Part 3 of our series on online privacy. Parts 1 and 2 are at news.atozofcyber.co.uk
You have probably never heard of most data brokers. That is, in a sense, the point. They are not consumer brands. You have never signed up to one directly, never agreed to their terms of service in any meaningful way, and would struggle to name even one if asked. And yet some of them hold more detailed information about you than companies you interact with every day.
This article explains what data brokers are, how they get your information, what they do with it, and — crucially — what UK law actually allows you to do about it.
So what actually is a data broker?
A data broker is a company whose business is collecting personal information and selling or sharing it with others — usually for marketing, identity verification, fraud prevention, or background checks. They do not provide you with a service in any direct sense. You are not their customer. You are their product.
Data brokers fall into several broad categories. People-search sites compile public records — electoral rolls, property records, court records, social media — into searchable profiles, often sold to anyone willing to pay a small fee, including people you may not want finding you. Marketing data brokers compile and sell profiles built from loyalty card data, browsing history, and purchase records, used to target advertising. Financial and credit data brokers — companies like Experian, Equifax, and TransUnion — compile financial histories used for credit decisions; these operate under somewhat more regulation than other categories but still hold extensive personal data. B2B data brokers compile professional profiles — your job title, employer, work email, and career history — often scraped from LinkedIn and company websites, sold to sales and recruitment companies.
How they get your data
Almost none of it requires hacking or anything illegal in the traditional sense. The methods are mundane, which is part of why the practice has grown so large with relatively little public awareness.
Public records — the electoral roll, Companies House filings, the Land Registry, court judgments — are, by design, public. Data brokers scrape and compile them at scale. Social media profiles, particularly those left public, are systematically scraped. Loyalty card schemes and online purchases generate data that is frequently sold onward, often disclosed somewhere in terms and conditions that almost nobody reads in full. And brokers buy and sell data from each other constantly — meaning a single piece of information you shared once, years ago, with one company, may now exist in dozens of separate broker databases, each periodically refreshing and re-acquiring it from the others.
This last point matters enormously for what comes next. It is the reason a single opt-out request rarely solves the problem completely.
What this data is actually used for
Much of it is mundane — more accurately targeted advertising, more relevant offers. But the uses extend further, and not always benignly.
Price discrimination. Some companies use data broker profiles to determine what price to show you — the same flight or insurance product can be offered at different prices to different people based on inferred willingness to pay.
Background and tenant screening. People-search data is used, sometimes informally, by landlords, employers, and even individuals checking up on a new contact, often without the safeguards that apply to formal credit or criminal record checks.
Fraud risk. Ironically, the same aggregated personal data that helps companies prevent fraud is also a resource for criminals. The UK government's own ongoing review into data brokers and national security explicitly raises the concern that hostile actors — including cyber criminals — can acquire UK personal data through the open data broker market, sometimes at speed and scale, for use in identity theft, scam targeting, and worse.
Building the toolkit behind the scams in our last series. Every scam covered in our Don't Get Scammed series benefits from data broker information. A criminal who buys a profile containing your name, address, phone number, and rough financial profile has exactly the raw material needed to make an HMRC scam, a bank impersonation call, or a romance scam significantly more convincing.
What UK law actually gives you
This is the genuinely useful part, and it has changed meaningfully in the past year.
Under UK GDPR, you have several distinct rights that apply directly to data brokers. The right of access (Article 15) lets you ask any organisation what personal data they hold about you. The right to object (Article 21) gives you an absolute right to object to your data being used for direct marketing — brokers cannot refuse this on any grounds. The right to erasure (Article 17) — sometimes called the right to be forgotten — lets you request deletion where the data is no longer necessary for its original purpose, or where you have successfully objected to its processing.
Privacy law specialists who work in this area consistently advise the same practical approach: do not send a bare erasure request alone. A combined letter citing all three rights — access, objection, and erasure — together is significantly more effective, because it removes the broker's ability to claim a narrow legitimate interest in retaining the data while still using it for marketing.
The Data (Use and Access) Act 2025, whose main provisions came into force on 5 February 2026, has adjusted some of the technical detail around how organisations respond to these requests, but it has not weakened your fundamental right to object to marketing use or to request erasure. Organisations have one month to respond to a valid request, extendable to three months for genuinely complex cases, and must inform you if they are extending the deadline.
If a broker ignores your request, responds beyond the deadline without justification, or refuses without citing a specific, valid exemption, you can complain to the ICO at ico.org.uk/make-a-complaint, free of charge.
A practical approach
Start with a search, not a request. Search your own name alongside your town or previous addresses to identify which people-search sites currently display information about you. This tells you where to focus first.
Send a combined request. To each broker you find, send a written request — email is sufficient — citing your rights under Articles 15, 21, and 17 of the UK GDPR: access to what they hold, objection to marketing use, and erasure of data no longer necessary for its purpose. Send this to the company's data protection officer or the privacy contact listed on their site. Keep a copy and note the date sent.
Be realistic about scope. It is not possible to remove yourself from every broker in existence, and certain data — Companies House filings, Land Registry records, court judgments — exists in mandatory public registers that erasure rights do not reach. The goal is meaningful reduction of your most exposed and most exploitable data, not total invisibility.
Expect to repeat the process. Because brokers continuously re-acquire data from each other and from public sources, a successful removal is not permanent. Privacy specialists in this field generally recommend revisiting the process every three to six months, as records that were removed can reappear at the next data refresh.
Consider whether a paid removal service is worth it for you. A number of services now exist that automate the broker opt-out process across dozens of companies and monitor for re-listing. Whether this is worth paying for depends on how much exposure concerns you and how much time you are willing to spend doing it manually. For most people, a manual pass focused on the handful of brokers that appeared in your initial search is a reasonable and free starting point.
What does this mean for me?
Search your own name alongside your town to see which people-search sites currently hold information about you.
Send combined requests citing Articles 15, 21, and 17 of UK GDPR to each broker you find — this is more effective than an erasure request alone.
Complain to the ICO for free if a broker ignores your request or refuses without valid justification.
Treat this as an ongoing task, not a one-off — set a reminder to repeat the process every few months.
Understand the bigger picture: every piece of data a broker holds about you is a piece of raw material available, in principle, to the people running the scams covered in our previous series. Reducing your exposure here makes you a less convincing target everywhere else.
🧠 The Human Factor
| Technology involved | Data broker databases compiled from public records, social media scraping, loyalty schemes, and data shared between brokers — largely operating without most people's awareness |
| Root cause | Personal data, once shared anywhere, is frequently aggregated, resold, and re-aggregated across an ecosystem of companies that the people whose data it is rarely interact with directly or knowingly consent to |
| What was at risk | Identity theft, price discrimination, informal background checks without proper safeguards, and — as the UK government's own national security review has flagged — exploitation by hostile actors and cyber criminals |
| Prevention | Combined access, objection, and erasure requests under UK GDPR Articles 15, 21, and 17; regular repetition of the process; realistic expectations about what mandatory public registers cannot remove |
Next in the series: Taking back control — a practical action plan for reducing your digital exposure.
References and sources
- ICO: Right to erasure guidance — ico.org.uk
- UK Government: Data brokers and national security call for views — gov.uk
- Data (Use and Access) Act 2025, provisions in force from 5 February 2026 — gov.uk
- European Data Protection Board: Data Brokers Market Study (March 2026) — edpb.europa.eu
- Privacy Insight Solutions: Data Brokers in the UK: Your Rights & the DUAA 2025 (April 2026)