The murky world of data brokers

Most people know that Google, Meta and other tech giants have an insatiable voracity for information. But they probably know little about the shadowy market where personal information is bought and sold by data brokers — enigmatic companies that diligently build vast databases of user information to sell. These businesses plumb the depths of public and private domains, crawl though social networks, vacuum up browsing histories, and buy data from demographic censuses and health records. Kaspersky cybersecurity expert Marc Rivero succinctly describes what these data brokers do. “They collect user data, which includes digital identities and browsing histories. Then they sell it to other companies that exploit the information.”

They are not just data sellers. Hicham Qaissi, a professor at Madrid’s Polytechnic University and director of IT projects at Docaposte, says that data brokers also offer customized analysis services. “If a company needs to identify the best location for a business they want to open, they can buy valuable information to guide that decision.” User data can be used to identify potential clients, refine advertising and enrich market studies.

People often differentiate between data brokers and companies like Google, Facebook and X (formerly Twitter) that gather data and share it with third parties for targeted ads. Nevertheless, the line isn’t always clear to everyone. “When you think about it, what’s the difference between giving away data and selling it? To me, they’re both data brokers, although most people only call the company that sells data a broker,” said Rivero. But he also acknowledges that when users accept a Terms of Use agreement, they are more aware that their data will be used somehow. They usually don’t know that it could be sold to a third party.

Data brokers have been around the internet for a while now. Back in 2007, a report from the U.S. Congressional Research Service highlighted the concerns surrounding the vast amount of personal information they collect and the inappropriate access to that data. And their presence has only grown since then. According to Transparency Market Research, the global data brokers market reached $240 billion in 2021 and is expected to reach $462 billion by 2031, an annual growth rate of 6.8%.

Most data brokers are relatively unknown to the public. Some of the biggest ones named in the Transparency Market Research report are Acxiom, Experian, Equifax, CoreLogic, Epsilon and LexisNexis. EL PAÍS contacted some of these companies for comment but received little response, except that CoreLogic denied being in the data brokering business and the Spanish subsidiary of Experian said they do not act as a data broker in Spain.

Comprehensive user profiles

Data brokers handle more than just traditional demographic profiles. They collect and store information such as first and last names, age, postal address, gender and socioeconomic indicators. “Psychographic analyses are in big demand now,” said Qaissi. “They will analyze the residents of a metropolitan area in Paris, for example, and gather insights into their preferences, shopping habits, dining choices, leisure activities, sports activities and average age of marriage.”

Qaissi explains that a bank could use a psychographic analysis to offer financial products tailored to a target group of clients. To create these psychographic profiles, brokers collect data from various sources. “Like when you enter personal information into an online form, when you accept cookies on a website, when you use a hotel’s WiFi...” said Qaissi. What happens when you access a WiFi network with Google or Facebook login credentials? “You’re basically giving away information, like you’re a 45-year-old man with this email address who vacations on the Costa Brava.”

This data is extracted and standardized so it can be loaded into a well-organized database, ready for analysis and processing with machine learning. Some of this information is shared with third parties for targeted advertising, often in the form of email marketing. A few years ago, there was a scandal when certain unethical practices were revealed. “Cambridge Analytica is an example of the access that third-parties have to data on Facebook, now Meta,” said Rivero, referring to the uproar over information manipulation on Facebook during the 2016 U.S. elections. The term “data broker” wasn’t used when the scandal broke, but their role in enabling precise targeting of political messages later became apparent.

The European Union’s illusion of privacy

The European Union’s General Data Protection Regulation (GDPR) was enacted to ensure a high level of user privacy. Its protections should be sufficient to prevent data brokers from obtaining personal information. However, in practice, there are loopholes that allow these companies to operate and act outside EU borders.

“It’s easy for these companies to access personal information, either through social networks, by phishing [impersonating a legitimate website to obtained personal information], illegal hacking, and more,” said Qaissi. “Accessing, storing and analyzing this data is prohibited in Europe. But maybe not in Türkiye.” He says data brokers located outside the EU can collect data on European users and sell it to companies operating within the EU.

“Data buyers can’t legally do it here [in the EU], but they can get it elsewhere. We are talking about maybe a five- megabyte file with information on 5,000 potential clients. A little file you can send by email,” said Qaissi. As easy as an email attachment.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition