rights. For everyone else, opt-outs work at the broker's discretion. Data re-populates over time as brokers continuously re-aggregate from public records and third-party sources.

People-Search Sites

  1. Spokeo — name, address history, phone numbers, relatives, estimated age, social media profiles.
    Opt-out: spokeo.com/optout
  2. BeenVerified — background reports, criminal records, address history, social profiles.
    Opt-out: beenverified.com/app/optout/search
  3. Intelius — one of the oldest and largest people-search services; owned by PeopleConnect Inc.
    Opt-out: suppression.peopleconnect.us (covers Intelius, TruthFinder, and Instant Checkmate in one submission)
  4. TruthFinder — background and criminal record checks; subject to 2023 FTC $7.8M settlement.
    Opt-out: suppression.peopleconnect.us
  5. Whitepages — the original online directory, now a comprehensive people-search platform.
    Opt-out: whitepages.com/suppression-requests
  6. PeopleFinders — large public records database; address, criminal, court record searches.
    Opt-out: peoplefinders.com/opt-out
  7. MyLife — reputation scores and profile aggregation; subject to 2022 FTC/$4.25M settlement.
    Opt-out: mylife.com privacy request
  8. FastPeopleSearch — free aggregator; operated by a Czech company, making legal enforcement difficult.
    Opt-out: fastpeoplesearch.com/removal
  9. Radaris — comprehensive people-search with property, business, and social profile data.
    Opt-out: radaris.com/ng/page/optout
  10. Instant Checkmate — criminal records focus; PeopleConnect Inc.; covered by 2023 FTC settlement.
    Opt-out: suppression.peopleconnect.us
  11. Pipl — primarily B2B identity resolution for investigators; one of the most comprehensive people-search databases.
    Opt-out: pipl.com/personal-information-removal-request
  12. Zabasearch — free people-search aggregating public records and phone directories.
    Opt-out: zabasearch.com/public_optout.php
  13. USSearch — background check service; Certiphi/PeopleConnect ecosystem.
    Opt-out: ussearch.com/profile-removal

Data Aggregators and Marketing Intelligence

  1. Acxiom / LiveRamp — approximately 2.5 billion consumer profiles globally; 300 million US consumers with 10,000+ attributes each. The world's largest commercial data broker.
    Opt-out: isapps.acxiom.com/optout
  2. Oracle Data Cloud — third-party cookie and purchase data; audience segments for digital advertising. Oracle announced wind-down of its advertising data business in 2023 — what happened to billions of consumer profiles during that process is itself an open question.
    Opt-out: datacloudoptout.oracle.com
  3. Epsilon (Publicis Groupe) — approximately 250 million US consumer profiles; cooperative marketing databases (Abacus Alliance), digital marketing platform (Conversant).
    Opt-out: epsilon.com/us/privacy-policy — opt-out of Epsilon marketing
  4. LexisNexis Risk Solutions — identity verification, fraud prevention, public records aggregation. Administers the CLUE insurance claims database. Supplies financial institutions and government for KYC/AML compliance.
    Consumer opt-out: optout.lexisnexis.com / Free CLUE report: personalreports.lexisnexis.com
  5. CoreLogic — property data on approximately 99% of US real estate. Ownership records, mortgage data, sales history, tax assessments, hazard data. Used by lenders, insurers, and real estate industry.
    Opt-out: corelogic.com/privacy — marketing opt-out only; property record data is public
  6. Verisk / ISO — insurance risk data; trade and claims data for the US insurance industry. CLUE (Comprehensive Loss Underwriting Exchange): property and auto insurance claims history. Insurers share claims data to assess risk.
    Consumer CLUE access via LexisNexis: personalreports.lexisnexis.com
  7. Equifax Workforce Solutions / The Work Number — payroll and employment data from 2+ million employers, covering approximately 55% of the US non-farm workforce. Used by lenders, landlords, and government agencies to verify employment and income.
    Employee access: employees.theworknumber.com — free annual employment data report; dispute and freeze options available

Credit Bureaus (FCRA-regulated)

  1. Equifax — one of the three major credit bureaus; credit files on 220+ million US adults. Subject to 2019 breach settlement ($575–700M). Free weekly credit reports now available.
    Freeze: equifax.com — credit freeze / Free report: AnnualCreditReport.com
  2. Experian — major credit bureau; also operates marketing data and identity verification businesses.
    Freeze: experian.com/help/credit-freeze / Marketing opt-out: experian.com/privacy/opting_out.html
  3. TransUnion — major credit bureau; acquired Neustar (identity resolution) and Callcredit (UK credit bureau).
    Freeze: transunion.com/credit-freeze / Opt-out: transunion.com opt-out

Specialty

  1. Clearview AI — facial recognition database built by scraping billions of photos from social media and public websites without consent. 600+ law enforcement and government agency clients in the US. Fined €20M each by France, Italy, and Greece; £7.5M by the UK — all fines ignored (no EU assets). 2024 FTC consent order prohibits selling to private US businesses.
    Opt-out: app.clearview.ai/privacy/requests
  2. ChexSystems — banking history database; negative banking records (overdrafts, account closures, check fraud) used by banks when deciding whether to open accounts. A negative ChexSystems record can prevent you from opening a bank account anywhere.
    Free annual report: chexsystems.com — free disclosure report / Disputes accepted under FCRA

How to Opt Out — Your Practical Toolkit

If you want a starting point, a free opt-out guide covering 100+ brokers lists direct removal links with the steps for each site.

The Most Powerful Single Action: Credit Freeze

Place a security freeze on your credit file at all three bureaus — Equifax, Experian, and TransUnion — and also at Innovis (the smaller fourth bureau) and ChexSystems. Freezes have been free since 2018. A freeze prevents anyone — including you — from opening new credit in your name without first lifting it. If your SSN was exposed in any of the major breaches (and if you are a US adult, it probably was — the National Public Data breach alone exposed records on most US adults), a freeze is the single most effective protective action available.

Opt out of pre-screened credit and insurance offers simultaneously: OptOutPrescreen.com — one form stops pre-screened offers from all four major bureaus for 5 years, or permanently by mail.

Systemic Opt-Out Tools

  • Global Privacy Control: Enable GPC in Firefox, Brave, or via the Privacy Badger extension. This browser signal automatically transmits an opt-out-of-sale/sharing instruction to every website you visit. Legally required to be honoured in California and Colorado. The most persistent and comprehensive digital opt-out available.
  • NAI opt-out: optout.networkadvertising.org — opts out of interest-based advertising from 100+ NAI member ad networks. Cookie-based; re-apply after clearing cookies.
  • DAA opt-out: optout.aboutads.info — Digital Advertising Alliance member companies. Same cookie-based limitations.
  • DMAchoice: dmachoice.org — reduces direct mail from participating Direct Marketing Association members. $2 fee. Useful for reducing physical mail volume.
  • Do Not Call Registry: donotcall.gov — FTC registry. Stops telemarketing from compliant companies; does not stop scammers or political/charitable calls.
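
What the Global Privacy Control signal looks like on the receiving side, as an added example that is not part of the original guide: a GPC-enabled browser sends the request header `Sec-GPC: 1`, and a site that honours it stops sale and sharing for that visitor. The recipient list, purpose labels and the `storedPrefs` shape are constructed for illustration, and treating the signal as overriding an earlier stored choice is an assumption of this sketch.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// Recipient names and purpose labels below are constructed, not real vendors.

// A GPC-enabled browser sends "Sec-GPC: 1" with every request.
// Only the exact value "1" expresses the preference; anything else is "no signal".
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    // Header names are case-insensitive on the wire.
    if (name.toLowerCase() !== "sec-gpc") continue;
    // Some servers expose repeated headers as arrays; accept either shape.
    const values = Array.isArray(value) ? value : [value];
    return values.some((v) => String(v).trim() === "1");
  }
  return false;
}

// Hypothetical downstream recipients of visitor data, tagged by purpose.
// "sale" and "share" are the two categories an opt-out must stop;
// "service" covers processing needed to deliver what the visitor asked for.
const RECIPIENTS = [
  { name: "payments-processor", purpose: "service" },
  { name: "ad-exchange", purpose: "sale" },
  { name: "marketing-coop", purpose: "share" },
  { name: "fraud-screening", purpose: "service" },
];

// Decide which recipients may receive this visitor's data.
// Assumption: the GPC signal counts as an opt-out of sale and sharing and
// wins over a stored preference that says the visitor has not opted out.
function allowedRecipients(headers, storedPrefs = {}) {
  const optedOut = hasGpcSignal(headers) || storedPrefs.optOutOfSale === true;
  return RECIPIENTS
    .filter((r) => !(optedOut && (r.purpose === "sale" || r.purpose === "share")))
    .map((r) => r.name);
}

// Body of /.well-known/gpc.json, the resource a site publishes to declare
// that it honours GPC. lastUpdate is an ISO date supplied by the operator.
function gpcSupportResource(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Constructed sample requests.
console.log(allowedRecipients({ "Sec-GPC": "1" }, { optOutOfSale: false }));
console.log(allowedRecipients({ "User-Agent": "example" }, {}));
console.log(gpcSupportResource("2026-01-01"));
```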

California DELETE Act (Coming January 2026)

If you are a California resident, watch for the CPPA's deletion mechanism going live in January 2026. One request through the official CPPA portal will trigger mandatory deletion obligations from all ~500 registered California data brokers simultaneously. This will be the most powerful data removal tool ever made available to US consumers — set a calendar reminder.

What You Cannot Remove

Even after exhaustive opt-outs, several categories of data about you will remain beyond reach:

  • Public records: Property deeds, court filings, voter registration, professional licences, business filings, traffic records — all legally public and re-aggregatable indefinitely. Opting out of a data broker's profile does not alter the public records that feed it.
  • B2B data: Companies like LexisNexis Risk Solutions, Palantir, and government contractors access data streams that do not have consumer opt-out mechanisms. The data supplied to law enforcement and government agencies cannot be opted out of by the individual.
  • Breach data already in circulation: If your SSN or medical records were in the National Public Data, Change Healthcare, or T-Mobile breaches, that data is already on criminal forums. Opt-outs from commercial data brokers do not affect criminal data markets.
  • Offshore operators: Sites like FastPeopleSearch (Czech operator) have no legal obligation to honour opt-outs. They do so voluntarily — or not at all.

The structural conclusion is unavoidable: opt-outs are maintenance, not resolution. They reduce your commercial data broker exposure — meaningfully, if done systematically — but they do not eliminate it. The only durable solution is regulatory — either a federal right to erasure or the expansion of the California DELETE Act model to all states. Neither exists yet.
