ANALYSIS

How to Identify a Data Broker in the EU (When They Don't Call Themselves One)

Ask whether there are data brokers in the European Union and you get an oddly difficult answer. There is no EU-wide register you can search. Unlike California, where the CPPA runs a public Data Broker Registry, or Vermont, which pioneered broker registration in the United States, no European instrument requires a company to declare itself a data broker and sign a public list. The term is not a legal category under the GDPR. A company can collect, profile and sell personal data on a large scale and never once describe itself as a data broker on its website.

So the honest answer is: yes, there are many. A 2025 study commissioned by the Belgian data protection authority through the European Data Protection Board identified more than forty data brokers and data providers operating in Belgium alone. The harder question is the practical one. If they do not use the label, and no registry lists them, how do you find them?

The same study answers that question. Its answer is the useful part. It sets out a framework, built for regulators, for deciding whether a company is likely brokering personal data based on what it does rather than what it calls itself. That framework transfers cleanly to anyone trying to work out who holds their data.

Why business registries fail to identify data brokers

The first instinct of any investigator is to look for an official classification. In Belgium that meant NACEBEL codes, the national version of the European NACE system for classifying business activity. The study started there, selecting the codes closest to data brokerage: information service activities, data processing and hosting, database creation, database provision.

It did not work. Those codes returned 7,864 companies, most of them unrelated to brokering anything, while missing several firms already known to be brokers. The reason is simple and it applies across the EU: activity codes are self-reported. A company picks its own classification, and a broker has no incentive to pick one that invites scrutiny. Overly broad codes swallow thousands of ordinary businesses; narrow ones get skipped. The register tells you what a company was willing to say about itself, which is not the same as what it does.

That is the core problem. Identification has to run the other way. You cannot start from a name or a code; you start from behaviour.

A framework for identifying European data brokers

The study, authored by Ruben d'Hauwers for the EDPB's Support Pool of Experts and finalised in November 2025 (updated April 2026), works through three stages: define what a data broker is, search for candidates by behavioural signal, then classify each candidate against a typology. What follows reproduces the parts of that framework that are directly reusable. Full credit and the source link are at the end.

What counts as a data broker: the working definition

The study reviewed the academic and regulatory literature, from the FTC's 2014 report onward, and distilled a single working definition:

"Data brokers are commercial entities that collect personal data from a range of public and private sources. They process, analyze, infer, and aggregate this data to create detailed consumer profiles, which are then monetized by developing informational goods and services offered to third parties. These activities typically take place without the knowledge or direct control of the individuals concerned."

Read that closely and it is not really a definition of a kind of company. It is a description of a chain of activity: collect, combine, profile, sell, all without the person's involvement. Any company whose business runs that chain is doing the work of a data broker, whatever it prints on its homepage.

Five criteria for identifying a data broker

From the definition, the study derived five criteria. A company that meets all five is a data broker in the full sense. These five criteria are the test you can apply yourself.

CriterionWhat it means
Collects from multiple sourcesData is gathered from different public and private sources: mined, scraped, or bought.
Processes into profilesPersonal data is aggregated and profiled, not merely stored.
Monetises the dataData is sold or exchanged with data consumers or other brokers.
No meaningful individual controlLimited direct relationship with the person; data collected with little of their knowledge and less of their control.
Handles personal dataThe data relates to an identified or identifiable natural person, as defined by Article 4(1) GDPR.

Selection criteria for a data broker. Source: EDPB SPE Data Brokers Market Study (d'Hauwers, 2025), Table 1.

The study added a sixth, jurisdictional filter for its own purposes, whether the company's main establishment sits in Belgium, but that is about which regulator has competence, not about whether the company is a broker. For identification, the five above are the substance.

The catch, which the study is candid about, is that very few companies meet all five cleanly. That is not because brokers are rare. It is because the business has fragmented into forms that each satisfy the definition in their own way, and most sit in a grey zone. Which is where the typology earns its place.

Types of data brokers and data providers

Rather than force a yes or no, the study built a typology of eight types, ranked by the privacy risk each one carries. The ranking turns on three things: whether the data is about individuals or aggregated, whether multiple sources are combined, and how granular the result is. The high-risk types handle individual-level personal data combined across sources. The medium-risk types deal in aggregated data where the concern shifts to re-identification.

TypeRiskWhat distinguishes it
Personal data brokerHighCombines individual data across sources, profiles people, sells without the person's control. Meets all five criteria.
Data pool & clean roomHighData shared and combined in a collaborative setting between partner companies, often pseudonymised or encrypted.
AI platform integrating personal dataHighProfiles individuals to train an algorithm; the data is not sold directly but built into an AI product.
Data broker with user controlHighSells user-provided data while leaving the individual some degree of control over its use.
Self-generated data providerMediumCreates and sells its own individual-level datasets without combining them with outside sources.
Business data brokerMediumCompiles and sells business records that still include personal detail: contact data, professional profiles.
Data marketplaceMediumA platform where others buy and sell data; re-identification risk arises when sources are combined.
Aggregated data providerMediumDeals in aggregated datasets that can be re-identified when combined at fine granularity.

Eight types of data broker and data provider, ranked by preliminary privacy risk. Source: EDPB SPE Data Brokers Market Study (d'Hauwers, 2025), Table 4.

The value of the typology is that it names the disguises. A company will not describe itself as a personal data broker. It will describe itself as a customer data platform, a data clean room, an audience solution, an enrichment service, or a business intelligence provider. Each of those is a recognised type in the table above. The typology lets you match the marketing language to the underlying activity.

How to find the personal data processing companies that broker data

Because codes and labels fail, the study's working method was to read what companies say about their capabilities and match it against the definition. It analysed the websites of eighteen known or former brokers, including Acxiom, TransUnion, RocketReach, CoreLogic and Recorded Future, and extracted the vocabulary they use to sell their services. Those terms then became the search signals.

Some phrases turned out to be strong indicators. "Data pool", "data collaboration", "data as a service", "B2B data", "geomarketing", "data enrichment" and "buy leads" reliably surfaced companies doing brokerage work. Others, the softer marketing terms like "consumer insight", "customer data platform", "identity intelligence" and "predictive data", were weaker on their own but meaningful in combination. A company that describes itself with several of these, sells access to the result, and has no obvious direct relationship with the people in its data, is very likely brokering personal data regardless of the word "broker" appearing nowhere on the site.

The framework changes what you are doing. Instead of looking a company up in a register, you read what it does and score the likelihood that it brokers data.

Which companies are brokering your personal data?

The framework was built for a supervisory authority mapping a national market. The logic runs identically at the level of one person. The question "which companies are brokering my data?" has the same shape as the regulator's question, and the same answer method: you cannot rely on a list, so you identify the holders by what they do and then act on them.

The difficulty is volume. Applying the definition, the criteria and the typology to every people-search site, marketing-data firm, credit-reference agency, clean room and enrichment provider that might hold a record on you is exactly the exhaustive work the Belgian study needed a commissioned expert to do for one country. Most people do not have the time to trace which companies, beyond the ones already named in our EU opt-out list and removal guides, are quietly brokering their data.

That tracing is the work we do. The Mirror is a digital footprint audit: it identifies and classifies which brokers and providers actually hold records on you, using the same behavioural logic the framework describes, at the level of one individual. Where you want those records removed rather than just mapped, the Eraser handles the removal against each holder. Identification first, then removal.

The limits of the EDPB data broker study

Three caveats matter. The study states each of them plainly.

It is Belgium-scoped. The company list covers firms with an establishment in Belgium, gathered between early and late 2025. It is not an EU-wide directory of brokers, and it was never meant to be. What transfers across the EU is the method rather than the roster.

Its risk assessment is preliminary. The rankings rest on publicly available information, mostly company websites. The study is explicit that a full privacy risk assessment would need more than that. High risk in the table means higher likelihood of concern, not a finding of non-compliance.

And the definition is not law. "Data broker" remains a descriptive category in the EU, not a regulated status with a registration duty. That is precisely why a behavioural framework is needed in the first place. Where the United States is slowly building registries, the EU relies on the GDPR's general rules applying to whoever processes personal data, broker or not. Those are the same rights you can exercise against data brokers across Europe, and the burden of identifying who holds your data falls on you.

Data brokers in the EU: common questions

Is there a data broker registry in the EU?

No. There is no EU-wide data broker registry. California (through the CPPA) and Vermont operate broker registries in the United States, but no equivalent European instrument requires a company to register as a data broker. Brokers are identified by their activity, not by a public list.

What is the difference between a data broker and a data provider?

The EDPB study treats "data broker" as the full case, a company that collects from multiple sources, profiles individuals, and sells the result without their control, and uses "data provider" for the related types that meet the definition only partly, such as a firm selling its own self-generated data or aggregated datasets. The typology of eight types captures that spectrum.

Are data brokers legal in the EU?

Brokering data is not prohibited as such, but any company processing personal data in the EU must comply with the GDPR: a lawful basis, transparency, and respect for data subject rights including access and erasure. "Data broker" is a descriptive term, not a licensed status, so the general rules apply regardless of the label.

How many data brokers are there in the EU?

No one has a complete count, which is part of the problem. The EDPB study identified more than forty data brokers and providers in Belgium alone; the EU-wide figure is unknown because there is no register and companies do not self-identify.

Sources

  • European Data Protection Board, Support Pool of Experts. Data Brokers Market Study, by Ruben d'Hauwers. Commissioned by the Belgian Data Protection Authority. Finalised November 2025, updated April 2026 (v2). edpb.europa.eu.
  • Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability (2014) — the definitional lineage the study draws on.
  • California Privacy Protection Agency, Data Broker Registry (cited as the US registry contrast).

Don't have the time to work out which companies, beyond the ones named in our guides, could be brokering your data? The Mirror identifies and classifies the brokers and providers that actually hold records on you; the Eraser removes them.

Talk to an Analyst

Share this briefing

If this was useful, sharing it helps others protect themselves. It also helps keep the intelligence briefings free.