How to reclaim your online data from internet data brokers

• The collection of personal data from consumers online has become a lucrative industry known as data brokerage.
• Many people are unaware of the personal information being collected about them, how it is being traded, and how they can safeguard their privacy.
• Experts suggest several ways to safeguard sensitive information online.

Few people realize the extent of data brokers' personal information collection, which has been happening in the shadows of the internet for years and involves billions of people worldwide.

The global data broker industry demonstrates the value of aggregated personal data, which is harvested, packaged, and sold for profit based on every online move, including clicks, purchases, and likes.

The increasing use of artificial intelligence tools may lead to more personal information being scraped from the internet and a more aggressive data brokering industry, which is exacerbating data privacy concerns. A 2023 study by Pew Research found that the American public is becoming increasingly confused about what companies do with their data. In the latest survey, 67% of Americans said they understand little to nothing about what companies are doing with their personal data, up from 59% in a previous survey in 2019. Additionally, a majority of Americans (73%) believe they have little to no control over what companies do with their data.

Arjun Bhatnagar, co-founder and CEO of Cloaked, stated that many people are unaware that their phone number can be used by data brokers and bad actors to uncover sensitive information, including a Social Security number, address, email, and family details. To protect personal information, Cloaked generates a unique "identity" for each online account.

While many data brokers adhere to ethical standards, some smaller, lesser-known brokerages may violate regulations and use data in harmful ways, according to cybersecurity expert Roger Grimes of KnowBe4. The lack of clear regulations around data brokerage contributes to these practices going unchecked.

According to OneRep, some of the largest providers of data brokerage services include Experian, Equifax, TransUnion, LexisNexis, Epsilon (formerly Acxiom), and CoreLogic. Additionally, people-search services Spokeo and Intelius are also among the top data brokers. These companies operate across multiple industries and handle both publicly available information and more sensitive consumer data. They offer various services, ranging from marketing analytics to credit scoring and background checks. However, depending on the state you live in, they may not have to comply with data privacy laws.

The data industry has grown significantly, and Experian, Equifax, and TransUnion are just a few of the many companies involved in data collection and marketing. While these companies are well-known for their credit services, they now generate revenue from a range of digital marketing activities. According to Jeff Chester, founder and executive director of the Center for Digital Democracy, data collection has become a crucial aspect of modern business, with companies from various sectors collecting and selling data to others. Chester stated, "Today, everyone is a data broker. The ability to target consumers online has become a core part of business."

As a security expert, I strive to secure everything as much as possible, but I am also aware that despite my expertise, I may be overexposed, said Bruno Kurtic, president and CEO of data security firm Bedrock Security.

To safeguard against financial risks, he advises individuals to freeze their credit reports as a preventive measure against identity theft and to prevent unauthorized accounts or loans from being opened in their name.

Inside data brokers' massive vault

On average, individuals with an online presence have approximately 1,000 data points collected by cybersecurity experts.

Chris Henderson, senior director of threat operations at Huntress, stated that it is crucial for them to gather as much information as possible about you because the more data they have, the more specific and costly it becomes.

According to privacy experts interviewed by CNBC, data brokers typically collect a range of information.

• Basic identifiers. Full name, address, phone number, and email.
• Financial data. Credit scores and payment history.
• Your online search history, purchases, buying locations, and frequency of buying specific products.
• Your health data includes your medications, medical conditions, and interactions with health-related apps or websites.
• Your preferences and tendencies towards certain ads can be inferred from your behavioral data.
• GPS data from apps that monitor your travel, shopping habits, and frequency of visits to specific locations in real-time.
• Data brokers gather information about your lifestyle, income, preferences, religious or political beliefs, hobbies, and charitable giving tendencies based on your browsing and media consumption habits.
• Data brokers can use social media and messaging app data to analyze your relationships with family, friends, and colleagues, and track the frequency of your interactions to determine the depth of your bonds.

Little oversight around data privacy

Unlike the GDPR in the European Union, there is a lack of comprehensive regulation around data privacy, which allows data brokers to operate with minimal oversight.

"According to Chelsea Magnant, adjunct instructor of cyber leadership at NYU's Center for Global Affairs and a director at corporate consulting firm Brunswick, the lack of a comprehensive federal privacy law that specifically regulates the industry makes it difficult to combat them. Instead, we have a patchwork of state laws with varying privacy protections that these companies are familiar with and can navigate."

In 2018, California enacted comprehensive legislation with the California Consumer Privacy Act, giving residents more control over their personal data. In 2020, voters approved an expansion of the CCPA, called the California Privacy Rights Act, which took effect in 2023. The CPRA offers the most extensive protections in the U.S., including data correction, limiting the use of sensitive information, and requiring businesses to honor opt-out preference signals. It also imposes stricter data-protection obligations on companies, such as minimizing data collection.

After that, nearly 20 other U.S. states have adopted similar laws; nonetheless, the specific requirements and benchmarks for companies to adhere to differ significantly among states.

RSA's chief information security officer, Rob Hughes, stated that the varying business environments, economies, and perspectives among different states pose a threat to citizens' protection, as there is no uniform approach to safeguard them from data brokers.

Despite the strict privacy laws in some states, there is doubt that smaller companies in the data brokerage industry will adhere to them. Kurtic stated, "These companies manage extremely sensitive data sets and must act like the most sensitive enterprises. However, we know that some data brokers do not operate their businesses in this manner."

How to take control of your data

To safeguard your privacy, it's crucial to reevaluate the amount of personal information you share daily, advises Cloaked's Bhatnagar. Although we can't completely conceal ourselves, consumers must adopt new behaviors and technologies to minimize what they reveal, such as disabling location tracking permissions, rejecting cookies, and avoiding posting personal information online. Moreover, utilizing secure browsers, VPNs, and tracker blockers can aid in this endeavor.

Technology giants like Apple are consistently enhancing and expanding their privacy features, including those found on the latest iPhone and iOS update.

According to a spokeswoman for Equifax, U.S. consumers have the option to opt out of their personal information being shared in accordance with state privacy laws. On average, opt-out requests made through Equifax's Privacy Preference Center are processed within one business day, and consumers are notified of a successful submission through the company's Preference Center. Additionally, consumers can review the types of third-parties that companies such as Equifax share personal data with in the privacy section. Opt-out links and instructions are readily available for most major data brokers.

Experts advise that reclaiming or deleting your data from brokers can be a challenging task that is both time-consuming and frustrating. Each broker has its own opt-out procedures, and even after you've removed your data, it often resurfaces, sourced from other places.

"If you remove your data from their systems, it negatively impacts their revenue, so they are less likely to make it easy for you to do so," said Henderson. "In the end, if more people request their information to be removed, the less appealing they become to advertisers as brokers."

Services such as DeleteMe, Kanary, OneRep, and PrivacyDuck charge a fee to manage ongoing tasks related to data removal, and their popularity is increasing. In October, Consumer Reports launched Permission Slip, a free app that helps users control which companies can collect, store, and sell their personal data. The app relies on donations to continue operating, which can be made through the app or the Consumer Reports website.

To get started with data privacy, experts recommend the DIY approach.

To identify the brokers collecting your data, you can conduct a Google search using your name, phone number, and email address. You may find your name on sites like Spokeo, Whitepages, or MyLife. Additionally, you can visit the websites of the largest data brokers and search for your information.

You can submit a request to delete your data on the opt-out page of these companies' websites, including at the links listed above, so they cannot share your data with third-party companies. However, it's important to note that each broker may have different processes for handling these requests and state laws vary when it comes to what types of data are covered. Some data brokers may also require you to provide identification or verify your identity.

To ensure your data has been removed from data brokers' sites, periodically revisit their sites after submitting opt-out requests. It may take several weeks or months for your request to be processed.

Regularly updating your online security practices is crucial. Secure passwords, two-factor authentication, and encryption tools can help safeguard your information. Additionally, using virtual identities, such as alternative email addresses and phone numbers, can further protect your personal information.

If a data broker does not comply with a deletion request, you may have the option to file a formal complaint with regulatory authorities such as the Federal Trade Commission, which has previously taken legal action against the industry.

It's crucial to note that not all states offer the same level of privacy protection. If you suspect your rights have been breached, seek legal advice from a privacy attorney.

'The future is unfortunately dark'

According to Chester, experts say that deleting data is only a temporary solution, "a Band-Aid to address a gaping wound."

"The consumer has been put in a difficult position," he stated. "Data is now a form of payment," he added, citing instances where consumers seek discounts in grocery stores or pharmacies. "This is a comprehensive privacy issue that requires Congress or the FTC to address. The notion that individuals can manage their privacy on their own is misguided. While it is possible to shut down a small portion of it, it would require a significant amount of time and effort. Once a consumer opts-in for a discount at a store, the process starts all over again."

As technology progresses, the future of the data broker industry presents both opportunities and challenges, according to Javad Abed, an assistant professor of information systems at Johns Hopkins Carey Business School. He predicts that data brokers will continue to adapt with the advancement of AI and machine learning.

""As AI technology advances, data brokers will use it to create increasingly detailed and predictive profiles, including biometric and behavioral data, resulting in a more complex problem," Abed stated."

While Abed sees potential in blockchain and privacy-enhancing technologies to disrupt the data brokerage model, he remains skeptical and believes that a collaborative effort is necessary. He believes that the future is uncertain and that the main actors are not motivated for a collaborative change.

""Configuring settings on social media, browsers, and search engines is not a winning proposition for telling our grandmothers or a child, as it requires a combination of regulation, technology on the vendor side, and know-how on our own personal side," Kurtic said. "Until regulation intervenes, data brokers will continue to collect as much data as possible, as these are revenue streams for companies that may not have other recurring revenue streams. Given there's no regulation stopping businesses from selling information about you, I don't see the practice stopping, especially given how lucrative it is," Henderson added."