What is a data broker

A data broker is a company that aggregates consumer data from multiple sources, builds detailed profiles tied to individual identities, and sells that data to advertisers, marketers, fraud-detection services, and increasingly law enforcement.

The US data broker industry is roughly $300 billion. The major players (Acxiom, LiveRamp, Oracle Data Cloud, Experian, Equifax, TransUnion) maintain profiles on essentially every US adult — typically 1,500+ data points per person.

Where the data comes from

Several pipelines:

ISP browsing records (US specifically). Since the 2017 net neutrality repeal, US ISPs can sell browsing data without opt-in consent. AT&T, Verizon, Comcast operate explicit data-monetisation programs. The data flows ISP → broker → advertiser.

Mobile app SDKs. Apps embed analytics and advertising SDKs that collect device IDs, location, behaviour, sometimes contacts. Vendors aggregate across many apps.

Public records. Court records, property records, voter registration. Aggregation makes look-up cheap.

Loyalty programs. Grocery store cards, credit-card rewards, airline frequent flyer programs. Merchants sell purchase data to brokers.

Browser tracking. Cookies, pixels, fingerprinting. Cross-site aggregation by ad-tech companies feeds broker profiles.

What is in a typical profile

For a US adult: demographics, income, net worth, address history, vehicle ownership, employer, behavioural patterns (shopping, charitable giving, political affiliation), health-adjacent data (some pharmacy data, fitness tracker patterns where shared), browsing patterns (where derivable from ISP feeds and app data).

The aggregation is the broker's value-add. Individual data points are widely available; tying them together into a unified profile linked to a single identity is what brokers sell.

Where VPN fits

A VPN closes the ISP-to-broker pipeline specifically. Your ISP cannot record what sites you visited, so they cannot sell that data to brokers.

A VPN does NOT affect:

• App-level data collection (apps run on your device, collect data, send to brokers)
• Browser fingerprinting (still works regardless of IP)
• Public-record-based data (court records, property records — none affected)
• Loyalty program data (you provide directly)
• Logged-in service tracking (Google, Facebook know you when you sign in)

For users who want comprehensive privacy from the broker ecosystem, the full stack is: VPN (ISP layer) + ad blocker (browser layer) + selective app permissions (device layer) + minimal loyalty-program participation (transactional layer) + periodic broker opt-outs (cleanup).

Opt-out and deletion

Major US data brokers must comply with deletion requests under California's CCPA, Virginia's VCDPA, and an increasing number of state privacy laws. EU users have stronger rights under GDPR.

Services like Privacy Duck, Optery, and DeleteMe automate the opt-out process for the major brokers. The data flows back from other sources, so periodic re-deletion is needed.

Read more in our data brokers blog post and What your ISP sees.