If there's one thing all data brokers have in common, it's that they don't like to be called data brokers.
It's no wonder why, considering the term has become as sensitive as the data some companies collect for advertising purposes.
However, the legal definition of a data broker is quite simple.
In a 2014 report, the Federal Trade Commission broadly defined data brokers as companies that make money by collecting consumer data and selling it to third parties. Recent examples include X-Mode Social and its successor Outlogic, which settled FTC claims in January, and Kochava, which was recently the subject of a new FTC lawsuit.
Some state laws define data brokers more narrowly. California's takedown law, signed into law in October, defines data brokers as companies that collect and sell data about consumers with whom they have no direct relationship.
Federal and state regulators have recently begun ramping up efforts to prevent data brokers from exploiting consumers' personal data in ways they don't expect.
If you walk like a duck (probably a data broker)
This increased regulatory attention has certainly given the term “data broker” a negative connotation.
But being called a data broker is not necessarily stigmatizing. The term simply refers to commercial practices that, if done improperly (without proper consent), can be problematic from a privacy perspective.
Still, this is the implication why data brokers typically do not refer to themselves as such, even though selling data is at the core of their business.
Taking Experian as an example, the company acknowledges that data brokering is “an element of the Experian recipe,” said Chris Feo, SVP of global sales. But that's not the only part of the business.
subscribe
AdExchanger Daily
Get our editor's roundup delivered to your inbox every weekday.
Credit reporting aside, Experian's main focus is helping other companies connect their data across multiple sources, Feo said. That's why Experian likes to position itself as a “connection company.” thank you.
It's for a similar reason that TransUnion calls itself an “information and insights company,” while Equifax chooses “a trusted global leader in data, analytics, and technology.”
brokering peace
But regardless of what a company wants to call itself, “data broker” is a term defined by law, including new state laws with special requirements.
Currently, four states have enacted laws targeting data brokers: California, Vermont, Texas, and Oregon. California's takedown law is an amendment to existing state law, Vermont passed a data broker law in 2018, and Texas and Oregon's laws went into effect in September 2023 and January 2024, respectively.
These laws require data brokers to register with the state. This means that data brokers disclose the types of personal information they collect from consumers and the business purposes. Registration also imposes obligations on data brokers to demonstrate appropriate consumer consent verification and data collection disclosures.
However, some laws go beyond disclosure requirements. For example, California just updated its data broker law with a takedown law. The law, which goes into effect in January 2026, provides an easy way for California residents to request that the California Privacy Protection Agency remove their personal data from the databases of all data brokers based in the state. is required to be created.
“Companies can no longer just collect information. [and sell] It’s everything they want,” said Daniel Rosenzweig, founder and principal attorney at specialty law firm DBR Data Privacy Solutions.
State and federal regulators are “likely cracking down on data collection practices such as:” [fall] It exceeds the expectations of the average consumer,” Rosenzweig said.
For example, when people swipe a credit card at a store, they don't expect that transaction data to be stored in a third-party company's identity graph. But one of the most common data broker tactics is to aggregate consumer credit data and sell it to businesses for targeted advertising purposes, Rosenzweig said.
Signaling sensitivity
Increasing public concern about the risks of collecting and sharing sensitive data, in particular, is behind calls for tighter governance of data brokers.
For example, the 2022 Supreme Court decision striking down Roe v. Wade means that many women are now at risk of having their reproductive health information in the wrong hands, from using period tracking apps to visiting family planning clinics. I began to have a reasonable fear that it might end up in the hands of someone else.
“There is a huge focus on sensitive information, especially precise geolocation and health status. [data]'' Rosenzweig said. When data brokers sell sensitive personal information, it can harm consumers, and it certainly goes against the public's expectations.
what kind of consumer do However, we hope to have the ability to easily opt out of data collection and delete personal information previously collected by data brokers.
cause for concern
In light of increased scrutiny, data brokers are preparing for stricter regulation by ensuring that their business practices can pass legal scrutiny.
For example, if a user in Experian's identity graph opts out of data tracking on one of their devices, Experian will remove all connected device IDs for that user's entire household from the identity graph, Feo said. Masu.
The problem of signal loss in the online advertising industry is likely to become even more acute as data brokers continue to rein in their actions and adopt more restrictive approaches to data collection.
Whether companies like it or not, the only appropriate way to handle data collection and sharing in a “privacy-first” world is “consumer first.”