Data brokers

Data brokers collect, analyse, combine, and package some of our most sensitive personal information and sell it as a commodity to each other, to advertisers, even to those same public authorities, often without our direct knowledge, let alone our consent. Brokers are considered to be among the most likely potential adversaries that have the motivation to attempt a re-identification (identity disclosure, link disclosure and content disclosure), and have the necessary tools.


Financial gain. Where there is money being made, there is a market, and there are middlemen brokering data, of which many do not even consider themselves a data broker. While this industry has been around for decades, most people have never heard of data brokers. Thanks to advances in data science and its role in enabling the current internet marketing and advertising and advertising eco-systems, it has grown into a multibillion dollar global industry that operates in the shadows with virtually no oversight.

Past patterns

Some data broker products are beneficial or harmless, others are a threat to our privacy.

  • Credit bureaus have played and still play a critical data brokerage role in mediating access to financial data. They begun building databases in the mid 20th century, to catalogue us and our habits for marketing, fraud detection or credit scoring purposes. They have adapted to be able to ingest and process the streams of information we make available about ourselves today.

  • Police in both the United States and Europe purchase information and assistance to profile people based on personal data.

  • Political parties are targeting their digital outreach based on details of individual behaviour.

  • Employers routinely turn to data brokers to purchase reports regarding job candidates.

  • In the US, one data broker disclosed in a government filing that “they buy our health information, electronic health records, prescriptions, claims data, and they also put in information about our health from social media.” These “longitudinal” health profiles are then sold to thousand of clients, including the federal government.


In the European Union, the GDPR was established, but public authorities and civil society struggle to apply its rules in concrete ways. Regulatory guidance seems not entirely complete.


Information about millions of people is sold to corporate and governmental actors in both the US and Europe. Data brokers, and the profiling techniques used, are giving large institutions more visibility than ever before into people’s private lives.