
Data brokers and your browsing history

Fexyn Team · 8 min read

The data broker industry generates roughly $300 billion in global revenue. The average data broker maintains 1,500+ data points per US adult. Most of this is invisible to the people whose data is being traded.

Most VPN content treats data brokers as an aside. They are central to why network privacy matters. Here is what the industry actually does, where ISP browsing data fits in the supply chain, and what a VPN does and does not change.

The industry

The major US data brokers:

Acxiom (LiveRamp's parent). ~2.5 billion consumer profiles. Demographic, behavioural, financial, and lifestyle data. Sells to advertisers, marketers, and researchers.

CoreLogic. Property and consumer data. Originally real-estate-focused; expanded to broader consumer profiling.

Oracle Data Cloud (formerly BlueKai, since wound down somewhat after privacy controversies). Aggregated consumer audiences for advertising.

LiveRamp. Identity-resolution platform; ties offline and online identifiers together. Industry standard for ad-tech identity matching.

Experian. Credit bureau plus separate consumer-marketing data businesses.

Equifax. Same dual structure.

TransUnion. Same.

Epsilon (Publicis Groupe). Marketing data; large ad-tech presence.

Verisk Analytics. Insurance-focused but broader consumer data.

Plus dozens of smaller brokers, location-data specialists (X-Mode, Cuebiq, Veraset historically), browsing-data specialists, mobile-app-data specialists.

Outside the US, the industry exists but is more constrained by privacy laws. EU data brokers operate under GDPR; UK brokers operate under the post-Brexit equivalent; other jurisdictions vary.

Where data brokers get the data

Several pipelines:

ISP browsing records (US). Since 2017 (post-net-neutrality repeal), US ISPs have legally been able to sell browsing data without opt-in consent. AT&T, Verizon, and others operate explicit data-monetisation programs. The data flows from ISP to data broker to advertiser.

App SDKs. Mobile apps embed SDKs from advertising networks and analytics providers. The SDKs collect device identifiers, location, behaviour, sometimes contacts and other sensitive data. Vendors aggregate across apps. The user's app permissions theoretically gate access; in practice many users grant broad permissions.

Public records. Court records, property records, voter registration, professional licences. Broker-aggregation makes lookup cheap.

Loyalty programs. Grocery store loyalty cards, credit card rewards programs, airline frequent flyer programs. The merchant collects purchase data and sells it to brokers.

Browser tracking. Cookies, pixels, fingerprinting. Broker-aggregation across sites.

Location data. Mobile apps with location permissions (weather apps, navigation apps, social apps) collect location traces. Sold to brokers; combined with other data points to build comprehensive profiles.

The pipeline matters. ISP browsing data flows specifically from ISPs to brokers. App data flows specifically from app developers to brokers. Different sources, different completeness, different ethical and legal frameworks.

What is in a data broker profile

A typical US adult's profile includes:

  • Demographics: age, gender, race, marital status, household composition
  • Income, net worth, credit score (separately regulated)
  • Home: address history, property value, ownership
  • Vehicle: ownership, make/model, lease/loan
  • Employer: industry, role, tenure
  • Behavioural: shopping categories, brand affinities, charitable giving
  • Health-adjacent: certain pharmacy data (more limited under HIPAA), fitness tracker patterns where shared
  • Political: party affiliation, voting frequency, donation history
  • Browsing: visited sites, search topics, content consumed (where derivable from cookies, app data, or ISP feeds)

Aggregation makes the whole greater than the sum of its parts. Individual data points are available in many places; the broker's value-add is correlating them into a single profile linked to a single identity.

How brokers tie identifiers together

The "identity resolution" problem. Different platforms see different identifiers — your email here, your phone number there, your cookie ID elsewhere, your home address on a credit application. Brokers tie these together into "personas" representing the same individual across sources.

Techniques:

  • Email matching. When the same email appears in multiple data sources, the broker ties them.
  • Phone-number matching. Same.
  • Address matching. Less reliable (households share addresses).
  • Probabilistic matching. Same browser fingerprint plus same approximate location plus same approximate online behaviour likely equals same person.
  • Device-graph matching. A specific device's identifiers (Apple ID, Google ID, advertising IDs) follow you across apps.

The result: a unified profile linked across data sources. Brokers sell access to these profiles for advertising targeting, fraud detection, identity verification, marketing analytics, and increasingly for political campaigns.
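The deterministic part of this matching can be sketched as follows. This is an added example, not code from the original article or from any broker: it links records with union-find over normalised email and phone keys, and shows both why address matching is less reliable and why a separate email address keeps a record out of the persona. All records and source names are constructed.

```python
from collections import defaultdict

# Constructed sample records from hypothetical sources (not real data).
RECORDS = [
    {"id": "loyalty-1", "email": "Pat.Lee@Example.com", "phone": None, "address": "12 Elm St"},
    {"id": "adtech-7", "email": "pat.lee@example.com ", "phone": "+1 (555) 010-2000", "address": None},
    {"id": "isp-42", "email": None, "phone": "15550102000", "address": "12 Elm St"},
    {"id": "loyalty-2", "email": "sam@example.org", "phone": None, "address": "12 Elm St"},  # housemate
    {"id": "shop-9", "email": "pat.alias@example.net", "phone": None, "address": None},  # separate email
]

def strong_keys(rec):
    """Normalised identifiers treated as deterministic match keys."""
    keys = []
    if rec.get("email"):
        keys.append(("email", rec["email"].strip().lower()))
    if rec.get("phone"):
        digits = "".join(c for c in rec["phone"] if c.isdigit())
        keys.append(("phone", digits[-10:]))  # assumption: US-style 10-digit numbers
    return keys

def resolve(records, use_address=False):
    """Group record ids into personas with union-find over shared keys."""
    parent = {r["id"]: r["id"] for r in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    seen = {}  # key -> first record id that carried it
    for r in records:
        keys = strong_keys(r)
        if use_address and r.get("address"):
            keys.append(("addr", r["address"].strip().lower()))
        for k in keys:
            if k in seen:
                parent[find(r["id"])] = find(seen[k])
            else:
                seen[k] = r["id"]
    groups = defaultdict(set)
    for r in records:
        groups[find(r["id"])].add(r["id"])
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(resolve(RECORDS))                    # email + phone only
    print(resolve(RECORDS, use_address=True))  # address wrongly merges the housemate
```

With email and phone alone, the loyalty, ad-tech and ISP records collapse into one persona while the record registered under a separate email stays unlinked; enabling address matching pulls the housemate into the same persona.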

What the data is used for

The legitimate-sounding uses:

  • Ad targeting: showing relevant ads instead of irrelevant ones
  • Fraud detection: flagging suspicious transactions based on demographic / behavioural anomalies
  • Credit decisions: data brokers feed into the credit system
  • Insurance pricing: actuarial models use broker data inputs
  • Marketing analytics: understanding customer cohorts

The more concerning uses:

  • Differential pricing: charging users different amounts based on broker-derived perceived willingness to pay
  • Employment screening: pre-hire research on candidates uses broker data
  • Political microtargeting: campaign messaging tailored to broker-derived political profiles
  • Law enforcement data purchase: agencies buying data they would otherwise need a warrant to obtain (this has been actively documented, particularly around location data)
  • Aggregation for surveillance: foreign intelligence agencies buying US broker data has been documented in news investigations

The line between "legitimate marketing" and "concerning surveillance" is blurrier than the industry typically acknowledges.

The ISP-to-broker pipeline specifically

This is the most VPN-relevant pipeline. Concretely:

  • Your ISP records your DNS queries, SNI, destination IPs, and traffic patterns
  • The ISP packages this data into anonymised cohorts (in theory) or pseudonymised individual data (in practice, depending on ISP policy)
  • The ISP sells it to a data broker
  • The broker correlates it with its existing profiles using IP-to-household matching
  • The broker sells to an advertiser, who targets ads based on inferred behaviour

The "anonymised" framing is often weaker than the marketing suggests. With enough data points, individual identification is possible from "anonymised" profiles. Academic research has consistently shown that browsing data labelled as anonymised can be re-identified with relatively few additional data points.
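The re-identification risk can be measured directly on a pseudonymised feed. The following is an added example, not part of the original article: it computes, for each pseudonym, the smallest number of known domains that matches only that user, and the fraction of users singled out by at most k domains. The feed, pseudonyms and domains are constructed.

```python
from itertools import combinations

# Constructed pseudonymised feed: pseudonym -> domains visited (not real data).
FEED = {
    "u01": {"news.example", "mail.example", "bank-a.example", "clinic.example"},
    "u02": {"news.example", "mail.example", "bank-a.example", "garden.example"},
    "u03": {"news.example", "mail.example", "bank-b.example", "garden.example"},
    "u04": {"news.example", "video.example", "bank-b.example", "chess.example"},
    "u05": {"news.example", "mail.example", "video.example"},
}

def anonymity_set(feed, known):
    """Pseudonyms whose history contains every domain in `known`."""
    known = set(known)
    return sorted(p for p, doms in feed.items() if known <= doms)

def min_points_to_single_out(feed, pseudonym):
    """Smallest number of that user's domains that matches only them, or None."""
    doms = sorted(feed[pseudonym])
    for k in range(1, len(doms) + 1):
        for combo in combinations(doms, k):
            if anonymity_set(feed, combo) == [pseudonym]:
                return k
    return None  # history is a subset of someone else's: never unique

def uniqueness_curve(feed, max_k):
    """Fraction of pseudonyms singled out by at most k known domains, k = 1..max_k."""
    mins = [min_points_to_single_out(feed, p) for p in feed]
    return [sum(1 for m in mins if m is not None and m <= k) / len(feed)
            for k in range(1, max_k + 1)]

if __name__ == "__main__":
    for p in FEED:
        print(p, min_points_to_single_out(FEED, p))
    print(uniqueness_curve(FEED, 2))
```

In this sample every pseudonym is singled out by two domains or fewer, even though no names or addresses appear in the feed.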

What a VPN actually changes

A VPN encrypts traffic between your device and the VPN provider. From the ISP's perspective:

  • They see encrypted traffic to a VPN provider
  • They cannot see the domain you visited (no SNI to read)
  • They cannot see what you queried (no DNS queries to log)
  • They cannot infer specific services (traffic shape obscured)

Result: the ISP cannot sell your browsing data to brokers because it does not have specific browsing data to sell. The volume and timing it CAN observe are much less commercially valuable than specific destinations.

What a VPN does NOT change:

  • App-level data collection. Apps still collect what they collect; SDKs still send to brokers. A VPN does not reach inside applications.
  • Browser fingerprinting. Tracking pixels and cookies still work. A VPN changes the IP, not the browser identity.
  • Logged-in service tracking. Google, Facebook, Amazon still know you when you sign in. A VPN does not anonymise authenticated activity.
  • Public records and offline data. Property records, court records, loyalty programs — none affected by network-layer encryption.
  • Already-collected data. A VPN going forward does not erase data brokers already have on you.

A VPN closes the ISP-to-broker pipeline. It is one piece of a layered privacy posture.

The full privacy stack

For users who care about the broader broker ecosystem:

  • VPN (network layer) — closes ISP pipeline
  • Privacy-respecting browser (Firefox + uBlock Origin + Privacy Badger; Brave; Tor Browser for high-stakes) — reduces browser-level tracking
  • Encrypted DNS (DoH or DoT to a no-logs resolver like Cloudflare 1.1.1.1, Quad9) — additional DNS-level protection
  • Selective app permissions — minimise what apps can collect
  • Privacy-focused alternatives — DuckDuckGo or Kagi instead of Google; ProtonMail instead of Gmail
  • Data broker opt-out — companies like Privacy Duck, Optery, DeleteMe automate the opt-out process for the major brokers
  • Mindful loyalty-program use — register with separate email, minimise volunteered data
  • Be wary of free apps — they monetise somehow; usually data

Any single layer is partial. The stack is what produces meaningful privacy. A VPN is one layer.

Frequently asked

Can I find out what data brokers know about me?

Mostly. The major brokers (Acxiom, Experian, Equifax, TransUnion) offer consumer-data access under various consumer-protection laws (US CCPA in California, EU GDPR). Requesting your file is free but laborious. Services like Optery automate this.

Can I get my data deleted from data brokers?

Yes, but it is a continuous battle. Brokers must comply with deletion requests in California (CCPA), the EU (GDPR), and an increasing number of other jurisdictions. The data tends to flow back from other sources, so periodic re-deletion is needed.

Will using a VPN remove my data from brokers?

No. Using a VPN going forward stops new ISP-to-broker data transfer for VPN-encrypted traffic. It does not erase historical data that brokers have already collected from any source.

Are some VPN providers themselves data brokers?

Some have been caught. Free VPN services frequently monetise through user-data sales. Reputable paid VPN providers explicitly do not (Mullvad, ProtonVPN, IVPN, Fexyn). When evaluating, the "no-logs" claim plus audit history is the relevant test.

Does GDPR protect me from data brokers?

In the EU, yes (much stronger protection than in the US). Data brokers in the EU operate under explicit legal limits on data collection and use. US users have CCPA in California; there is less protection elsewhere.

Is my data already out there?

Probably yes. Even if you have used a VPN since 2017, your data was collected before that, your apps continue to collect, and your offline activity (loyalty cards, public records) generates data. Privacy is a posture you take going forward; it is not something you achieve and finish.


Try Fexyn free for 7 days: it closes the ISP-to-broker pipeline, and no card is required for the trial. "What your ISP sees" covers ISP-level surveillance specifically; "How to choose a VPN" covers the buying decision.

Last reviewed 2026-05-09.
