The FTC's New Rules on Data Brokers: What Changes for You
The Federal Trade Commission has fundamentally reshaped the data broker landscape with new regulatory frameworks that affect how your personal information can be collected, sold, and used. While the United States has historically taken a hands-off approach to data broker regulation compared to Europe's GDPR, recent FTC actions signal a dramatic shift in federal oversight. Understanding these changes isn't just about compliance—it's about knowing what protections you actually have and how to exercise them.
Overview of the Legal Framework
The FTC's approach to data broker regulation represents a patchwork evolution rather than a single comprehensive law. Unlike the European Union's unified GDPR framework, U.S. federal privacy regulation has developed through a combination of FTC enforcement actions, industry guidance, and strategic use of existing consumer protection statutes.
The FTC's Legal Authority
The FTC derives its data broker enforcement power primarily from Section 5 of the FTC Act (15 U.S.C. § 45), which prohibits "unfair or deceptive acts or practices in or affecting commerce." This broad mandate has allowed the agency to pursue data brokers for:
- Deceptive practices: Making false claims about data security, anonymization, or consumer control
- Unfair practices: Collecting or using data in ways that cause substantial injury to consumers without offsetting benefits
- Inadequate security: Failing to implement reasonable safeguards for sensitive personal information
The FTC has also invoked the Fair Credit Reporting Act (FCRA) when data brokers provide information used for credit, employment, insurance, or other FCRA-covered purposes. This is significant because FCRA imposes strict accuracy requirements and gives consumers specific rights to dispute information.
Recent Enforcement Actions That Set New Standards
The FTC's 2024 enforcement priorities have crystallized through several landmark actions:
Kochava (2022-2024): The FTC sued the data broker for selling precise geolocation data that could be used to track individuals to sensitive locations like reproductive health clinics, places of worship, and domestic violence shelters. This case established that selling location data without adequate safeguards constitutes an unfair practice under Section 5.
InMarket Media (2024): The FTC required the location data company to delete all previously collected location data and implement a comprehensive privacy program. The settlement prohibited selling or licensing any precise location data without express consumer consent—a requirement that goes beyond most state privacy laws.
Outlogic (formerly X-Mode Social) (2024): Another location data broker faced similar restrictions, with the FTC explicitly stating that selling sensitive location data creates "substantial injury" to consumers that isn't outweighed by any benefits.
These cases don't just punish individual companies—they establish precedents that effectively create new rules for the entire industry. The FTC has made clear that sensitive location data now requires explicit opt-in consent, not just buried disclosures in privacy policies.
The Advance Notice of Proposed Rulemaking (ANPR)
In October 2023, the FTC issued an ANPR on commercial surveillance and data security, signaling potential formal rulemaking on data brokers. While not yet finalized, the ANPR indicates the FTC is considering rules that would:
- Require affirmative express consent for collecting and sharing sensitive data
- Mandate data minimization (collecting only what's necessary for disclosed purposes)
- Limit retention periods for personal information
- Establish security standards based on data sensitivity
- Create restrictions on algorithmic decision-making that produces discriminatory outcomes
The comment period revealed strong support from privacy advocates and state attorneys general, suggesting eventual rules may be quite stringent.
Who Is Covered and What's Protected
Understanding who falls under FTC data broker rules and what information receives protection is crucial for knowing when your rights apply.
Defining "Data Broker" Under FTC Guidance
The FTC defines data brokers as companies that collect and sell personal information about consumers with whom they don't have a direct relationship. This includes:
- People search sites like Whitepages, Spokeo, and BeenVerified that compile public records and other sources
- Marketing data aggregators like Acxiom, Experian Marketing Services, and Oracle Data Cloud
- Location data brokers like SafeGraph (now defunct), Placer.ai, and similar companies
- Consumer profile compilers that create detailed dossiers for advertising, fraud prevention, or other purposes
Importantly, the definition focuses on the lack of direct consumer relationship. Companies that collect data from their own customers (like retailers or social media platforms) face different regulatory frameworks, though the FTC can still pursue them under Section 5.
Categories of Protected Information
Not all data receives equal protection under FTC enforcement priorities. The agency has established a hierarchy of sensitivity:
Highly Sensitive Data (requiring explicit opt-in consent):
- Precise geolocation data (within a radius that can identify specific buildings)
- Health information including reproductive health, mental health, and medical conditions
- Financial account information beyond what FCRA already covers
- Social Security numbers and government identifiers
- Biometric data including facial recognition, fingerprints, and voiceprints
- Children's information (COPPA provides additional protections for under-13)
Moderately Sensitive Data (requiring clear disclosure and reasonable security):
- Contact information (email, phone, physical address)
- Demographic data (age, income range, education)
- Purchase history and consumer preferences
- Employment information
- Public records (though collection is legal, use may be restricted)
Contextually Sensitive Data (sensitivity depends on use):
- Web browsing history becomes highly sensitive when revealing health conditions, political affiliations, or religious beliefs
- App usage data similarly varies in sensitivity based on app categories
- Aggregate data that can be de-anonymized through combination with other datasets
The FTC has emphasized that context matters tremendously. Even seemingly innocuous data like shopping preferences becomes sensitive when used to infer protected characteristics like pregnancy status, sexual orientation, or medical conditions.
Exemptions and Gray Areas
Certain entities and uses remain outside current FTC data broker enforcement:
- FCRA-covered consumer reporting agencies already face specific regulations (though the FTC can enforce FCRA compliance)
- HIPAA-covered entities handling protected health information under medical privacy rules
- Financial institutions regulated under Gramm-Leach-Bliley Act (GLBA)
- Government agencies and their contractors (though state laws may apply)
- Purely journalistic uses protected by First Amendment considerations
The gray area involves public records data. While data brokers can legally compile court records, property records, and other public information, the FTC has signaled that selling comprehensive dossiers combining multiple public sources may still constitute unfair practices in certain contexts—particularly when used for stalking, harassment, or discrimination.
Step-by-Step Process: Exercising Your Rights Under FTC Framework
While the FTC doesn't provide consumers with a private right of action (you can't sue data brokers directly for FTC violations), understanding the regulatory framework helps you exercise the rights you do have and file effective complaints.
Step 1: Identify Which Data Brokers Hold Your Information
The challenge with data brokers is that most people don't know which companies have their data. Unlike businesses you interact with directly, data brokers operate in the background.
Action steps:
- Search for yourself on major people search sites: Start with Whitepages, Spokeo, BeenVerified, Intelius, PeopleFinders, and TruthFinder. These consumer-facing sites often reveal what information is publicly available.
- Check data broker registries: Vermont requires data brokers to register annually. Review the Vermont Data Broker Registry to see the 300+ registered brokers (though many more exist).
- Review marketing opt-out databases: The Digital Advertising Alliance's opt-out tool shows which ad-tech companies have placed tracking cookies on your browser.
- Consider a comprehensive scan: Services like GhostMyData scan 2,100+ data brokers—far more than the 35-500 covered by most competitors—to identify where your information appears. This is significant because most DIY approaches miss the vast majority of brokers.
Step 2: Submit Removal Requests (Where Applicable)
If you live in California, Virginia, Colorado, Connecticut, Utah, or other states with privacy laws, you have statutory opt-out rights. Even without state law protection, many data brokers offer voluntary removal processes—though they're often deliberately cumbersome.
For CCPA-covered California residents:
- Look for "Do Not Sell My Personal Information" links on data broker websites (required under CCPA)
- Submit requests without creating accounts (brokers cannot require account creation)
- Verify your identity using only information necessary for verification (typically name, email, and address)
- Expect compliance within 45 days (15-day extension allowed with notice)
For residents of other states:
- Check each broker's privacy policy for voluntary opt-out procedures
- Submit requests via provided web forms, email addresses, or postal mail
- Document all requests with screenshots and confirmation emails
- Follow up if you don't receive confirmation within 30 days
Reality check: Manually opting out is extraordinarily time-consuming. With over 2,100 data brokers operating in the U.S., comprehensive removal requires hundreds of hours of work. Moreover, data brokers frequently re-add information from public records and other sources, requiring ongoing monitoring.
Step 3: File FTC Complaints for Violations
When data brokers violate FTC standards—particularly regarding sensitive data or deceptive practices—filing a complaint helps the agency identify patterns warranting enforcement action.
File a complaint when:
- A data broker sells sensitive location data without consent
- Privacy policy claims are demonstrably false
- A broker refuses legally required opt-outs (in states with privacy laws)
- Data security is grossly inadequate (like storing SSNs in plaintext)
- Information is used for discriminatory purposes
How to file:
- Go to ReportFraud.ftc.gov
- Select "Other" then specify "Data Broker" or "Privacy Violation"
- Provide specific details: company name, URLs, dates, what data was involved
- Include documentation: screenshots, emails, privacy policy excerpts
- Explain the harm: identity theft risk, stalking concerns, discrimination, etc.
The FTC uses complaint data to identify enforcement priorities. While individual complaints rarely trigger immediate action, patterns across multiple complaints often do.
Step 4: Leverage State Privacy Rights
If you live in a state with comprehensive privacy legislation, you have stronger tools:
California (CCPA/CPRA): Right to know what data is collected, right to delete, right to opt out of sale, right to correct inaccuracies. File complaints with the California Privacy Protection Agency. Private right of action for data breaches.
Virginia (VCDPA): Right to access, delete, correct, and opt out. File complaints with the Virginia Attorney General. No private right of action.
Colorado (CPA): Similar rights to Virginia, plus right to opt out of profiling. Complaints to Colorado Attorney General.
Connecticut (CTDPA): Access, deletion, correction, opt-out rights. Complaints to Connecticut Attorney General.
Utah (UCPA): Access, deletion, and opt-out rights. Complaints to Utah Division of Consumer Protection.
Each state law has different thresholds for which businesses are covered (typically based on revenue and data volume), but most major data brokers fall within scope.
Step 5: Monitor for Re-Appearance
Data brokers continuously refresh their databases from public records, data partnerships, and other sources. A single removal rarely provides permanent protection.
Monitoring strategies:
- Set up Google Alerts for your name, phone number, and address
- Quarterly manual checks of major people search sites
- Annual comprehensive reviews of data broker presence
- Automated monitoring services that track 2,100+ brokers and handle recurring removals
The reality is that effective data broker removal requires ongoing effort—not a one-time action. This is where automated services that use AI agents to handle continuous monitoring and removal become practical for most people.
Common Pitfalls and How to Avoid Them
Even with good intentions, consumers often make mistakes that undermine their privacy efforts or waste time on ineffective strategies.
Pitfall 1: Providing More Information Than Necessary
The mistake: When requesting removal, some consumers provide extensive personal information to "prove" their identity—including SSNs, dates of birth, driver's license numbers, or copies of government IDs.
Why it's problematic: You're giving sensitive data to the very companies you're trying to remove it from. Many data brokers have poor security practices, and some are outright malicious actors.
The solution: Provide only the minimum information required for verification. Under CCPA, brokers can only request information "reasonably necessary" to verify identity. For most removals, name, email, and address suffice. Never provide SSN, driver's license, or financial information unless legally required (which it rarely is for opt-outs).
Pitfall 2: Focusing Only on Consumer-Facing People Search Sites
The mistake: Many people search for themselves on Spokeo or Whitepages, submit removal requests to the handful of sites where they find information, and consider the job done.
Why it's problematic: Consumer-facing people search sites represent less than 5% of the data broker ecosystem. The vast majority of brokers operate business-to-business, selling data to marketers, fraud prevention companies, background check services, and others. Your information on these B2B brokers never appears in Google searches but is actively bought and sold.
The solution: Understand that comprehensive removal requires addressing both consumer-facing and B2B data brokers. The difference between services that cover 35-50 brokers versus 2,100+ brokers is the difference between addressing 2% versus 100% of the problem.
Pitfall 3: Believing "Incognito Mode" Protects You
The mistake: Using private browsing mode and assuming this prevents data collection.
Why it's problematic: Incognito mode only prevents your browser from storing local history and cookies. It does nothing to prevent websites, advertisers, ISPs, or data brokers from tracking you. Your IP address, device fingerprint, and browsing behavior are still visible and collectible.
The solution: Use actual privacy tools: VPNs to mask IP addresses, browser extensions like Privacy Badger or uBlock Origin to block trackers, and privacy-focused browsers like Brave or Firefox with enhanced tracking protection. More importantly, address the root problem by removing your information from data broker databases where it's already stored.
Pitfall 4: Assuming Public Records Can't Be Removed
The mistake: Believing that because information comes from public records (court documents, property records, voter registration), it's permanently and unavoidably public.
Why it's problematic: While the underlying government records remain public, data broker compilation and resale of that information can often be stopped. Many states allow sealing or redacting certain records. Moreover, even when records themselves remain public, you can remove your information from commercial databases that aggregate and sell it.
The solution: Distinguish between government records and commercial data broker databases. You may not be able to remove a property deed from county records, but you can remove your information from Zillow, Trulia, and dozens of data brokers that republish property ownership data. For sensitive records (domestic violence protective orders, witness information, etc.), investigate state-specific confidentiality programs.
Pitfall 5: Ignoring Mobile App Permissions
The mistake: Casually granting apps access to location, contacts, photos, and other data without considering how it's used.
Why it's problematic: Mobile apps are a primary source of data for brokers. That free flashlight app that requests location permission? It's likely selling your movement patterns to data brokers. Apps often share data with dozens of third-party SDKs (software development kits) that aggregate information across apps.
The solution:
- Review and revoke unnecessary app permissions in iOS Settings → Privacy or Android Settings → Privacy → Permission Manager
- Delete apps you don't actively use
- Choose "Allow Once" or "Ask Every Time" for location rather than "Always Allow"
- Read app privacy labels (required in iOS App Store and Google Play Store)
- Prefer web versions of services over apps when possible (web browsers have better privacy controls)
Pitfall 6: Falling for "Free" Data Broker Removal Scams
The mistake: Using "free" services that claim to remove your information from data brokers but actually collect your data to sell to other brokers.
Why it's problematic: Some malicious actors pose as privacy services while actually operating as data brokers themselves. They collect detailed personal information under the guise of "verification" then add it to their databases.
The solution: Research any service before providing personal information. Look for:
- Transparent business models (legitimate services charge fees or use freemium models)
- Clear privacy policies explaining exactly what they do with your data
- Verifiable company information (real addresses, identified leadership)
- Reviews from reputable sources (not just testimonials on their own site)
- Specific details about their coverage (vague claims like "major data brokers" are red flags)
Templates and Resources
Having the right templates and knowing where to find authoritative resources makes the removal process more efficient.
Opt-