We disclose a lot of information about ourselves online, both willingly and for convenience, as well as unwittingly. That data has become the basis for a new and lucrative business. Data brokers gather information about us that’s used to build marketing profiles and sell us things we don’t need or which are actively harmful for us. There are laws about making them delete that data – but how easy is it to do it?

In short: what is a data broker?

Data brokers are companies that collect information on internet users both from services and apps you use daily as well as by scraping public records, making it possible to create frighteningly intrusive profiles of personal information. Such data can include names, ages, genders, phone numbers, as well as a wide variety of interests. That data can then be purchased by anyone else willing to pay for it.

Your personal data is important – to massive industries

In 2019, there were at least 4,000 data brokerage companies¹. The largest of them was collecting data on 500 million users – and up to 3000 data points per user (that’s an industry term of a single piece of data  – knowing that you have a cat and are a Muslim would be two data points). All that data allows them to put people in tens of thousands of categories. 

But no company is collecting your data just for the heck of it. Data brokers exist because every data point about you is valuable. The industry was worth $150 billion as far back as 2012. Now, it’s even bigger, especially when advertising gets involved. Everyone wants to get the most bang for their buck in marketing, so increasing efficiency via better targeting is very attractive. But to target an audience, you need to know them intimately. 

What personal data is collected?

To show you just how much an advertising agency can do with your data they purchased from a brokerage, we consulted a real flesh-and-blood marketing professional. Based on publicly available information and our correspondence with data brokers, here’s a fairly basic model of what data they’d be collecting about you:

Phone number
Ethnicity
Home Address
Religion
Email Address
Hobbies
Full name
Media usage
Age
Purchase history
Gender
Occupation
Education
Search History
Marital Status
Political affiliation

These data points will then be used to tailor ads you see on: 

  • Google;
  • Facebook and Instagram feeds;
  • Websites you visit;
  • Emails;
  • Short messages (SMS);
  • Influencer videos; 
  • And even in the real world.

But that’s just a dry bullet point list. We have some deeper insights to share about its use. 

How does the market use your personal data?

Aside from how annoying ads are and what a bane on the environment the consumer culture is, your data, it may be used to sell you products that are bad for your health, like tobacco and gambling. 

Let’s say they’re targeting non-smokers. Below you will find a hypothetical scenario showing how a marketing agency for tobacco products can profile its potential customers based on their social qualities.

Step 1. First of all, the marketers will want the brokers to provide data on social qualities. They target males over females as well as Native Americans and Caucasians over Hispanics and Asians². The exception of flavored cigarettes and such, which are predominantly used by the female³, LGBTQ+⁴ and Black demographic⁵.

Step 2. Then, they’d separate out people with religious affiliations that are against smoking. They’re also less likely to target pet owners and parents. 

Step 3. They can slice those ads by geographic region. If they’re targeting people in Europe, they’d need to go after affluent people between the ages of 18 and 30 who like to drink and party. People with interest in sports and yoga are excluded. But if they want to market in the US, they’ll go after lower income individuals in poor areas⁶, only targeting higher income targets if they show interest in marijuana. 

Bonus step. If the data broker knows that you’re already a smoker, that’s a blessing for marketers promoting gambling products. Since smokers gamble more⁷ and more men gamble than women⁸, you’ll target smoking men! Are they pet owners or sports fans? Then you target the former with products that enable gambling at home and the latter will convert (read: buy your product) better if your ads talk about how knowledgeable they are about sports – and betting on sports is gambling

Data is also useful when determining channels and time of placement. Marketing wisdom says that Google ads are best placed during work hours and Facebook ads during leisure time. Facebook ads in particular can be aimed according to country, state, zip code and address. 

This is but a small sample and a professional marketer could go on forever. And as you can see, your data can be used in ads that may do you more harm than just making you buy a mattress from a company named after a friendly ghost. We are in no way implying that profiling people is okay. This is just an example to provide context based on reliable sources.

Getting access to your own data would take forever

Article 15 of the European General Data Protection Regulation (GDPR) (and others, like the California Consumer Privacy Act (CCPA)) states that a person has the right to know what information the data brokers have collected on them. We wanted to test this, so we reached out to 36 data brokers (26 of which are newcomers to the market) with requests to disclose our data. 25% of them – or nine companies – didn’t reply to us at all

On average, a data broker newcomer responded to our emails in 3 and a half days. For an established broker, that number grew to almost two weeks. That’s two weeks just to get a response to your first email – plenty of time to forget that you sent it in the first place.

But it doesn’t end there. The average time between the first response and the final one was more than 12 days for a large broker and almost 3 days for a new broker. To get a final response – a summary of what data they had about us or that the broker didn’t have our data – took little over 6 days from our first letter with a new data broker and more than 20 days  with an established one. That’s nearly a month for a seemingly easy task that should be done along clearly-established company lines.

Though there’s a possibility that those lines are purposefully established to be annoying. One aspect that drove up the numbers is that the established companies required us to fill out excessive forms before giving us our data. That’s why it took 3.2 letters to finalize the process with the large businesses and only 1.2 letters on average to small ones. Don’t forget the period of time those emails are spread out over!

These were the results from trying to contact 36 data brokers – or less than 1% of the currently existing broker companies (of which there are 4000). If you contact one broker at a time and each request only took as much time as the industry newcomer average, it would take 66  years to finalize your data inquiry requests.

This discounts two things: the appearance of new companies (all but guaranteed seeing how the business is booming) and companies starting to collect your data sometime after your request (and you can give them a great head start by filling out those excessive forms). 

Contacting a broker: no guarantees of success 

After our email experiment was concluded, the numbers showed that only 27 out of 36 brokers – or 75% – responded to our requests. 

Of the market newcomers, 19 of the 26 responded within 14 calendar days of our first email. This can be explained by the smaller companies not having had the time to develop the obstacles and a big enough legal department to help them craft deterrence. 

For our letter campaign, we used a varied approach. Some letters were generic, just asking for information like a regular user would. Others were crafted to lean more on the legal side of things, citing appropriate laws. 

However, data brokers aren’t always responsive to such requests. Even when they respond, they are likely to make the person making the inquiry jump through several hoops, like providing a personal ID copy or filling out forms.

Of the 10 large data brokers, only 5 responded to our emails within a month. For those non-responsive, we sent a letter crafted with full help of our legal department. As there are multiple state agencies tasked with overseeing data protection, this helps motivate the data brokers to be more forthcoming with our data. 

Mentioning the GDPR regulation in a more extensive manner prompted three more the data giants to respond.

When it came to responses, 13% of big-time brokers asked our researchers to submit a copy of their IDs (or a passport, or a driver’s license) – none of the newcomers did that.

63% of the large brokers asked for additional personal data (outside of ID copy) while only 11% of newcomers did. This request included data such as:

  • postal address;
  • a bank statement or other type of proof of address;
  • date of birth;
  • e-signature;
  • country of residence. 

Newcomers mostly asked to confirm their email or a connection to the data broker.

63% of the responding large brokers and 16% of the newcomers asked us to fill out an online form to process our request, asking to provide more information than is necessary for such a request. 

In the end, 9 brokers claimed they only collect data from persons in specific countries (US, UK, France, etc.). 13 claimed to have searched their databases and found no data related to our requests. 5 submitted the data they had by sending us a file. 

How do I get the brokers to delete my data?

Having gotten this far into the article, you may be getting a sneaking suspicion that making the brokers delete your data won’t be easy.

You’re right. 

A lot depends under what laws the brokers operate – and in the US, that changes state by state. Even the legislation in California, probably the strongest in the country, may not be enough to bring the brokers to do what you want.

That is, if you manage to get them to respond at all. As you can see from our experiment, the brokers are many, but the ways to make them talk are few. 

Get some aid in reclaiming your privacy 

There’s potentially reams of your data floating out there. If you tried finding it all by hand and asking for its removal, it would take years (and a lot of annoyance) to do it yourself. This is something you should consider when you’re fleshing out your social media profiles, filling out online forms, and signing up for newsletters. Once all that data is out, it’s almost impossible to take it down! 

Luckily, Surfshark has developed a new service called Incogni that automates the process of reclaiming your privacy. You can sit back and relax, while we take care of removing your data off the market!

Entrust clearing your data to professionals

Get Incogni

An example of an email using natural language to request information.

Hi,

I would like to inquire about any personal information of mine, which your company might have. Could you send it to me, please?
Best wishes,


Dear Sender,

Thank you for reaching out to TrueData. We put privacy at the forefront of our business and support applicable privacy regulations. To continue with your request, please fill the following web-forms.
For opt-out request, please use:
https://info-prod.truedata.co/opt-out-request
For other requests, please use:
https://info-prod.truedata.co/access-delete-request
Thank you for sharing our commitment to privacy. For further information, including the categories of data we collect, please see our privacy policy at https://www.truedata.co/privacy-policy/ .

Thank You,
The TrueData Privacy & Compliance Team

An example of a data broker backing up from their disproportionate request

Thank you for your email.

In order for us to comply with your request, we must first check whether you are present in our databases and, where applicable, extract the data we have about you. To do so, we would need your postal address as well as your email address if different from the one you use in these exchanges.

In addition, in order to comply with article 12 6° of the General Data Protection Regulation, and before communicating any information to you, we must also ensure your identity. To do so, please provide us a copy of a valid proof of ID (national identity card or passport or driving license). You may prefer to redact or blur the photo and/or ID number on the ID document before sending it to us. That’s fine, as we do not need those for the verification. We will only process this proof of ID for the purpose of honouring your subject access request and we will delete it as soon as we have established your identity. Upon receipt of these elements, we will be able to perform a complete search of our databases and get back to you as soon as possible, and in any case, within 30 days following confirmation of your identity.

Kind regards,


Dear LiveRamp,

Thank you for your reply.

In accordance with GDPR article 12.6, could you please specify why you have reasonable doubts concerning my identity? I would like to know what the exact reasons for the doubts are.

Besides, I would like to emphasize that my legitimate interest is to access my data rather than provide additional and disproportionate information.


Thank you for your response.

In order to ensure that we comply with our data protection obligations, we are required to take reasonable steps to verify the identity of individuals making requests for access to personal data. This is to make sure that we don’t inadvertently provide personal data to the wrong person.

We note that you do not wish to provide us with copies of identity documentation. We confirm that we will run a search against all data associated with the information you provided us and will let you know if we require additional proof of identification based on the data we may find.

An example of an exchange involving the advanced legal letter.

“Dear Sir / Madam,
Hope this email finds you well. I am writing to you regarding the request of my private data, which I have submitted on 10th of August 2021. Note that the initial request was submitted more than 30 days ago. As per GDPR you are obliged to comply within a 30 days period. Please be advised that in the case of refusal to comply with the request or failure to respond, I will be exercising the right to submit a complaint to a competent authority in order to review your privacy practices on behalf of the requestor.
Please confirm once this request is completed.
Kind regards,”

Sources:

  1. WebFX Team. 2020. “What Are Data Brokers – And What Is Your Data Worth?”. March 16, 2020. https://www.webfx.com/blog/internet/what-are-data-brokers-and-what-is-your-data-worth-infographic/ 
  2. Centers for Disease Control and Prevention. 2020. “Current Cigarette Smoking Among Adults in the United States”. December 10, 2020. https://www.cdc.gov/tobacco/data_statistics/fact_sheets/adult_data/cig_smoking/index.htm 
  3. Centers for Disease Control and Prevention. 2021. “Menthol and Cigarettes”. 2021 July 16, 2021. https://www.cdc.gov/tobacco/basic_information/tobacco_industry/menthol-cigarettes/index.html#3 
  4. Fallin, Amanda, Goodin,  Amie J.  & King, Brian A. 2015. “Menthol cigarette smoking among lesbian, gay, bisexual, and transgender adults”. American Journal of Preventive Medicine. https://pubmed.ncbi.nlm.nih.gov/25245795/ 
  5. Centers for Disease Control and Prevention. 2021. “Menthol and Cigarettes”. 2021 July 16, 2021. https://www.cdc.gov/tobacco/basic_information/tobacco_industry/menthol-cigarettes/index.html#3 
  6. Centers for Disease Control and Prevention. 2020. “Current Cigarette Smoking Among Adults in the United States”. December 10, 2020. https://www.cdc.gov/tobacco/data_statistics/fact_sheets/adult_data/cig_smoking/index.htm 
  7. Petry, Nancy M. & Oncken, Cheryl. 2002. “Cigarette smoking is associated with increased severity of gambling problems in treatment-seeking gamblers”. Addiction. https://pubmed.ncbi.nlm.nih.gov/12084144/ 
  8. National Center for Responsible Gambling. Fact Sheet, Gender and Gambling Disorder. https://www.ncrg.org/sites/default/files/oec/pdfs/ncrg_fact_sheet_gender.pdf 
  9. Christl, Wolfie. 2017. Corporate Surveillance in Everyday Life, How Companies Collect, Combine, Analyze, Trade, and Use Personal Data on Billions. A Report by Cracked Labs. Vienna. https://crackedlabs.org/dl/CrackedLabs_Christl_CorporateSurveillance.pdf