Mar 09, 2026 · 5 min read
Data Brokers Cost Americans $21 Billion—And Hid the Opt-Out Button
A congressional investigation found that four data broker breaches exposed 651 million people. The brokers made it nearly impossible to delete your data.
$20.8 Billion in Stolen Identities
The Senate Joint Economic Committee released a report on February 27 estimating that data broker breaches have cost American consumers $20.8 billion in identity theft losses. The figure comes from just four breaches at major data aggregation companies over the past decade, each of which exposed hundreds of millions of people.
The breaches: Equifax in 2017 exposed 147 million people. Exactis in 2018 exposed 230 million. National Public in 2023 exposed 270 million. TransUnion in 2025 exposed 4 million. Combined, 651 million records were compromised across the four incidents. Congressional staff calculated the losses using identity theft rates following each breach and a median loss of $200 per theft.
The Hidden Opt-Out Pages
The investigation was triggered by reporting from CalMatters, The Markup, and WIRED, which discovered that data brokers were deliberately hiding their opt-out pages from search engines. The companies used "no index" tags, a simple line of code that tells Google and other search engines not to include the page in search results.
Under California law, data brokers are required to provide consumers with a way to delete their data or stop its sale. By blocking these pages from search results, the brokers complied with the letter of the law while making it nearly impossible for ordinary people to actually find and use the opt-out mechanism. You would need to know the exact URL to reach the page. A Google search would return nothing.
Five Brokers, One Holdout
Senator Maggie Hassan, the ranking Democrat on the Joint Economic Committee, contacted five registered data brokers directly: Comscore, Findem, IQVIA Digital, Telesign, and 6sense Insights. She asked each to explain why their opt-out pages were hidden from search engines and demanded they fix the problem.
Four of the five companies responded. They removed the blocking code, made opt-out pages more visible, and added direct links to their privacy settings. One company, Findem, refused to respond and maintained its barriers. The fix was trivial: removing a single HTML tag. The fact that it took a senator's letter to make it happen says everything about the industry's relationship with consumer rights.
What Data Brokers Actually Know About You
Data brokers collect and sell information about nearly every American adult. Their databases typically include your full name, home address, email addresses, phone numbers, employment history, estimated income, purchasing habits, health conditions, religious affiliations, political leanings, and family relationships. Some brokers maintain profiles with over 1,500 data points per person.
This data comes from public records, loyalty programs, app usage, website tracking, and purchases from other companies. When a broker gets breached, attackers do not just get one piece of information. They get everything, a complete profile that makes identity theft, phishing, and social engineering vastly more effective.
The Opt-Out Problem Is Systemic
Even when opt-out pages are findable, the process is designed to be exhausting. There are hundreds of registered data brokers in the United States alone. Each requires a separate opt-out request. Many demand you verify your identity by providing additional personal information, creating a paradox where exercising your privacy rights requires giving up more of your data. Some brokers re acquire your information within months, resetting the process entirely.
California's Delete Act, which launched a centralized deletion platform in 2024, is the most significant attempt to fix this. It lets residents submit a single request that cascades to all registered brokers. But the system only covers California registered brokers, and enforcement remains a challenge. Most Americans have no equivalent tool.
What Congress Is Recommending
The Senate report calls for "clear, easy access to opt-out options and more rigorous oversight" of data brokers. Senator Hassan stated: "Data brokers shouldn't make it harder for people to protect themselves. This report shows the scope of the threat that people face from data broker breaches."
Whether those words translate into federal legislation remains an open question. The data broker industry has successfully resisted comprehensive federal regulation for decades, and the current political landscape makes new privacy legislation uncertain at best. In the meantime, the industry continues to collect, package, and sell your personal information, and the $20.8 billion cost of their security failures keeps growing.
Protecting Yourself Today
You cannot opt out of a system that does not want you to leave, but you can reduce your exposure. Use unique email addresses for different services so a breach at one company does not compromise your accounts everywhere. Enable two factor authentication on every account that supports it. Freeze your credit with all three major bureaus to prevent identity thieves from opening accounts in your name.
If you are in California, use the Delete Act's centralized platform. If you are not, services like DeleteMe and Kanary automate the broker by broker opt-out process for a fee. The fact that you need to pay a company to undo what other companies did without your permission is its own indictment. But until Congress acts, it is the best option available.