How data brokers profit off you without your (or the law’s) knowledge

a data broker’s world

“I’ll take the next in line over here.”

As I lumber to the lone open register of the CVS in Rhinebeck, New York, the middle-aged mom-type behind the counter gives me a kind smile. “Find everything you need OK?” she asks. “Yep, thanks,” I say, plopping down my armful of assorted products and pulling out my wallet.

“And do you have your CVS card with you today, sir?”

I fumble through my pocket, pulling out a jumbled tangle of keys and little plastic cards, each with its own unique bar code stamped on the back. Stop & Shop. PetSmart. Ace Hardware. I find the red one that says “ExtraCare CVS/Pharmacy.” It’s bent. I halfheartedly try to revive its original shape, thinking it might not scan.

These are the companies that “know more about you than you know about yourself.”

The nameless CVS clerk swipes my key-laden card across the infrared beam of her computerized register. My “guest number” appears on the screen. The woman begins to ring me up: a copy of Wired magazine, a box of CVS brand “Allergy Relief” medicine, a bottle of Aveeno Active Naturals Stress Relief Moisturizing Lotion, a box of Durex condoms, and four-pack of no-name AA batteries. Each one finds its way into a white plastic CVS bag.

“Your total comes to $20.14,” says the clerk. “And your savings today is $2.30”

 This scene may seem like a simple trip to the store, something each of us does countless times every week. What many of us may not realize, however, is that the use of CVS ExtraCare and other loyalty rewards cards is but one of many ways we toss precious details about ourselves into the grip of an impossibly complex shadow industry that has increasing control over our lives.

I’m talking, of course, about data brokers.

Those concerned with even minor violations of privacy have likely heard the term “data broker,” probably with a scowl on our faces. These are the companies that “know more about you than you know about yourself.” They collect information about the lives of nearly every adult in the U.S., from what we buy to who we love. And they use that data to make themselves, and countless other companies, bloody rich.

At least, that’s a common description that pops up when talking about the data broker industry. The reality is, we don’t really know what exactly defines a data broker.

“There’s no general agreement on the definition of a data broker,” says Tiffany George, an attorney in the Federal Trade Commission’s Division of Privacy and Identity Protection. And because we don’t even know what constitutes a data broker, it is currently impossible for the government to successfully regulate the industry.

… our offline activities and Facebook activities have become inexorably intertwined

Frustrated with the FTC’s answer to this basic question, I reached out to David Jacobs, consumer protection attorney for the Electronic Privacy Information Center (EPIC), to see if he could better pin this creature down.

“Typically, a data broker is a company whose primary business is to collect or maintain personal information, either itself or through contracts with other companies, and then regularly provides access to this information in exchange for some sort of consideration, like money or something else,” says Jacobs.

But that definition does not show the full picture, says Jacobs. For example, the companies or organizations that collect our data in the first place are not generally considered “data brokers.” This means Facebook, Google, Foursquare, or CVS are not actually data brokers – instead, they are rich sources for the data broker industry.

In recent years, however, the barriers between data broker and data source have become increasingly unstable. Facebook, which arguably “knows” more about us than any other consumer-facing company, currently partners with three of the largest data brokers in the U.S.: Datalogix, Acxiom, and Epsilon.

These partnerships mean our offline activities and Facebook activities have become inexorably intertwined. My purchase of Durex condoms may be compared against the number of Durex Facebook ads served to my demographic – 30, white, male, single – to discover their effectiveness, and better ensure that I continue to buy the product.

Defining the data brokers

Within their industry, there are two main types of companies: primary data brokers, and secondary data brokers. Primary data brokers gather your data straight from the sources: courthouses, police departments, consumer rewards card programs, trademark offices, and more.

“These are the ‘third-party partners’ that partner with companies like CVS, like Stop & Shop, to help them analyze their data,” says Sarah Downey, an attorney and privacy advocate for online privacy company Abine. “But they also sell that data.”

Among their customers are secondary data brokers. This includes companies like eVerify and Intelius, which combine even more social-network and Web-analytics data with our offline profiles. Even further down the chain are companies like Spokeo, BeenVerified, and PeekYou, “people search” providers that aggregate data from other primary and secondary data brokers, as well as online profiles and other source material. According to Privacy Rights Clearinghouse, there are more than 200 online data brokers.


It is this barrel-bottom group of data brokers, which allow anyone with as little as $15 to purchase personal information, that make the case for the kind of legislation that is currently not possible due to the industry’s squishy definitions.

Writing for Jezebel, an anonymous woman says her rapist was able to track her down, likely thanks to a Spokeo profile containing “incredibly detailed” information about where she lived, and many more details about her life.

“It listed everything from the types of pets I had to my profession, and included a street-view map showing our building,” she wrote. “I went to see if my profile appeared on any other directory sites (and there are quite a few out there), but none of them had anything nearly as comprehensive as the Spokeo listing.”

The services offered by BeenVerified, which advertises itself as a “background check company,” allegedly enabled a similarly horrifying tale.

“My husband was killed in March 1987. The person who killed him was tried, and convicted in 1992,” wrote an anonymous author from Poughkeepsie, NY, on RipOffReport, in 2011. “The defendant went to jail and was released last July after only serving 18 yrs out of a 25-life sentence. The defendant being savvy and enraged at being incarcerated has been using beenverified.com to try to find ‘me.’

… there’s little the law can do to stop it.

“I called, wrote, called and wrote over 500 times to not just beenverified.com but to dozens of other companies who, when you put my name in their data base my address pops up, this madman that killed my husband doesn’t need anything else to find me since these big companies are handing out my address like it was candy. Why isn’t the government or any other lesser government agency doing [anything] to protect the victims of violent crimes? Who looks out for us?”

While I was unable to verify this story, despite repeated attempts to contact the author, it illustrates an important fact: People-finder services like Spokeo and BeenVerified could very well be used for precisely these kinds of activities. And for now, there’s little the law can do to stop it.

1 of 3