How do data brokers get rich off your back?

It's a fairly murky business, to be honest. Most internet users have never even heard the term "data broker" — and yet these companies probably know more about us than our own friends do. Here's how the invisible market for privacy actually works, and why GDPR alone isn't enough to push it back.

TL;DR

Data brokers are companies that collect your purchase histories, clicks, locations and social interactions to resell them as targeted profiles. The average user is targeted by several hundred trackers a day (CNIL). GDPR gives you the right to demand erasure, but you have to contact each broker one by one — which is exactly why automated services like Sheeldy exist.

Section 01

The vast invisible market for privacy

When you browse, you leave traces. A lot of them. Data brokers are companies whose sole business model is to vacuum up those crumbs of information, cross-reference them and resell them as ultra-targeted profiles. According to the CNIL (France's data protection authority), the average user is targeted by hundreds of trackers every day.

~4,000 data brokers identified globally according to Privacy International. The biggest ones (Acxiom, Experian, Oracle, LiveRamp) hold profiles on more than 700 million people.

The real problem is that you feel like you gave consent by clicking "Accept" on a cookie banner written in deliberately confusing language. Except data is often resold in cascade: you hand your email to an e-commerce site, it lands at a broker, who resells it to advertisers, recruiters, insurers or even political marketing agencies.

Section 02

Cascading resale: one email, ten brokers

The mechanism is simple, and that's exactly what makes it so effective. At each step, your data gains value because it gets enriched by other sources:

  1. Collection: you hand over your email to grab a 10% discount on an e-commerce site.
  2. Commercial sharing: that site shares your profile with its ad partner to measure its campaigns.
  3. Aggregation: a broker cross-references that email with your purchase history, approximate location pulled in by a weather app, and an estimated age inferred from your Facebook activity.
  4. Resale: the broker sells that enriched profile to several ad networks, which then resell it to the end advertisers.
  5. Recycling: your profile ends up in databases used for cold prospecting, informal credit scoring, or worse — aggressive cold-calling.

At every step, you lose the thread. And that's precisely why GDPR provides a right to erasure: to let you walk that chain back and cut it.

Section 03

The types of data they collect

If you think "just your email" isn't worth much, take a look at what a broker can attach to that single identifier:

Category | Concrete examples | Typical source
Identity | Full name, date of birth, gender, marital status | Forms, public records
Contact | Email, phone, postal address, social accounts | E-commerce, loyalty programmes, data breaches
Financial | Estimated income bracket, purchase history, credit behaviour | Partner banks, loyalty programmes
Behaviour | Sites visited, searches, session length, devices used | Third-party cookies, mobile app SDKs
Location | Places visited, commute routes, travel | Weather apps, GPS, public Wi-Fi
Inferences | Interests, presumed political opinions, health, orientation | Statistical models cross-referencing everything above

That last row is the most problematic: data brokers don't just resell what you gave them. They infer things about you from statistical correlations. You might find yourself classified as "probably pregnant", "probably job-hunting", or "probably in debt" without ever having declared any of it.

Section 04

GDPR: a strong enough shield?

On paper, the General Data Protection Regulation (GDPR) in Europe is strict. You have the right to request erasure of your data (Article 17), a right of access (Article 15) and a right to object (Article 21). And penalties can climb up to 4% of global annual revenue.

In practice though, good luck. Trying to contact every broker one by one is a full-on slog when there are thousands of them:

That's why the fight against spam and abusive advertising has to happen upstream, using masking tools (email aliases, virtual shields) so these brokers only get junk data to work with — and by automating GDPR requests with the major players.

Section 05

Taking back control, concretely

Three concrete actions, sorted by effort/impact ratio:

1. Systematically reject third-party cookies

A click on "reject all" instead of "accept all" on every banner. It's free, takes two seconds, and shuts off the very first source of collection. EU law since 2021 requires the "reject" button to be just as accessible as the "accept" one.

2. Use email aliases

Instead of handing over your real address, create a unique alias for each service. If a site gets breached or resells your email, you immediately know where the leak came from, and you can disable the alias without touching your main inbox.

3. Trigger GDPR requests at the major brokers

This is exactly what Sheeldy automates: we contact the main data brokers (European and international) to demand the erasure of your data on your behalf, track the legal deadlines, and follow up if they don't respond. No commitment, from €5/month.
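The per-service alias idea from action 2, as an added example (not code from the original article or from Sheeldy): each alias carries a keyed HMAC tag, so incoming mail can be traced to the service the alias was issued to, guessed aliases are rejected, and a leaked alias can be disabled. The domain `alias.example`, the demo key and all function names are assumptions.

```python
import hashlib
import hmac

ALIAS_DOMAIN = "alias.example"        # assumed: a catch-all domain you control
SECRET_KEY = b"constructed-demo-key"  # constructed; use a long random secret


def _tag(service: str) -> str:
    """Keyed tag: without SECRET_KEY nobody can mint a valid alias."""
    mac = hmac.new(SECRET_KEY, service.encode(), hashlib.sha256)
    return mac.hexdigest()[:12]


def make_alias(service: str) -> str:
    """Unique address to give `service` (its domain) instead of your real one."""
    service = service.strip().lower()
    return f"{service}.{_tag(service)}@{ALIAS_DOMAIN}"


def attribute(recipient: str):
    """Return the service an alias was issued to, or None if it is not ours."""
    local, _, domain = recipient.strip().lower().rpartition("@")
    service, _, tag = local.rpartition(".")
    if domain != ALIAS_DOMAIN or not service:
        return None
    # Constant-time compare on bytes: a guessed or altered tag never attributes.
    ok = hmac.compare_digest(tag.encode(), _tag(service).encode())
    return service if ok else None


def classify(recipient: str, sender_domain: str, revoked: set) -> str:
    """Triage one message; sender_domain is assumed to be already authenticated."""
    service = attribute(recipient)
    if service is None:
        return "reject: not an alias we issued"
    if service in revoked:
        return f"reject: alias for {service} was disabled"
    sender = sender_domain.strip().lower()
    # Exact or subdomain match only, so 'notshop.example' is not 'shop.example'.
    if sender == service or sender.endswith("." + service):
        return f"deliver: expected sender for {service}"
    return f"leak: alias issued to {service} used by {sender}"


if __name__ == "__main__":
    addr = make_alias("shop.example")  # constructed sample service
    print(addr, "->", classify(addr, "adnetwork.example", set()))
```

Because the service name is recoverable from the alias itself, attribution needs no stored mapping; only the revocation set has to be kept.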

Frequently asked questions

What is a data broker?
A data broker is a company whose business model is to collect, cross-reference and resell your personal data to third parties: advertisers, recruiters, insurers, banks, political agencies. They vacuum up your purchase histories, your clicks, your location data, and rebuild ultra-detailed profiles that they monetise.

How many data brokers hold my data?
Several hundred on average for an active internet user. The main known brokers (Acxiom, Experian, Oracle Data Cloud, Epsilon, LiveRamp and their European equivalents) then resell those profiles in cascade to thousands of downstream buyers.

Is GDPR enough to protect against data brokers?
On paper yes, in practice no. GDPR gives you the right to demand erasure, but you have to contact each broker one by one, prove your identity, and follow up if they don't respond within 30 days. That's why services like Sheeldy automate the requests on your behalf.

How do data brokers get my data?
Through several channels: advertising cookies, commercial partnerships with e-commerce sites, public records, data breaches, mobile apps that resell location permissions, loyalty programmes, online forms. A single signup can feed a dozen brokers in cascade.

How can I limit my exposure to data brokers?
Three concrete actions: use email aliases so you stop exposing your real address, systematically refuse third-party cookies, and trigger erasure of your data at the main brokers through a service like Sheeldy.

Factual sources: Reports from the CNIL on data monetisation and advertising profiling · Studies by the NGO Privacy International on the data broker industry · Articles 15, 17 and 21 of Regulation (EU) 2016/679 (GDPR).

In a nutshell

Data brokers thrive on invisibility. Understanding their business model — mass collection, cross-referencing, cascading resale — is the first step in protecting yourself. GDPR provides the right legal tools, but exercising them by hand is well out of reach for a single user. That's exactly why platforms like Sheeldy exist: to turn a theoretical right into actual erasure.