Every time you download an app, sign up for a service, or browse the web, invisible companies are watching. Data brokers — businesses that collect, package, and sell personal information — have built a multi-billion dollar industry around your data. In 2026, this industry faces growing scrutiny from regulators, but the threat to your privacy remains enormous.
Here is how data brokers operate, what new laws mean for you, and what concrete steps you can take to protect yourself.
What Are Data Brokers and Why Should You Care?
Data brokers are companies that collect personal information from public records, social media, purchase histories, location data, and online activity. They aggregate this data into detailed consumer profiles and sell them to advertisers, insurance companies, employers, landlords — and sometimes scammers.
The scale is staggering. According to the FTC, the data broker industry generates over $200 billion annually in the United States alone. Companies like Acxiom, Experian, and CoreLogic hold profiles on more than 250 million Americans. These profiles can include your full name, home address, phone number, email, income level, health conditions, political affiliations, and browsing habits.
The real danger goes beyond targeted advertising. In 2024, the CFPB found that data brokers routinely sell sensitive financial and location data to bad actors — including stalkers, scammers, and even foreign intelligence services. One FTC enforcement action revealed a broker selling real-time location data that could track individuals to specific buildings.
New Laws Fighting Back: California’s DROP Act and Federal Proposals
Regulators are finally catching up. California’s Delete Request Options and Protections Act (DROP Act, SB 362), which took effect on January 1, 2026, is the strictest data broker law in the United States. It allows California residents to submit a single deletion request that applies to every registered data broker in the state — over 500 companies.
Before this law, consumers had to contact each broker individually. With hundreds of brokers operating, practical deletion was nearly impossible. The DROP Act created a centralized mechanism through the California Privacy Protection Agency, making mass deletion a one-step process.
Other states are following. Over 30 U.S. states now require data broker registration. Virginia, Colorado, Connecticut, and Texas have enacted comprehensive privacy laws with broker-specific provisions. The FTC has proposed federal rules restricting the sale of sensitive data categories — including precise location, health, and financial information — without explicit consumer consent.
In Europe, GDPR already provides strong protections. Brokers operating in the EU must demonstrate a lawful basis for processing and honor deletion requests within 30 days. Brazil’s LGPD similarly requires explicit consent for data sharing and grants consumers the right to request deletion.
How Data Brokers Exploit Your Messaging Data
Most people do not realize that messaging metadata is a goldmine for data brokers. Even if your messages are encrypted, the metadata — who you talk to, when, how often, and from where — can reveal intimate details about your life.
A 2025 Stanford University study demonstrated that messaging metadata alone could predict a person’s medical conditions, religious affiliations, and political beliefs with over 85% accuracy. Apps that do not protect metadata effectively hand this information to anyone willing to pay.
This is where your choice of messaging app becomes critical. Many popular messaging platforms collect extensive metadata and share it with third-party partners. Their privacy policies often include broad language permitting data sharing for “business purposes” — a category elastic enough to include data brokers.
As we covered in our post about AI-powered phishing attacks, the more personal data available about you, the easier it becomes for attackers to craft convincing personalized scams.
How to Protect Yourself from Data Brokers
Taking control requires action on multiple fronts. First, exercise your legal rights. If you are in California, use the DROP Act deletion portal. In the EU, submit GDPR deletion requests. In Brazil, invoke your LGPD rights. Second, audit your app permissions. Revoke location access, contact sharing, and advertising identifiers wherever possible. Third, use privacy-focused tools. Switch to browsers that block trackers, use a VPN, and — critically — choose a secure messaging app that minimizes data collection.
Review every app’s privacy policy for language about “third-party sharing” or “business partners.” If the policy is vague, assume the worst.
Why PhizChat Keeps Your Data Out of Broker Hands
PhizChat was designed with a simple principle: your conversations belong to you. With end-to-end encryption as the default for every message, call, and file transfer, PhizChat ensures that no one — not even PhizChat itself — can read your communications.
But encryption alone is not enough. PhizChat also minimizes metadata collection, does not share user data with third parties, and does not monetize your information through advertising partnerships. There are no “business purpose” loopholes in the privacy policy. Your data stays yours.
In a world where data brokers profit from every digital interaction, choosing a secure messaging app that respects your privacy is not optional — it is essential. PhizChat gives you that protection without compromising the features you need for daily communication.
FAQ
What is a data broker and how do they get my information?
A data broker is a company that collects personal information from public records, online activity, purchase histories, and app data. They aggregate this into profiles and sell them to businesses, advertisers, and sometimes malicious actors.
Can I delete my data from data brokers?
Yes. California’s DROP Act (2026) allows one-step deletion from all registered brokers. GDPR and LGPD also provide deletion rights. However, brokers can re-collect data, so ongoing vigilance is necessary.
How does a secure messaging app protect me from data brokers?
A secure messaging app with end-to-end encryption and minimal metadata collection — like PhizChat — prevents brokers from accessing your conversation data, contact patterns, and location information.
Are data brokers legal?
Data brokers operate legally in most jurisdictions, though regulations are tightening. Over 30 U.S. states require broker registration, and federal rules restricting sensitive data sales are under consideration.