How We Verify Every Data Broker in Our Directory
Every broker in our directory is verified against California's statutory definition. Here's our 4-layer verification process: legal classification, registry cross-reference, URL health monitoring, and weekly audits.
Why Broker Verification Matters
When you sign up for a data removal service, you're trusting that service to send removal requests to the right companies. But how do you know the companies on their list are actually data brokers?
At GhostMyData, every single entry in our broker directory goes through a 4-layer verification process before we'll send a removal request on your behalf. Here's exactly how it works.
Layer 1: Legal Classification
Every company in our directory is assigned one of six legal classifications based on California Civil Code Section 1798.99.80:
STATUTORY_DATA_BROKER
Companies that collect and sell personal information from consumers with whom they have no direct relationship. These are the only companies that receive automated removal requests.
Examples: Spokeo, WhitePages, BeenVerified, Intelius, Radaris, TruePeopleSearch
DIRECT_RELATIONSHIP
Companies where users create accounts and voluntarily provide their own data. NOT data brokers under California law.
Examples: Match.com, Bumble, HireRight, Trustpilot
SERVICE_PROVIDER
Companies that process data on behalf of other businesses, not for their own commercial purposes.
Examples: SiteGround, Cloudflare, analytics platforms
GRAY_AREA
Companies that exhibit both broker and non-broker characteristics. Excluded from automated removals pending legal clarification.
Examples: Zillow, Healthgrades, Yelp
SOCIAL_PLATFORM
Social media companies where users create profiles and post content. Subject to CCPA/GDPR deletion rights but not data broker specific regulations.
Examples: LinkedIn, Facebook, Instagram
MONITORING_ONLY
Breach databases, dark web sources, and AI services that are monitored for exposure detection but cannot be "removed" from.
Examples: Have I Been Pwned, breach databases, facial recognition services
Layer 2: California Registry Cross-Reference
California's Privacy Protection Agency maintains an official data broker registry. Under the Delete Act (SB 362), companies meeting the statutory definition must register annually or face fines of $200 per day.
We cross-reference our directory against this registry quarterly:
- Registered brokers receive the highest confidence classification
- Unregistered companies meeting the definition are flagged for manual review — they may be non-compliant with registration requirements, or they may not actually be brokers
- Companies NOT on the registry that also don't meet the statutory test are reclassified or removed
This registry check catches cases where a company's practices have changed. If a previously registered broker is removed from the registry, we investigate why.
Layer 3: Daily URL Health Monitoring
A verified broker with a broken opt-out URL is effectively unremovable. Our compliance monitoring system checks every opt-out URL in our directory every day:
What We Check
- HTTP response codes (200, 301, 404, 500, etc.)
- Response times
- SSL certificate validity
- Whether the opt-out form is actually functional
How We Classify Health
- Healthy: 2xx or 3xx responses, or expected blocks (403, 405, 429 — these typically indicate a working but rate-limited form)
- Broken: 404 (not found), 410 (gone), or 5xx server errors
- Network error: DNS failures, timeouts — we retry before classifying as broken
What Happens When a URL Breaks
- Our system flags the broken URL immediately
- We search for the broker's current opt-out page (companies often redesign their sites)
- If found, we update the URL and verify it works
- If the broker's opt-out page is truly gone, we investigate whether the company is still operating
- Companies whose opt-out infrastructure has disappeared entirely are marked DEFUNCT and removed from active processing
Results
In our most recent audit, we found and fixed 21 broken opt-out URLs — 18 were corrected with new URLs, 2 companies were marked defunct, and 1 was reclassified as email-only removal.
Layer 4: Weekly Classification Audits
Every Tuesday, an automated audit runs against our entire directory. It checks:
Classification Consistency
- Does the company's classification match its actual behavior?
- Has the company been acquired or merged with another entity?
- Has the company changed its data collection practices?
Subsidiary Tracking
Many data brokers operate under multiple brand names. For example:
- Intelius owns Instant Checkmate, TruthFinder, and several other people-search sites
- Spokeo operates under its main brand but pulls from dozens of data sources
- PeopleConnect operates multiple people-search brands
Our directory tracks these subsidiaries so that a single removal request to the parent company covers all related brands.
Compliance Rate Monitoring
For each broker, we track:
- Success rate: What percentage of removal requests result in confirmed deletion?
- Average response time: How long does the broker typically take to process a request?
- Opt-out URL health: Is their removal form consistently available?
Brokers with consistently low success rates or unresponsive opt-out processes are flagged for review. In some cases, we switch from automated form submission to direct email or API-based removal methods.
What We DON'T Expose
Our verification process generates data that's useful for internal operations but potentially harmful if exposed publicly:
- False positive rates — internal accuracy metrics that could be misinterpreted
- Consecutive failure counts — technical debugging data
- Internal operational notes — team communications about specific brokers
- HTTP response details — technical data that could be used to circumvent broker protections
We share broker success rates and health status with users because it helps set realistic expectations. We keep the rest internal to protect our process and our users.
How This Compares to Industry Practice
Based on our research, most data removal services use a simpler approach:
| Practice | Industry Typical | GhostMyData |
| Legal classification | None or informal | 6-tier statutory test |
| Registry cross-reference | Rare | Quarterly |
| URL health monitoring | Manual or none | Daily automated |
| Classification audits | Annual or never | Weekly automated |
| Public transparency | Minimal | Full methodology published |
| Subsidiary tracking | Basic | Comprehensive parent-child mapping |
The Numbers
Our current directory includes:
- 1,500+ tracked sources (including subsidiaries and aliases)
- 500+ verified statutory data brokers that receive automated removal requests
- 27 reclassified companies removed in our February 2026 compliance audit
- 21 broken URLs fixed in the same audit cycle
- 100% opt-out URL health across active brokers after corrections
What This Means for You
When you see a removal request in your GhostMyData dashboard, you can be confident that:
- The target company is a verified data broker under California law
- The opt-out URL we used was health-checked within the last 24 hours
- The company's classification was verified within the last 7 days
- If the company operates subsidiaries, those are tracked and covered
We'd rather show you 500 verified broker removals than 1,000 that include non-brokers, broken links, and companies that will ignore the request.
Try It Yourself
Start a free scan to see which verified data brokers have your personal information. Every removal request we send is backed by our 4-layer verification process.
Frequently Asked Questions
How many data brokers does GhostMyData cover?
Our directory tracks 1,500+ sources including subsidiaries and aliases. After compliance verification, approximately 500+ are classified as verified statutory data brokers that receive automated removal requests.
How often is the broker directory updated?
Opt-out URLs are health-checked daily. Legal classifications are audited weekly. The California registry cross-reference happens quarterly. New brokers are added as they're discovered and verified.
What happens if a broker's opt-out form breaks?
Our monitoring system detects the break within 24 hours. We search for the updated URL, verify it works, and update our directory. If the broker's opt-out process is permanently gone, we investigate and reclassify if necessary.
Can I see which brokers have my data?
Yes. When you run a free scan, we check our verified broker directory and show you which brokers have your information. You can then request removal from any or all of them.
Why don't you target more companies to maximize removals?
Because sending removal requests to non-brokers wastes your time, has no legal basis, and undermines the industry. We prioritize accuracy over volume — every removal we report is from a verified data broker.
Related Reading
- The Legal Definition of a Data Broker
- Why We Removed 27 Companies From Our Removal List
- The Data Broker Compliance Problem No One Is Talking About
- How to Remove Yourself from Spokeo
Ready to Remove Your Data?
Stop letting data brokers profit from your personal information. GhostMyData automates the removal process.
Start Your Free ScanGet Privacy Tips in Your Inbox
Weekly tips on protecting your personal data. No spam. Unsubscribe anytime.