Recently we surveyed 500 people about digital privacy and what they know about companies that collect and trade their personal information, commonly known as “data brokers.”
Here’s a quick summary of the results:
- 43.9% of the surveyed people knew what data brokers are
- Out of those who knew what data brokers are, 95% were concerned about associated risks
- 43.9% were worried that they might get breached and collected data will leak
- 26.2% were concerned that this data might be used against them
- 24.9% didn’t want their personal information used by advertisers
- But despite concerns, only 19.7% said they tried to contact such companies to remove their personal data
- 46.5% didn’t know whom they should contact
- 40.6% didn’t even know they could do that
- 27% didn’t know what to say
- And 20% just didn’t care enough
So with this article, we decided to make a primer for people who want to exercise their right to privacy and answer some key questions:
- What are data brokers and what are the associated risks with them handling your personal data?
- Who to write to, what to say to get your data removed and what to say back when they try to make you jump through hoops.
Disclaimer: because the topic can get quite complicated as we dig deeper, we’ll mostly stick to surface-level understanding to get to the actionable part quickly.
What are data brokers?
Data brokers are companies that collect, aggregate and resell your personal information. Often without your knowledge.
How they operate
- Your personal information is collected from commercial, publicly available and government sources
- That information is then aggregated and sold to other companies
- Other data brokers buy your data, combine it with other information they have about you and resell that package again
- In the end, unknown companies that you never gave consent to handle your data have thousands of data points about you and your life
What are the risks of data brokers handling your data?
As with any group of 1000+ members, not all data brokers are equally problematic. Some of them are more of a nuisance than a risk.
Brokers that collect anonymized marketing information can be annoying and you might feel icky that they include you in a category like “interested in baby products,” but they’re generally less problematic than any service that has your full name, address, phone number and other personal information, and then sells that information to other unknown entities.
The exception is when the category they add you to contains information about politics or attitudes toward certain policies; then even anonymized data can be weaponized.
With that in mind, here are the most common risks associated with data brokers collecting and trading your personal information:
- Data breaches and associated risks.
- Unsolicited advertising and spam.
- Use by doxxers, abusers and stalkers.
- Attempts to influence your vote.
- Determining ineligibility for a job or a loan.
- Classifying the riskiness of a lifestyle.
Assuming that’s enough to convince you that you don’t want random companies having this personal data about you, let’s discuss your rights in terms of having that data removed.
What are your rights to protect personal information?
Under GDPR, your rights are:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure/to be forgotten
- Right to restrict processing
- Right to data portability
- Right to object
For the scope of this guide, we’ll be focusing on the right to erasure/right to be forgotten.
In simple terms, it means that you have the right to request that companies delete the information they have about you.
There are a few things to keep in mind here:
- When it comes to data brokers that scrape the internet, they might need to keep some information that can then only be used to make sure they don’t re-add you to their databases when scraping. That data cannot be used for any other purpose.
- There’s such a thing as “legitimate interest,” which essentially means that the company claims that the service provided is so beneficial that it overrides your right to privacy. Credit reporting agencies and fraud prevention services often try to claim it.
- Outside of data brokers, it’s a good idea to request data removal from services that you’re no longer using. Just keep in mind that this usually means the account will be closed/inaccessible as well.
Remember: even in the cases above, you still have the right to request information about what data is being collected about you and for how long!
If you live in California, your rights under CCPA are quite similar to those of GDPR, with one key difference that relates to data removal:
Under CCPA, companies can set their own procedures for data removal. Unfortunately, that means that they can make you jump through increasingly complicated hoops in hopes that you’ll just give up.
But what if you live outside of the EU/California?
Many other countries and states have their own variations of digital privacy laws, but that’s outside the scope of this guide.
But often, for the sake of simplicity, companies don’t bother checking your jurisdiction and will just comply with requests for data removal, so my advice — don’t hesitate to ask.
(Even in this industry, not everyone is a malicious agent)
How to get data brokers to remove your data
Now that we know our rights, let’s get to the actionable part: start removing your personal data from data brokers!
To do that, we’ll need to know:
- Who to contact
- What to write to them
- What to say when they reply with objections
How to contact data brokers to remove your personal data
There are thousands of data brokers and requesting data removal manually would literally take you weeks and months of your life.
The system is broken by design and while there are some services that offer to contact companies on your behalf, they don’t handle the follow-up and you’re left with your inbox flooded with follow-up requests from companies you never heard of (and your data still not removed).
Instead, our recommendation would be to start with the largest ones because, as discussed earlier in the guide, data brokers tend to trade data among themselves, and if you can cut off a large supplier of that data, that will have the biggest impact.
So here’s the starter list of some of the biggest data brokers:
- Acxiom — firstname.lastname@example.org
- Verisk — email@example.com
- Peopleconnect / Intelius — firstname.lastname@example.org
- AccuData — email@example.com
- CoreLogic — firstname.lastname@example.org
- Epsilon — email@example.com
- Equifax — firstname.lastname@example.org
- DirectMail — email@example.com
- Oracle — firstname.lastname@example.org
- TowerData — email@example.com
You can also find more here.
What to say to request the removal of personal data from data brokers
This part is pretty simple.
(Important: remember to change your name)
“Subject: Data removal request
I hereby submit a request for implementation of the following rights under Section 1798.105 of CCPA, Articles 7(3), 17 and 21 of GDPR and other applicable privacy legislation which grant individuals certain rights in relation to the protection of their personal data (information):
1) To obtain erasure (deletion) of personal data (information) without undue delay;
2) To withdraw any consent given to the processing of personal data (information);
3) To object to the processing of personal data (information) concerning the below individual, including but not limited to profiling and direct marketing.
The information necessary to confirm the identity of the individual on behalf of which this request is submitted:
E-mail address: [Email]
Please confirm your compliance with the request without undue delay and in any event within 45 (forty-five) days of receipt of this request.”
What to say when data brokers refuse to comply initially
As said, not everyone is malicious in this industry and you’ll encounter companies that will just comply with your initial request and remove your personal data.
But more often than not, you’ll get one of the following replies. Because they know most of the people requesting data removal don’t have lawyers specialising in privacy laws to advise them, they use language meant to sound legit and somewhat intimidating, hoping you’ll either comply or give up.
Here are some common replies from data brokers and what you can say back:
1. Provide more information
It might sound ridiculous, but often when you request companies to remove your personal data they’ll come back asking for more data.
There is some sense to it: in cases where they don’t have email addresses next to personal information, they need a way to identify the person requesting data removal (and, in the case of a request to get that data, to confirm they are giving it to the right person).
Unfortunately, some data brokers use this clause as a way to avoid complying with your request and will ask for something ridiculous like your driver’s license or utility bills as proof of identity.
Remember, this is not a bank or some other legit institution asking for this information, it’s some random company profiting off your personal information and holding it hostage. You should not have to provide such sensitive information!
The good thing is that both GDPR and CCPA support the principle that requirements to confirm identity must be proportionate to the request.
So here’s what to say back:
“Please note that I have already provided all the information necessary to identify myself. Therefore, I am not obliged to provide any further information.
Your request to initiate manual research on the user’s side is excessive and requires disproportionate effort.”
You can use this whenever you feel that what the company is asking from you is unreasonable based on your request.
2. Fill in the opt-out form
When you have data on hundreds of millions of people, handling their requests to have that data removed can become very expensive. So data brokers (and many other companies) figured out that just because they are profiting off your data doesn’t mean they should spend a lot of money on handling removal requests.
So instead, they send automated replies saying that the right way to get your data removed from their servers is to fill in this form or call that number, and just offload the work to you.
The reality is that if you fall under CCPA, unfortunately, they have that right, meaning that they can make the process of exercising your right to privacy slow, frustrating and discouraging.
(That said, even under CCPA, you can try the replies outlined below — some brokers comply.)
However, under GDPR, you don’t have to fill out their forms or jump through other hoops companies set out, but they have an obligation to comply with your request. This means you have two routes:
a) fill out the form that they link to
b) reply with the following:
“In response to your request to fill in some kind of form, please note that I do not have such an obligation.
If there is any legal obligation to do that, please send me a link to a relevant legal act.
On the other hand, you have an obligation to erase my personal information/data without further delay. Therefore, I hereby repeat my request to erase all my personal information/data. You can treat this letter as withdrawal of my consent on which the processing is based.
Please confirm by email that my personal information/data has been completely erased.”
3. What data do you want us to remove?
Similarly, they can ask a seemingly innocent question — what data do you want us to remove, or “send us a link you want to remove” (common for people finder and real estate data brokers).
The problem is that again it offloads the work of identifying what data they have about you to you. And realistically, there’s no way for you to go through all pages and be sure that you found everything associated with your personal information.
So instead, to make them do their job, here’s what to say:
“Please note that I have already provided all the information necessary to identify me.
Therefore, I am not obliged to provide any further information and find your requirements excessive. Your request that I initiate manual research on my side is disproportionate.
In addition, even if I could do that, there is no guarantee that your system has avoided errors, typos or other mistakes in association with my data.”
4. “Your data removal request has been completed”
A very deceitful tactic that some of the brokers undertake is to send a reply saying something like “Your data has been removed” or “Your request has been completed,” etc. in the subject line.
But if you open the email, they actually say that you need to fill out some form to complete the request.
These companies count on you not reading the reply, so they don’t have to follow through with your request.
Remember to open the emails you get from data brokers and follow the recommendations from “2. Fill in the opt-out form” on how to deal with this group.
What if it doesn’t work?
Data brokerage is a massive business and every time we exercise our rights to privacy, we’re essentially attacking what they consider their assets.
So don’t be surprised that they try to fight back.
If stuck, here’s a couple of things to say:
- Please confirm that you refuse to proceed with my data removal request despite the fact that I have provided all the necessary information to identify myself.
- Please be advised that since you’re refusing to honor my right to have my personal data removed, I will be issuing a complaint detailing this situation with a request to review your business practices.
And you know what — if companies refuse to comply with your request for data removal, you SHOULD inform local consumer protection and/or personal data protection authorities and draw attention to it.
Digital privacy laws are still young and their limits are yet to be tested. If we shed light on the flaws in the current system AT SCALE, we can still impact how it all plays out.