Technology · 2026-07-09 · 8 MIN

The Data Brokers You Never Meet: How Your Information Gets Bought and Sold

A whole industry collects and resells information about you. You have almost certainly never heard of the companies in it, and that is not an accident.

Ask someone to name the companies that hold information about them, and they list the ones they deal with directly. The bank that keeps their money. The phone company that carries their calls. The shops and apps whose terms they scrolled past and accepted years ago. It is a fair list, and it leaves out the firms that may hold the fullest picture of all. Some of the companies that know the most about you are ones you have never heard of and will never knowingly meet. You hold no account with them. They send you no bill. Yet they may know where you slept last night, what you searched for last week, and which building you walked into on Tuesday afternoon.

These companies are called data brokers. They sit in the middle of the modern information economy, and they keep quiet about it. Hardly anyone can name a single one, and that is the first thing worth knowing about them.

What a data broker actually is

The Federal Trade Commission, the main consumer-protection regulator in the United States, has a flat definition: companies that collect personal information about people from a mix of public and private sources and then resell or share it with others. That is the whole business. A data broker does not make the phone you carry or the app you open. It makes files. Its product is a picture of you, put together and scored, sorted into categories, and sold to whoever will pay for it.

The business has one feature that defines it, and the FTC put it plainly to a Senate committee: these firms generally never deal with the people whose data they hold. No shopfront, no welcome email, no cancel button. That gap is what makes the whole thing work. You cannot object to a deal you cannot see. Because there is no relationship, there is never a moment when you might have said no. You did not pick a broker the way you pick a bank. The broker picked you, or really picked the trail of records you leave just by living a documented life.

Where the data actually comes from

Almost none of a broker's file is stolen. It is put together, legally and cheaply, from a few streams that all run at once.

The first is public records. Governments publish a lot about people as a matter of routine: property ownership, court filings, marriage and business registrations, professional licences, voter rolls where those are open. One at a time these documents are dull. Sorted by name and address and cross-referenced, they sketch the shape of a life: where you live, what you own, who you might be related to, what you do for a living.

The second is what people publish about themselves, mostly through social media profiles left open for anyone to read. The people search sites, one of the most familiar kinds of broker, scrape these along with the public records, stitch them into a single report, and sell it to anyone willing to pay a small fee.

The third one tends to surprise people, because it hides inside a system they think of as harmless: the advertising machinery of the web. When an app or website has ad space to sell, it does not just paste in an advert. In the split second before a page finishes loading, it runs a fast auction, a process called real-time bidding. To invite bids, it broadcasts information about the user to lots of possible advertisers at once: rough location, device, interests, the kind of person this is thought to be. The point of the broadcast is to place a relevant advert. But once the signal has gone out, it can be caught and kept. The FTC has taken action against firms that harvested data, including precise location data, out of these ad exchanges rather than using it only to place adverts, and has moved to bar companies from selling sensitive location data outright.

The fourth is simply other brokers. Files get bought, merged, added to, and resold between companies. That is why a single detail about you, a change of address, a health interest guessed from your browsing, can spread into many hands at once, long after you have forgotten the moment that produced it.

Put the four together and the point is clear. Each source, on its own, tells you little. The value comes from the merging. A property record, a browsing pattern, and a month of location pings stop being dull facts and turn into a dossier.

Why location keeps coming up

One thing runs through the recent enforcement cases: location. A person's movements, gathered without a break and sold on, are some of the most revealing data there is. Where a phone sleeps most nights is where its owner lives. Where it sits during working hours is where its owner works. The places in between, a fertility clinic, a cancer centre, a place of worship, a lawyer's office, can expose facts a person has told almost no one.

The FTC has gone after several companies over exactly this kind of tracking. In one closely watched case it acted against a carmaker and its connected-services arm over the collection and sale of drivers' geolocation data without their informed consent. The trail is no longer just the phone in your pocket. More and more, it is the car in your driveway.

The danger is not any single ping. It is the build-up. One location reading is a dot on a map. A year of them is a life: your routines, your relationships, your beliefs, and your weak spots, none of which you agreed to hand over, drawn out one ordinary Tuesday at a time.

Why it is so hard to see

The same basic fact sits under all of it: there is no direct relationship. Sign up for a service and you are, at least in theory, shown something to agree to, a line you cross, however lightly. With a data broker there is no line. No sign-up, no login, no notice, no moment of consent. The FTC has said again and again that people usually have no idea these companies got their data in the first place. If you never learn that a file exists, there is nothing to agree to and nothing to refuse.

For the industry, staying invisible is not a fault to fix. It is the condition that lets the market run. A trade carried out in full view of the people whose lives it packages would meet resistance that a trade carried out in the background never has to. Being hard to see is not a side effect of a complicated system. It holds the whole thing up.

The response, so far

Regulators have started to push back, though how hard depends a lot on where you live.

In the United States the FTC has ordered data brokers to explain what they do. In 2012 it made nine of them account for how they collect and use consumer data, and a 2014 report set out a broad call for transparency and accountability. Since then it has brought a run of cases over sensitive information, location most of all. The approach has been to take companies to task case by case rather than pass one sweeping law.

Elsewhere the response has been a broad law. The European Union's General Data Protection Regulation gives people the right to see the data held about them, to correct it, to have it deleted, and to be told how it is used. India's Digital Personal Data Protection Act, passed in 2023, sets out much the same set of rights for people who live there. The laws differ, but the pattern is the same. You now have rights on paper, and using those rights against an industry built to stay invisible is still genuinely hard. It is hard to ask a company to show you your file when you do not know the company exists.

Seeing the machinery

The data broker economy is a clear example of a system that shapes ordinary lives at a huge scale while staying almost entirely out of sight. No single villain built it. The records were already there, published in the normal run of government and commerce. The technology made gathering and merging them nearly free. And because there was no direct relationship, for years hardly any of the people being catalogued ever noticed it happening.

This is less a reason to panic than a reason to pay attention. Knowing that the machinery exists, who runs it, where the raw material comes from, and why it prefers to stay hidden is what anyone needs before deciding what to do about it. The middlemen have counted on never being seen. Seeing them is where any real answer has to start.

Sources

  • U.S. Federal Trade Commission, "What To Know About People Search Sites That Sell Your Information".
  • Federal Trade Commission, "Data Brokers: A Call for Transparency and Accountability" (2014).
  • Federal Trade Commission, "FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data" (2024).
  • Federal Trade Commission, "FTC Finalizes Order Settling Allegations that GM and OnStar Collected and Sold Geolocation Data" (2026).

Delvewire