UK tech experts · info@vividrepairs.co.uk
Vivid Repairs

The Data Broker Economy: How Your Data Is Collected, Shared and Sold

15 min readLast verified 15 July 2026

In short

Data brokers are companies that collect personal information from dozens of sources, combine it into detailed profiles, and sell those profiles to advertisers, insurers, employers and others. Most UK adults have never heard of them, yet have profiles with hundreds of data points. UK GDPR gives you the right to see, correct and request deletion of your data, though removing yourself from every broker is genuinely difficult and requires ongoing effort. This piece explains how the industry works and gives you practical steps to reduce your exposure.

The industry you have never heard of

There is an entire economy built around you, and you were never asked to join it.

Data brokers are companies whose core business is collecting personal information about individuals, combining it with data from other sources, and selling the resulting profiles to whoever will pay. They do not make apps you use or services you sign up for. Most of them have no direct relationship with you at all. You have probably never typed their names into a search bar. And yet, right now, several of them hold files on you that are more detailed than anything your GP, your bank or your employer has on record.

The industry is large. Researchers and journalists who have investigated it describe hundreds of companies operating globally, with the largest holding records on billions of individuals. The UK market is smaller but well-established, fed by a mix of homegrown operators and the UK arms of American and European firms.

The reason most people have not heard of this industry is simple: it has no reason to introduce itself. Its customers are businesses, not consumers. Its product is you, not something it sells to you. That invisibility is part of how it functions.

Practical takeaway: Search your full name in quotation marks on a search engine. Add your town. The results, particularly any people-search or address-lookup sites that appear, are a rough first glimpse of what is publicly visible about you.

Where brokers get your data

The honest answer is: almost everywhere. But it helps to understand the specific pipelines, because that knowledge is what makes the later opt-out steps make sense.

Apps and digital services

Many free apps collect far more than they need to run the service. Location history, browsing habits, purchase behaviour, even the other apps installed on your phone. Some of this data is sold directly by the app developer. Some is collected by advertising software development kits (SDKs) embedded inside the app, which funnel data back to third-party ad-tech companies. Those companies are often data brokers, or they sell to them. The mechanisms by which companies track you online feed directly into broker databases.

Public records

The UK has a surprisingly rich ecosystem of public records. The edited version of the electoral register, which local councils are legally required to make available for sale, is one of the oldest and most widely used sources. Companies House filings name directors and, historically, their home addresses. Land Registry records show property ownership. County court judgments are publicly searchable. Brokers harvest all of this systematically.

You can opt out of the edited electoral register when you register to vote, or at any point afterwards by contacting your local council. This is worth doing. The full register, used only for elections and credit checks, is not sold commercially.

Loyalty cards and purchase data

When you use a supermarket loyalty card, the retailer builds a detailed picture of what you buy, how often, in which stores and at what price points. Some retailers sell anonymised or pseudonymised versions of this data. In practice, a dataset that includes your postcode, age bracket, household composition and purchasing patterns is not very anonymous at all. Researchers have demonstrated repeatedly that even supposedly anonymised datasets can be re-identified when combined with other sources.

Connected devices and cars

This is a newer and rapidly growing pipeline. Modern cars with internet connectivity can transmit location data, journey records, speed, braking patterns and more to manufacturers. Some manufacturers have shared or sold this data to insurers. In the United States, investigative journalists at the New York Times and researchers at Mozilla documented specific cases of car data reaching broker networks without drivers' knowledge. UK regulators have not yet produced the same depth of public documentation, but the technical pipelines are identical.

Smart home devices, fitness trackers and health apps present similar questions. The data that social media platforms collect is another significant input, whether through direct data partnerships or through the ad-tech ecosystem those platforms participate in.

Data enrichment and broker-to-broker trading

Brokers also buy from each other. One company might specialise in electoral data; another in purchase behaviour; a third in online activity. They trade and merge these datasets, a process called data enrichment, to build profiles that are more complete than any single source could provide. This is why a broker who has never had any direct contact with you can still hold a surprisingly complete picture.

Practical takeaway: Opt out of the edited electoral register if you have not already. Contact your local council or check your annual household enquiry form. It takes a single letter or online request and removes one of the most widely traded data sources.

What a broker profile of you actually contains

It varies by broker, but the categories researchers have documented are striking in their breadth.

A typical profile might include your full name, current and previous addresses, date of birth, phone numbers, email addresses, estimated household income, home ownership status, relationship status, number of children, vehicle ownership, political affiliation (inferred or stated), religious beliefs (inferred), health conditions (inferred from purchase data or app usage), shopping habits, estimated net worth, credit risk score, employment history and social media handles.

Some brokers go further. Researchers at Duke University's Sanford School of Public Policy published a 2023 study examining US data brokers and found categories including mental health conditions, whether someone had experienced domestic violence, and financial distress indicators. UK brokers operate under stricter legal constraints around sensitive categories, but the underlying data collection infrastructure is often shared with or derived from the same global networks.

The profile is not a single document sitting in one place. It is a distributed set of records held by dozens of different companies, each with slightly different versions of the same underlying facts. That is part of what makes it hard to remove.

Practical takeaway: Send a subject access request to one data broker you have heard of, or one that appeared in your name search. Reading an actual profile of yourself is the most effective way to understand what this industry holds. The next section explains how to do this properly.

Who buys it, and what it costs

The customer list is broader than most people expect.

Advertisers and marketing agencies are the largest buyers by volume. They use broker data to target ads, build lookalike audiences and suppress people who have already bought a product from seeing acquisition campaigns. Much of what feels like uncanny ad targeting is broker data at work.

Insurers have a significant and growing interest. Telematics insurers use driving data directly. But some insurers have explored using broader lifestyle and purchase data to inform risk assessments. The UK's Financial Conduct Authority has scrutinised certain uses of data in insurance pricing, and the ICO has issued guidance on what is permissible. Whether every insurer stays within those lines is a different question.

Employers and background check companies use broker data to supplement formal checks. This is particularly common in sectors with high security requirements, though the legal basis for using inferred or purchased data in employment decisions is genuinely murky under UK GDPR.

Political campaigns and lobbying organisations have used broker data for voter targeting. The Cambridge Analytica scandal, which involved UK voters' data, brought this into public view. The ICO investigated and found widespread misuse of personal data in political advertising.

Debt collectors and skip tracers use people-search data to locate individuals. This is a legitimate use in some circumstances and an intrusive one in others.

Scammers and fraudsters also access broker data, sometimes through legitimate-looking business accounts, sometimes through data breaches of broker databases themselves. Several large brokers have suffered significant breaches. A fraudster with your name, address, date of birth, phone number and partial financial data has most of what they need for identity fraud or a convincing phishing call.

As for cost: bulk data is sold at fractions of a penny per record for large datasets. Individual people-search lookups on consumer-facing sites cost a few pounds per report. The economics mean that even small operators can afford to buy and use this data.

Practical takeaway: If you receive a suspicious phone call where the caller knows details about you that feel too specific, a broker profile is a plausible source. The NCSC's guidance on suspicious calls and messages is worth bookmarking.

Your UK rights: what GDPR really lets you demand

UK GDPR gives you several rights that apply directly to data brokers. They are real rights with legal force, not suggestions. But they have limits, and understanding both sides is more useful than either false confidence or despair.

The right of access (subject access request)

Under Article 15 of UK GDPR, you can ask any organisation processing your personal data to tell you what data they hold, where they got it, what they use it for, and who they share it with. This is a subject access request, usually called a SAR. The organisation has one calendar month to respond. They cannot charge you for a standard request. If the request is complex or you have sent multiple requests, they can extend by a further two months, but they must tell you this within the first month.

The right to erasure

Article 17 gives you the right to request deletion of your personal data in certain circumstances: where the data is no longer necessary for the purpose it was collected, where you withdraw consent and there is no other legal basis, or where the data has been unlawfully processed. Data brokers often claim a legitimate interest in holding your data, which they argue overrides your erasure request. This claim is not automatically valid. The ICO's guidance on the right to erasure explains when legitimate interest holds up and when it does not.

The right to object

Article 21 lets you object to processing based on legitimate interest, including processing for direct marketing purposes. An objection to direct marketing must be honoured immediately and without question. An objection to other legitimate interest processing requires the organisation to stop unless they can demonstrate compelling grounds that override your interests.

The right to rectification

If a broker holds inaccurate data about you, you can require them to correct it. Given how much broker data is inferred or derived from out-of-date records, this right is more useful than it might sound.

What GDPR does not do

It does not give you the right to know every organisation in the world that holds your data. You have to know who to ask. It does not automatically delete your data the moment you request it. And it does not prevent brokers from re-acquiring your data from other sources after they have deleted it. That last point is worth sitting with.

Practical takeaway: Bookmark the ICO's Your Data Matters hub. It has plain-English explanations of each right and template language for requests. If a broker ignores or refuses your request without a valid reason, you can complain to the ICO directly at no cost.

How to run a subject access request that gets answered

A poorly worded SAR is easy to mishandle. A clear, specific one is much harder to ignore.

Start by identifying the organisation's data protection contact. Under UK GDPR, any organisation processing personal data at significant scale must appoint a Data Protection Officer (DPO) or have a named contact for data requests. This is usually in their privacy policy. If you cannot find it, address your request to the company's registered address marked for the attention of the Data Protection Officer.

Write a short, clear letter or email. State that you are making a subject access request under Article 15 of UK GDPR. Include your full name, current address, and any previous addresses or email addresses that might be associated with your record. Provide enough identifying information for them to find you, but do not send copies of identity documents unless they specifically ask and have a clear reason to need them. The ICO's guidance on subject access requests confirms that organisations can only ask for identity verification if they have reasonable doubts about who you are.

Note the date you sent it. One calendar month starts from that date. If you do not receive a response, send a follow-up referencing the original request date and noting that the legal deadline has passed. If there is still no response, raise a complaint with the ICO. The ICO does act on these complaints, though its caseload means timelines vary.

When the response arrives, read it carefully. Check whether the data held matches what you expected. Look at the stated legal basis for processing. If they claim legitimate interest, ask yourself whether that claim is plausible for the specific use. If something looks wrong or the response feels incomplete, you can ask for clarification or raise it with the ICO.

One realistic note: some smaller broker and people-search companies will simply not respond, or will send a holding reply and then go quiet. This is unlawful, but enforcement takes time. Document everything. A pattern of non-compliance is exactly what the ICO investigates.

Practical takeaway: Send your first SAR this week. Pick one broker or people-search site. The process takes about fifteen minutes to initiate and the response will teach you more about this industry than any article can.

Opting out: the major brokers and UK people-search sites

There is no single opt-out that covers the whole industry. Each broker has its own process. Some are straightforward; some are deliberately cumbersome. That is not an accident.

UK people-search sites

Sites that aggregate names, addresses and related information for UK residents include 192.com, BT Phone Book (now part of Yell), and various smaller operators. Most have an opt-out or suppression process, usually found in their privacy policy or a dedicated data removal page. For 192.com, the process involves submitting a removal request through their website and may require you to verify your identity. Check their current privacy policy for the live process, as these change.

The electoral register opt-out, mentioned earlier, removes one of the primary sources these sites draw from, which reduces how quickly your record reappears after removal.

Credit reference and data enrichment companies

Experian, Equifax and TransUnion all hold data on UK adults and all have subject access and suppression processes. These companies operate under both UK GDPR and specific financial regulation, which means their processes are generally more responsive than smaller brokers. Each has an online portal for data requests. You are entitled to a free statutory credit report from each of them, which shows a significant portion of what they hold.

Experian also operates a marketing services division separate from its credit business, which sells data to advertisers. You can opt out of this separately. Look for their marketing opt-out page, distinct from the credit report section.

Acxiom

Acxiom is one of the largest data brokers operating in the UK. They have a consumer portal called AboutTheData (primarily US-facing) and a separate UK data rights process through their privacy policy. Submit a request via their UK contact channel citing Article 17 of UK GDPR. Their response rate has improved since increased regulatory scrutiny, but follow up if you do not hear within the statutory period.

Oracle Data Cloud and LiveRamp

Both operate in the UK market. Both have opt-out and data request mechanisms accessible from their privacy policies. These are primarily B2B operations, so their consumer-facing pages are less prominent, but they exist and they are legally required to honour valid requests.

Direct marketing suppression services

The Mailing Preference Service (MPS), run by the Direct Marketing Association UK, allows you to register to stop unsolicited direct mail. The Telephone Preference Service (TPS) does the same for unsolicited sales calls. Neither covers all brokers and neither removes your underlying data, but they reduce the practical effect of it being traded for marketing purposes. Both are free to register with.

The whack-a-mole problem

Here is the honest part. Even if you successfully remove yourself from every broker you can identify, your data will likely reappear. Brokers re-acquire data continuously from the sources described earlier. If you continue using loyalty cards, apps with location permissions, or services that share data with third parties, the pipeline refills. Some brokers also restore deleted records when they receive a fresh data feed containing your information, treating the new feed as an update rather than a conflict with your deletion request. This is legally questionable under UK GDPR but it happens.

This is not a reason to give up. Reducing your broker profile makes you a less attractive and less complete target. It limits what can be sold about you and what a fraudster or an intrusive employer can find. But it requires ongoing attention, not a one-time fix.

Practical takeaway: Register with the MPS and TPS today if you have not already. Then work through broker opt-outs methodically, starting with the ones that appeared in your name search. Keep a simple log of who you contacted and when, so you can follow up and track reappearance.

Keeping your footprint small from here

Prevention is easier than removal. Not perfectly easy, but meaningfully easier.

The most effective single habit is being selective about what you share when signing up for services. A competition entry, a loyalty card, a free app: each is a potential data source. Ask whether the service is worth the data it will collect. Often it is not.

Review the app permissions on your phone. Location access granted to an app you use occasionally is a continuous data feed. Most apps function perfectly well without always-on location, contacts access or access to your photo library. Both iOS and Android let you audit and restrict permissions by app.

Consider using a separate email address for commercial signups. This does not prevent data collection, but it limits the enrichment that comes from linking your commercial activity back to your primary identity. It also makes it easier to spot which company sold your address when spam arrives.

Browser privacy matters too. The tracking infrastructure that feeds broker databases often operates through cookies, pixels and fingerprinting techniques. A privacy-respecting browser with sensible default settings reduces this significantly. The Mozilla Foundation's privacy resources explain what these mechanisms are and what browser settings address them. Similarly, a VPN (the category of tool, not any specific product) can obscure your IP address from the trackers embedded in websites, though it does not address data you actively provide to services.

Check your social media privacy settings periodically. The data that social platforms collect and share is one of the more controllable inputs into the broker ecosystem, because the platforms themselves offer settings that limit third-party data sharing, even if those settings are not prominently advertised.

Finally, set a reminder to repeat your broker opt-outs every twelve months. Not because you failed the first time, but because the industry refills its records and your opt-out status does not last forever at many companies.

None of this is about achieving perfect privacy, which is neither realistic nor necessary. It is about making informed choices and reducing the amount of your life that circulates as a commodity without your knowledge or meaningful consent. That is a reasonable thing to want. And it is more achievable than the industry would prefer you to believe.

Practical takeaway: Spend ten minutes this week reviewing app permissions on your phone. Revoke location access for any app that does not genuinely need it to function. It is one of the highest-impact, lowest-effort changes you can make to your data footprint.

Questions people ask

Is it legal for data brokers to sell my personal information in the UK?
It can be legal, but only if they have a valid legal basis under UK GDPR. Many brokers rely on 'legitimate interest' as their basis, which is permissible in some circumstances but must be balanced against your rights and interests. Where brokers process sensitive categories of data, such as health information, the legal bar is higher. The ICO has the power to investigate and fine brokers who cannot demonstrate a lawful basis.
How do I find out which data brokers have information about me?
There is no central registry, which is one of the more frustrating aspects of this industry. A practical starting point is searching your name in quotation marks alongside your town in a search engine, which surfaces people-search sites. You can then send subject access requests to those companies and to the major brokers such as Experian, Equifax, TransUnion and Acxiom. Each response will sometimes name other organisations they share data with, which gives you a trail to follow.
Can I make data brokers delete my information under UK law?
Yes, under Article 17 of UK GDPR you can request erasure in certain circumstances, including where the data is no longer necessary for its original purpose or where you object to processing based on legitimate interest. Brokers may push back by asserting their legitimate interest, but this claim is not automatically valid and you can challenge it via the ICO. The honest caveat is that deletion is not permanent: brokers often re-acquire data from ongoing sources, so your record may reappear over time.
What is a subject access request and how long does it take?
A subject access request (SAR) is a formal request under Article 15 of UK GDPR asking an organisation to tell you what personal data they hold about you, where they got it, and what they use it for. The organisation has one calendar month to respond, extendable by two further months for complex cases. It is free to make and you do not need a solicitor. The ICO provides template wording on its website.
Do loyalty card schemes sell my shopping data to data brokers?
Some retailers do share or sell aggregated and pseudonymised purchase data with third parties, including data enrichment companies. The specifics depend on the retailer's privacy policy, which should disclose this. Even pseudonymised purchase data can be re-identified when combined with other sources such as your postcode and age bracket. Checking the privacy policy of any loyalty scheme you use will tell you what they claim to share, and you can object to third-party sharing under UK GDPR.
What is the edited electoral register and should I opt out?
The electoral register exists in two versions. The full register is used only for elections and statutory credit checks. The edited register is a version that local councils are required to make available for commercial sale, and it is one of the most widely traded sources of name and address data in the UK. You can opt out of the edited register at any time by contacting your local council, and doing so does not affect your right to vote or your ability to pass a credit check.
Can data brokers share my information with scammers or fraudsters?
Not intentionally, but it happens in practice through two routes. First, fraudsters sometimes set up businesses that purchase broker data through legitimate-looking commercial accounts. Second, data brokers have been the target of significant data breaches, exposing records to criminal actors. A fraudster with your name, address, date of birth and phone number has most of the ingredients for identity fraud or a convincing impersonation call. Reducing your broker profile limits the damage any single breach can cause.

← All Vivid Zero guides