Public Data Loophole: Why Brokers Sell Your Info

Here's the brutal truth: data brokers aren't breaking the law when they publish your address, phone number, and voting history online. They're exploiting a massive legal loophole called the "publicly available data exemption" — and it's perfectly legal in every state.

This exemption means that any information originally sourced from government records can be republished, aggregated, and sold without your consent. Your property deed? Fair game. Voter registration? Completely legal to publish. Marriage certificate? Already online. The publicly available data exemption has created a parallel surveillance economy that operates entirely within the bounds of privacy law, and it's why even the strongest state privacy laws can't fully protect you.

The Legal Framework That Makes This Possible

Every major privacy law in the United States — from California's CCPA to Virginia's CDPA — includes an explicit carve-out for publicly available information. The legal definition is straightforward: if data is lawfully made available from federal, state, or local government records, it's exempt from most privacy protections.

The FTC confirmed this in multiple advisory opinions. No federal law prevents the collection and republication of public records. State laws can't override this because of First Amendment protections around publishing truthful information.

Here's what qualifies as publicly available under most state definitions:

• Voter registration records (name, address, party affiliation, voting history in 30+ states)
• Property records (deeds, sales prices, property tax assessments, ownership history)
• Court documents (civil filings, divorce records, judgments, liens)
• Business registrations (LLC filings, professional licenses, corporate officer listings)
• Marriage and birth certificates (varies by state, but often includes full names, dates, locations)

The kicker? Once this data enters the public domain through government sources, data brokers can repackage it infinitely. They're not just copying public records — they're creating sophisticated profiles by linking your voter registration address to your property deed to your court records, building a comprehensive dossier that no single government database could provide.

Who Is Actually Protected (And Who Isn't)

This is where the exemption gets messy. Privacy laws do protect certain categories of data, but the protection is narrower than most people realize.

What's Covered by Privacy Laws

Most state privacy laws apply to personal information collected through commercial transactions or private interactions. If a company collects your email when you sign up for their service, or tracks your browsing behavior with cookies, or purchases your shopping history from a data broker — that's covered. You have rights to access, delete, and opt out of sale for that data.

The laws also create special protections for sensitive personal information: Social Security numbers, financial account details, precise geolocation data, health information, and in some states, biometric data. Even if this information appears in public records (like SSNs in old court filings), republishing it may violate other statutes.

What the Exemption Excludes

The publicly available exemption means you cannot force a data broker to delete information they sourced from government records. Even under California's strong deletion rights, if your address came from voter registration, it's exempt. If your property value came from county assessor records, it's exempt.

Our removal data shows this plays out in predictable patterns. When we submit deletion requests to brokers, about 40% cite the publicly available exemption as their reason for denial. They'll remove your email address (collected commercially) but keep your home address (sourced from voter rolls).

The exemption also creates bizarre edge cases. If a broker has your phone number from two sources — one from a commercial data purchase and one from a business license filing — they can legally keep the business license version even after you request deletion of the commercial version. Same phone number, different legal status.

How Data Brokers Exploit Public Records

The mechanics of this exploitation are more sophisticated than just scraping government websites. Data brokers have built industrial-scale operations around harvesting government records online and cross-referencing them with commercial data to create comprehensive profiles.

Step 1: Bulk Public Records Acquisition

Data brokers don't manually search county recorder websites. They purchase bulk data feeds directly from government agencies. Many states sell entire voter registration databases for a few hundred dollars. County assessors provide property records on DVD or via FTP. Court systems offer bulk downloads of case filings.

Some examples of actual pricing we've documented:

• Florida voter file (complete state): $5 per county, roughly $335 for all 67 counties
• Texas property records: varies by county, typically $50-200 for bulk access
• Federal court PACER filings: $0.10 per page, but brokers negotiate bulk access

This isn't public access in the traditional sense. These are commercial transactions between data brokers and government agencies that treat public records as a revenue source.

Step 2: Cross-Referencing and Profile Building

Once brokers have raw public records, they use sophisticated matching algorithms to link records across databases. Your name and birth year from voter registration gets matched to your property deed, which gets matched to your business license, which gets matched to any court filings.

This creates profiles that are far more invasive than any single public record. A voter registration privacy concern becomes exponentially worse when linked to your property value, political donations, and professional licenses. No government database provides this consolidated view, but data brokers create it legally by exploiting the exemption.

Step 3: Continuous Re-Collection

Here's the loophole that makes removal nearly impossible: data brokers re-collect from public records every 3-6 months. You can successfully remove your information from a broker, but when they run their next bulk data refresh, you're re-listed with "new" data from the same public sources.

Technically, this is legal. Privacy laws regulate data collection and use, but they don't prevent repeated collection from public sources. A broker isn't violating your deletion request if they're sourcing your information from a fresh voter registration pull rather than their old database.

Based on our monitoring of removal requests across hundreds of brokers, we see re-listing patterns:

• 60-90 days: Fast re-listing from brokers with monthly public records updates
• 180 days: Standard re-listing cycle for most property-focused brokers
• Annual: Voter registration updates typically occur after each election cycle

This is why one-time opt-outs fail. The property records data broker you successfully removed from in January will re-list you in July when they refresh their county assessor data.

Common Pitfalls in Fighting the Exemption

People make predictable mistakes when trying to remove information that falls under the publicly available exemption. Understanding these pitfalls can save you months of frustration.

Pitfall 1: Assuming Privacy Laws Override Public Records

The most common misconception is that CCPA or other state laws give you the right to delete anything a data broker publishes about you. They don't. If you submit a deletion request and the broker responds with "information sourced from public records is exempt," that's likely a legally valid response.

Some brokers abuse this exemption by claiming everything is from public records even when it's not. But legitimate brokers maintain detailed provenance records showing exactly which government source provided each data point.

Pitfall 2: Not Addressing the Source

Removing your information from data brokers while leaving it in public records is like bailing water from a boat without fixing the leak. You need to address the source.

For voter registration, most states allow you to request confidential voter status if you have a qualifying reason (law enforcement, domestic violence victim, etc.). The requirements vary significantly by state, but it's worth investigating.

For property records, some states allow ownership through trusts or LLCs that obscure your personal name. This won't remove existing records but prevents future exposure. It requires legal setup and has tax implications, so it's not a casual decision.

Pitfall 3: Ignoring Re-Listing Patterns

Submitting a single opt-out request to a broker that uses public records is essentially useless. You'll be re-listed within months. Continuous monitoring and re-submission is the only practical approach.

This is the core reason services like GhostMyData exist. Manual removal is a losing game against automated re-collection. We monitor 1,500+ brokers and automatically re-submit removals when re-listing is detected. The publicly available exemption means this isn't a one-time project — it's ongoing maintenance.

Pitfall 4: Falling for Identity Verification Barriers

Some brokers create deliberately difficult identity verification requirements for opt-out requests. LexisNexis, for example, requires government-issued ID plus proof of address. Technically, this complies with CCPA's identity verification provisions, but it creates friction that discourages removal requests.

Under CCPA Section 1798.140(w), if a broker cannot verify your identity, they must treat your request as an opt-out of sale rather than deletion. Many brokers don't comply with this requirement, simply rejecting unverified requests entirely.

When we handle removals on behalf of users, we navigate these verification barriers as part of the service. But if you're doing manual removals, understand that some verification requirements are deliberately onerous to discourage compliance.

What Actually Works (And What Doesn't)

Let's be realistic about what's achievable given the legal framework.

What Doesn't Work

Demanding deletion of public records data from brokers. They have a legal exemption. Threatening legal action won't change this. Citing CCPA won't override the publicly available exemption.

One-time opt-out requests. Re-listing makes this pointless unless you're willing to repeat the process quarterly for years.

Expecting legislation to close the loophole soon. The publicly available exemption exists for legitimate reasons — journalists, researchers, and the public benefit from access to government records. Any legislation that closes the loophole for data brokers risks restricting legitimate public access. That's a hard needle to thread politically.

What Does Work

Continuous monitoring and re-submission. Accept that this is an ongoing process, not a one-time fix. Set up automated monitoring or use a service that handles it.

Reducing your public records footprint. Investigate confidential voter status in your state. Consider property ownership structures that obscure your name. Be strategic about what you file publicly.

Focusing on high-impact brokers first. Not all brokers have equal visibility. People search sites like Whitepages, BeenVerified, and Spokeo are where most casual searches happen. Prioritize those over obscure data aggregators.

Documenting re-listings and non-compliance. If a broker re-lists you immediately after deletion using the same old data (not a fresh public records pull), that may violate privacy law. Document the timeline and consider filing a complaint with your state attorney general.

With California's DROP (Delete Request Online Portal) launching in August 2026, there's a structural change coming. DROP will create a single portal to submit deletion requests to all registered California brokers, and brokers must check it every 45 days. Violations carry $200/day fines.

This won't eliminate the publicly available exemption, but it will make ongoing removal less manually intensive for California residents. Brokers will still re-list you from fresh public records pulls, but at least the removal process will be centralized.

Templates and Tactical Approaches

If you're going to attempt manual removal despite the limitations, here's how to structure your requests to maximize compliance.

Template for Initial Removal Request

Subject: CCPA Deletion Request - [Your Name]

"I am a California resident submitting a verified consumer request under the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.105.

I request deletion of all personal information you maintain about me, including but not limited to:

• Name, addresses, phone numbers, email addresses
• Family member associations
• Employment and income estimates
• Property ownership information

I understand that information sourced from public records may be exempt under Cal. Civ. Code § 1798.145(d). If you deny this request based on the publicly available exemption, please provide specific documentation of which government source and date each data element was obtained.

For any information not sourced from public records, I expect full deletion within 45 days as required by law.

[Your Name]

[Your Address for Verification]"

The key addition here is requesting documentation of provenance. Many brokers claim the exemption broadly without actually maintaining source records. Forcing them to document it may reveal that some data isn't actually from public records.

Template for Re-Listing Complaint

If you're re-listed within 90 days using data that appears to be from the broker's old database (not a fresh public records pull):

Subject: CCPA Violation - Re-Listing After Confirmed Deletion

"On [date], I submitted a deletion request under CCPA. On [date], you confirmed deletion of my personal information.

On [date], I discovered my information re-listed on your site with data that appears identical to what was deleted, including [specific data points].

CCPA does not permit re-listing from retained data after confirmed deletion. If this information was obtained from a new public records pull after [deletion date], please provide documentation of the government source and acquisition date.

If you cannot document a fresh public records acquisition, this constitutes a violation of Cal. Civ. Code § 1798.105 and I will file a complaint with the California Attorney General.

[Your Name]"

This won't work if they actually did pull fresh public records, but it forces them to prove it.

When Professional Help Makes Sense

Manual removal is theoretically possible but practically exhausting. Here's when it makes sense to stop doing it yourself.

If You're Dealing with More Than 10 Brokers

The publicly available exemption means you need continuous monitoring, not one-time removal. Monitoring 10+ brokers quarterly for re-listings is a part-time job. Our data shows the average person appears on 150-200 data broker sites. Manually managing even 10% of that is unsustainable.

If You've Experienced Identity Theft or Stalking

In high-risk situations, incomplete removal is dangerous. Missing even one broker that still publishes your address can have serious consequences. Professional services maintain comprehensive broker lists (GhostMyData monitors 1,500+ brokers compared to competitors' 35-500) and handle identity verification barriers that might trip you up.

If Your Time Has Dollar Value

Removing your information from a single broker takes 15-30 minutes including identity verification. Multiply that by 50-100 brokers, then repeat quarterly when re-listing occurs. That's 25-50 hours initially, then 25-50 hours every three months.

If your time is worth anything close to minimum wage, paying $7.49/month (currently on sale through March 31 as part of our limited-time spring privacy offer) is economically rational compared to hundreds of hours of manual work. The math is straightforward: professional removal pays for itself in time savings within the first month.

If You're Facing Verification Barriers

Some brokers require notarized identity documents, government IDs with photos, or utility bills matching your address. If you've moved recently, use a P.O. box, or don't have traditional documentation, these barriers can be insurmountable. Professional services have established relationships and verification processes that navigate these obstacles.

The Hard Truth About the Exemption

The publicly available data exemption isn't going away. It exists because there's legitimate public value in accessible government records. Journalists need property records to investigate corruption. Researchers need court records to study the justice system. Citizens need business registrations to verify who they're dealing with.

Data brokers exploit this legitimate exemption by industrializing access and cross-referencing records in ways that no individual would reasonably do. But legally distinguishing between "legitimate public access" and "exploitative data brokerage" is nearly impossible. Any law that restricts one risks restricting the other.

The First Amendment makes this even harder. Courts have generally upheld that publishing truthful information from public records is protected speech. Data brokers argue — sometimes successfully — that deletion laws unconstitutionally restrict their right to publish factual information.

This means the solution isn't primarily legislative. It's practical: continuous removal, source reduction, and strategic monitoring focused on high-impact brokers.

California's DROP portal launching in August 2026 is a step forward because it reduces the friction of ongoing removal without restricting public records access. But it won't eliminate re-listing from fresh public records pulls. That's structurally impossible without restricting the public records themselves.

If you're serious about limiting your exposure, start with a free scan to see which brokers currently list you. Focus removal efforts on people-search sites with high visibility. Consider confidential voter status if you qualify. And accept that this is ongoing maintenance, not a problem you solve once and forget.

The publicly available exemption is the loophole that won't close. Understanding how it works — and how to work within its constraints — is the only realistic path to privacy in a world where your government is inadvertently your biggest data broker.