Case Study: The Data Broker Industry: A Hidden Economy
"Data brokers operate in the shadows. They collect, aggregate, and sell the personal information of hundreds of millions of Americans, yet most people have never heard of them." — Chairwoman Edith Ramirez, Federal Trade Commission, 2014
Overview
Most people have never heard of Acxiom, Epsilon, Oracle Data Cloud, or LexisNexis Risk Solutions. Yet these companies — and hundreds like them — maintain detailed profiles on virtually every American adult, compiling data from public records, commercial transactions, online activity, and purchased datasets into profiles containing hundreds or thousands of data points per person. The data broker industry generates billions of dollars in annual revenue by selling, licensing, and sharing personal data with marketers, financial institutions, insurers, employers, law enforcement agencies, and other data brokers. This case study examines how the industry works, who its major players are, how it is (and is not) regulated, and what the Vermont Data Broker Registry revealed when it pulled back the curtain on an industry that had long preferred to remain invisible.
Skills Applied:
- Analyzing the economics of data markets using concepts from Section 11.4
- Identifying information asymmetries in multi-party data transactions
- Evaluating transparency and accountability mechanisms for data markets
- Connecting data brokerage to the broader themes of privacy externalities and market failure
The Industry: Structure and Scale
What Data Brokers Do
A data broker is a company that collects personal information from various sources and sells, licenses, or shares that information with other companies. The individuals whose data is traded typically have no direct relationship with the data broker, no knowledge that the transaction is occurring, and no practical way to discover what is held about them.
The FTC's landmark 2014 report, "Data Brokers: A Call for Transparency and Accountability," identified approximately 4,000 data brokerage firms operating in the United States. The industry is far larger and more varied than most people realize, ranging from massive corporations with billions in revenue to small firms that specialize in a single data niche.
The Major Players
Acxiom (now LiveRamp). Founded in 1969 in Conway, Arkansas — originally as a direct mail processing company — Acxiom grew into one of the world's largest data brokers. At its peak, Acxiom claimed to maintain profiles on approximately 700 million consumers worldwide, with an average of over 1,500 data points per U.S. consumer. These data points span demographics, purchase behavior, financial indicators, property records, vehicle registrations, media consumption, online activity, and inferred characteristics (political affiliation, health interests, lifestyle preferences).
In 2018, Acxiom sold its marketing services division (including its consumer database) to Interpublic Group for $2.3 billion and rebranded as LiveRamp, focusing on data connectivity services — helping companies link their own customer data to external data sources. The sale itself illustrated the economic value of the data: a single company's consumer database was worth $2.3 billion.
Epsilon. Epsilon, a subsidiary of Publicis Groupe (one of the world's largest advertising holding companies), is one of the largest marketing data providers in the United States. Epsilon maintains a consumer database covering over 250 million individuals and processes billions of transactions annually. Its data products include consumer profiles used for targeted advertising, customer loyalty program management, and predictive analytics. Publicis Groupe acquired Epsilon in 2019 for $4.4 billion — placing an explicit price tag on the value of consumer data assets.
LexisNexis Risk Solutions. A division of RELX Group, LexisNexis Risk Solutions specializes in risk assessment, identity verification, and fraud prevention. Its databases combine public records (court filings, property records, voter registrations, professional licenses), commercial data (credit applications, insurance claims), and aggregated consumer data. LexisNexis is used extensively by law enforcement, financial institutions, and insurance companies. Notably, LexisNexis's relationship with law enforcement creates a pathway for government access to commercial data that might otherwise require a warrant — a point raised by civil liberties organizations.
Oracle Data Cloud (formerly BlueKai and Datalogix). Oracle entered the data brokerage market through acquisitions, purchasing both BlueKai (online behavioral data) and Datalogix (offline purchase data) in 2014. Oracle Data Cloud combined online browsing behavior with offline purchase records, creating a comprehensive view of consumer activity across digital and physical worlds. In 2020, following GDPR concerns and increased regulatory pressure, Oracle announced the shutdown of its third-party advertising data business — a significant retreat that signaled the regulatory headwinds facing the industry.
How the Data Flows
The data broker ecosystem operates through layered collection, aggregation, and distribution:
Collection tier. Data enters the ecosystem from hundreds of sources:
- Public records (voter registrations, property deeds, court filings, birth and death records, professional licenses)
- Commercial transactions (loyalty card purchases, warranty registrations, catalog orders, magazine subscriptions)
- Online tracking (cookies, device fingerprints, app SDKs, social media activity)
- Self-reported data (surveys, sweepstakes entries, product registrations)
- Purchased data (from apps, websites, and other brokers)
- Inferred data (derived from algorithms that predict characteristics — income level, political affiliation, health conditions — based on observable behavior)
Aggregation tier. Brokers match data from different sources to build unified consumer profiles. This process — called "identity resolution" or "data onboarding" — links offline identity (name, address, phone number) to online identity (device IDs, cookie IDs, email addresses), creating a single profile that spans a person's digital and physical life.
Distribution tier. Aggregated profiles are sold, licensed, or shared with:
- Marketers and advertisers (for targeted campaigns)
- Financial institutions (for credit risk assessment and fraud detection)
- Insurance companies (for risk modeling and pricing)
- Employers (for background checks)
- Law enforcement (for investigations, sometimes without warrants)
- Political campaigns (for voter targeting)
- Other data brokers (for further aggregation)
The Economics
The data broker industry generates estimated revenue of $200-250 billion annually in the United States, though precise figures are difficult to determine because the industry is fragmented and many transactions are private. Revenue models include:
- Per-record pricing. Brokers charge per consumer record accessed, with prices ranging from fractions of a cent (for basic demographic segments) to several dollars (for detailed financial or health-related profiles).
- Subscription licensing. Large customers pay annual fees for ongoing access to consumer databases.
- Custom analytics. Brokers sell not just raw data but analytical products — predictive models, consumer segments, and look-alike audience profiles.
- Identity resolution services. Companies pay brokers to match their own customer records to broader datasets, enriching their internal data with external attributes.
The Categories of Harm
Marketing and Price Discrimination
Data brokers enable practices that most consumers would find troubling if they understood them. One example is personalized pricing — the practice of charging different consumers different prices for the same product based on their data profile. A consumer identified as affluent, living in a high-income ZIP code, and recently searching for luxury goods might see higher prices than a consumer with a different profile. This is not hypothetical — it has been documented in airline pricing, hotel booking, and e-commerce.
Financial Exclusion
When financial institutions use data broker profiles for credit decisions — beyond traditional credit reports regulated by the Fair Credit Reporting Act (FCRA) — consumers can be denied credit, insurance, or employment based on data they have never seen and cannot dispute. The FTC's 2014 report found that some data broker products were used in ways that appear to fall under FCRA requirements but were marketed as falling outside the Act's scope.
Surveillance by Proxy
Data broker records are routinely purchased by law enforcement agencies, sometimes circumventing the warrant requirements of the Fourth Amendment. If the government cannot legally compel a technology company to produce location data without a warrant (as established in Carpenter v. United States, 2018), it can instead purchase similar data from a data broker who obtained it commercially — exploiting the "third-party doctrine" and the absence of legislation specifically regulating government purchase of commercial data.
Vulnerable Populations
Data brokers have been documented selling lists specifically categorized by vulnerability: "Rural and Barely Making It" (consumers in financial distress), "Suffering Seniors" (elderly people with health problems), and "Ethnic Second-City Strugglers" (minority consumers in mid-size cities). These lists have been used to target predatory lending, dubious health products, and financial scams at the people least equipped to resist them.
The Vermont Data Broker Registry: Pulling Back the Curtain
What Vermont Did
In 2018, Vermont became the first U.S. state to require data brokers to register with the government. Act 171, the Vermont Data Broker Law, defined a data broker as a business that "knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship." The law required registered brokers to:
- Provide their name, contact information, and a description of their data practices
- Disclose whether they allow consumers to opt out of their databases
- Implement minimum data security standards
- Report data breaches to the state
What the Registry Revealed
The Vermont registry provided the first comprehensive public accounting of the data broker industry's scope. Key findings:
Scale. By 2023, over 370 data brokers had registered with Vermont — a number that likely understates the total, since many small brokers may not be aware of or comply with the requirement.
Diversity. Registered brokers ranged from multinational corporations (Acxiom, Experian, TransUnion) to specialized firms focused on narrow data categories (rental history, social media monitoring, political data, health conditions).
Opt-out gaps. While many registered brokers claimed to offer opt-out mechanisms, the processes were often burdensome, requiring consumers to submit requests individually to each broker — an impossible task given the number of brokers that hold data on any given consumer. Some brokers' opt-out processes required providing additional personal information (driver's license, Social Security number) to verify identity, creating the paradox of surrendering more data in order to limit data collection.
Limited enforcement. Vermont allocated minimal resources to enforcing the registry requirements. The law did not include a private right of action (consumers cannot sue brokers directly for violations), and penalties for non-compliance were modest.
The Significance
Despite its limitations, the Vermont registry established an important precedent: the principle that data brokers should be visible and accountable to the public and to government. Before Vermont, data brokers operated with no registration requirement, no disclosure obligation, and no minimum security standards in most U.S. jurisdictions. The registry made it possible, for the first time, for journalists, researchers, and policymakers to identify specific companies operating in the data brokerage space and to begin evaluating their practices.
Other states have followed Vermont's lead. California's CCPA and its successor, the CPRA, include data broker registration requirements. The FTC and several federal legislative proposals have called for federal data broker regulation.
International Comparison
GDPR and Data Brokers
The EU's GDPR does not use the term "data broker," but its requirements apply directly to data brokerage activities. Under the GDPR:
- Data brokers must have a lawful basis for processing personal data (Article 6). Consent of the data subject is one basis, but the sweeping, non-transparent collection characteristic of data brokers makes valid consent nearly impossible to obtain.
- The right to access (Article 15) requires data brokers to tell individuals what data they hold about them — upon request.
- The right to erasure (Article 17) allows individuals to demand deletion of their data under certain conditions.
- The right to object (Article 21) allows individuals to object to processing based on legitimate interests.
In practice, GDPR enforcement against data brokers has been uneven, and many U.S.-based brokers simply stopped serving European markets rather than comply.
The Structural Problem
The fundamental economic challenge of regulating data brokers is that the individuals whose data is traded have no visibility into, voice in, or bargaining power over the transactions. Traditional consumer protection assumes a relationship between buyer and seller — but in the data broker market, the "product" (the consumer) is not a party to the transaction. The buyer (the marketer, insurer, or law enforcement agency) and the seller (the data broker) transact without the knowledge or consent of the person whose data is exchanged.
This structure is not an accident — it is the business model. Data brokerage is profitable precisely because it aggregates and sells data that individuals did not knowingly provide and would not consent to sharing if asked. Transparency and informed consent are not merely lacking; they are incompatible with the industry's economic logic.
Discussion Questions
- The invisible market. Most Americans have never heard of Acxiom, Epsilon, or LexisNexis Risk Solutions, yet these companies hold detailed profiles on nearly all of them. Why is this market so invisible? What structural features of the data broker industry prevent consumers from being aware of it? Could greater transparency change consumer behavior, or would the privacy paradox persist?
- The vulnerability problem. Data brokers have been documented selling lists of "Suffering Seniors" and "Rural and Barely Making It" consumers to companies selling predatory products. Is this ethically different from targeted advertising in general? If so, where would you draw the line between acceptable targeting and predatory targeting? What regulatory mechanism could enforce that line?
- The law enforcement question. If the government cannot legally obtain location data without a warrant (per Carpenter v. United States), should it be able to purchase equivalent data from a data broker? How should the law address the gap between Fourth Amendment protections and the commercial data market?
- Vermont as a model. The Vermont Data Broker Registry provides transparency but limited enforcement. Is transparency alone sufficient to address the harms of data brokerage, or are stronger regulatory tools (licensing, data minimization requirements, purpose limitations, consumer approval for sales) needed? What would a comprehensive federal data broker law look like?
Your Turn: Mini-Project
Option A: The Opt-Out Experiment. Select three data brokers from the Vermont registry (or from any published list of data brokers). Attempt to exercise your opt-out rights with each. Document: (a) how easy it was to find the opt-out process, (b) what information you were required to provide, (c) how long the process took, (d) whether you received confirmation that your data was removed, and (e) whether the process was burdensome enough to constitute a barrier. Write a one-page analysis of your experience and what it reveals about the practical effectiveness of opt-out rights.
Option B: Data Broker Economics. Using publicly available financial data (SEC filings, news reports, analyst estimates), research the revenue model of one major data broker (Acxiom/LiveRamp, Epsilon/Publicis, LexisNexis/RELX, or Oracle Data Cloud). Write a two-page analysis covering: (a) the company's total data-related revenue, (b) the sources of its data, (c) its major customer segments, (d) how it prices its products, and (e) what share of its revenue would be affected by a comprehensive data minimization regulation.
Option C: The Consumer Profile. Request your consumer profile from at least one data broker that offers a data access mechanism (Acxiom/LiveRamp and some others provide this). Review what data they hold on you. Write a two-page analysis covering: (a) what data was accurate, (b) what data was inaccurate, (c) what data surprised you, (d) what the data reveals about the inferences the broker has drawn about you, and (e) what rights you have to correct or delete the data under current law.
References
- Federal Trade Commission. "Data Brokers: A Call for Transparency and Accountability." FTC Report, May 2014.
- Vermont Secretary of State. "Data Broker Registry." https://sos.vermont.gov/data-brokers/
- Sherman, Justin. "Data Brokers and Sensitive Data on U.S. Individuals." Duke Technology Policy Lab, 2021.
- Christl, Wolfie. "Corporate Surveillance in Everyday Life." Cracked Labs, Vienna, 2017.
- Dixon, Pam, and Robert Gellman. "The Scoring of America: How Secret Consumer Scores Threaten Your Privacy and Your Future." World Privacy Forum, 2014.
- Carpenter v. United States, 585 U.S. ___ (2018).
- Ramirez, Edith (FTC Chairwoman). "The Privacy Challenges of Big Data: A View from the Lifeguard's Chair." Keynote Address, Technology Policy Institute Aspen Forum, August 2013.
- Singer, Natasha. "Mapping, and Sharing, the Consumer Genome." The New York Times, June 16, 2012.
- Pasquale, Frank. The Black Box Society: The Secret Algorithms That Control Money and Information. Cambridge, MA: Harvard University Press, 2015.