Data Broker Exposure Report

Your IP and browsing habits are a $200 billion commodity. Find out which brokers have a shadow profile on you — and how to remove it.

Your Current Exposure

This score is based on your current IP type, ISP, and whether you are using a VPN or Tor. It estimates the likelihood that your browsing data is accessible to data brokers.

What Are Data Brokers?

Data brokers are companies that collect personal information from dozens of sources — your ISP, public records, social media, loyalty programs, and purchased app data — and sell it to advertisers, insurers, employers, and marketers without your direct consent. Many brokers build so-called shadow profiles: detailed files about you compiled entirely from third-party sources, even if you never signed up with them or gave them your email.

Unlike hacking, this is entirely legal in the United States. The US data broker industry generates an estimated $200 billion per year and includes over 4,000 companies. The information sold typically includes:

  • IP address history and associated browsing patterns
  • Name, home address, phone number, email
  • Purchase history and financial behavior
  • Location history (from mobile apps)
  • Political affiliation, religion, health interests

US-Specific Risk: In 2017, Congress rolled back privacy protections, allowing ISPs to sell your browsing history without your consent. Major carriers — Comcast, AT&T, Verizon, T-Mobile, Charter — have all been documented monetizing user data.

How Your Score Is Calculated

The table below explains all possible risk levels for this indicator.

Risk Level | What It Means
LOW RISK | You are using a VPN or Tor, or you are connecting from outside the US. Your ISP sees only encrypted traffic and cannot easily sell your browsing data to brokers.
MEDIUM RISK | US connection without VPN, ISP not identified as a major data seller. Your IP and connection metadata may be accessible to brokers, but active data selling is less certain.
HIGH RISK | US connection with a major ISP known to monetize user data (Comcast/Xfinity, AT&T, Verizon/FiOS, T-Mobile, Charter/Spectrum, Cox, CenturyLink/Lumen). Your browsing history may be actively sold.

The score uses three data points available from your browser without requiring any personal input:

  • VPN / Tor active? — If yes, traffic is encrypted before it reaches your ISP → LOW
  • Country — If outside the US, data broker risk is significantly lower → LOW
  • ISP name — If your ISP is among major US carriers with documented data monetization → HIGH; otherwise → MEDIUM
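
One way to implement the decision order above, as an added example that is not the site's own code. The input field names (`vpnOrTor`, `countryCode`, `isp`) and the sample ISP strings are assumptions; the carrier names are those in the HIGH RISK row. It goes one step beyond the text by matching carrier names as whole words only.

```javascript
// Added example, not the site's code. Carrier names are the ones listed in
// the HIGH RISK row; input field names are assumptions.
const MAJOR_ISPS = [
  'Comcast', 'Xfinity', 'AT&T', 'Verizon', 'FiOS', 'T-Mobile',
  'Charter', 'Spectrum', 'Cox', 'CenturyLink', 'Lumen',
];

// Match a carrier name only as a whole word, so "Cox" does not fire on
// "Wilcox". A plain substring test would misclassify such ISPs as HIGH.
function isMajorIsp(ispName) {
  const name = String(ispName || '').toLowerCase();
  return MAJOR_ISPS.some((alias) => {
    const escaped = alias.toLowerCase().replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
    return new RegExp(`(^|[^a-z0-9])${escaped}([^a-z0-9]|$)`).test(name);
  });
}

// Decision order from the page: VPN/Tor first, then country, then ISP.
function brokerRisk({ vpnOrTor = false, countryCode = '', isp = '' } = {}) {
  if (vpnOrTor) return 'LOW';
  // Assumption: an unknown country is scored as US instead of being
  // silently downgraded to LOW.
  const country = String(countryCode || 'US').toUpperCase();
  if (country !== 'US') return 'LOW';
  return isMajorIsp(isp) ? 'HIGH' : 'MEDIUM';
}

// Constructed sample inputs, shaped like IP-lookup results.
const samples = [
  { vpnOrTor: true, countryCode: 'US', isp: 'Comcast Cable Communications, LLC' },
  { countryCode: 'DE', isp: 'Verizon Deutschland GmbH' },
  { countryCode: 'US', isp: 'AT&T Services, Inc.' },
  { countryCode: 'US', isp: 'Wilcox Telephone Co-op' },
];
for (const s of samples) console.log(brokerRisk(s), JSON.stringify(s));
```

Whole-word matching still cannot tell apart unrelated companies that share a brand word such as "Spectrum", so a production version would key on the network's ASN instead of its display name.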

Major US Data Brokers

These companies are among the largest data brokers operating in the United States. Each has an opt-out process, though it typically requires submitting requests individually.

Acxiom
One of the largest — holds data on 2.5 billion people globally. Their databases are a frequent target for hackers, raising significant identity theft risk.
LexisNexis
Financial, legal, and identity data. Their C.L.U.E. report directly influences your auto and home insurance premiums — most Americans don't know this file exists.
Spokeo
People search: address, phone, relatives, social media
Whitepages
Address, phone, background reports
BeenVerified
Background checks, address history, relatives
Intelius
Background and people search reports
Epsilon
Consumer profiles used for targeted advertising
CoreLogic
Property, financial, and mortgage data
PeopleConnect
Operates Intelius, US Search, TruthFinder
Equifax / Experian / TransUnion
Known as credit bureaus, but each runs a large marketing data division (Equifax IXI, Experian Marketing Services). Equifax's 2017 breach exposed 147 million Americans — a reminder that broker databases are prime targets for identity theft.

How to Reduce Your Exposure

1. Use a VPN — The most effective technical solution. A VPN encrypts your traffic before it leaves your device, so your ISP sees only encrypted data going to a VPN server. Your browsing history becomes inaccessible to your ISP and, by extension, to brokers who buy ISP data.

2. Opt out from major brokers — Each data broker is required (or offers voluntarily) to remove your profile on request. This is time-consuming but effective. Tools like DeleteMe, Incogni, or Kanary automate the process. Note: Opting out prevents future collection, but cleaning up years of existing data requires persistent monitoring.

3. Use a privacy-focused browser — Firefox with uBlock Origin, Brave, or Tor Browser reduce the amount of tracking data generated in the first place.

4. Opt out from your ISP's data sharing — Most major US ISPs have an opt-out buried in account settings:

  • Comcast/Xfinity: Account > Settings > Privacy > Advertising & Analytics
  • AT&T: myAT&T app > Account > Privacy Choices
  • Verizon: Account > Privacy Settings > Business & Marketing Insights
  • T-Mobile: Account > Privacy & Notifications > Advertising
  • Charter/Spectrum: My Account > Settings > Privacy & Permissions

5. Enable Global Privacy Control (GPC) — GPC is a browser signal that automatically tells websites "do not sell my data." Under California (CPRA) and Colorado (CPA) law, businesses are legally required to honor it. Enable it in Firefox (Privacy & Security settings), Brave (enabled by default), or via the Privacy Badger extension in Chrome.

US Privacy Laws by State

There is no comprehensive federal data privacy law in the United States. Protection varies significantly by state:

Law | Details
CPRA — California | California Privacy Rights Act (2023) — The strongest US state law. Gives residents the right to know, delete, correct, and opt out of the sale of their personal data. Applies to businesses with $25M+ revenue or 100K+ consumers.
VCDPA — Virginia | Virginia Consumer Data Protection Act (2023) — Opt-out rights for targeted advertising and data sales. Similar scope to CCPA but no private right of action.
CPA — Colorado | Colorado Privacy Act (2023) — Opt-out rights, universal opt-out mechanism required by 2024.
CTDPA — Connecticut | Connecticut Data Privacy Act (2023) — Right to opt out of targeted advertising and data sales.
TDPSA — Texas | Texas Data Privacy and Security Act (effective July 1, 2024) — Opt-out rights for targeted advertising, data sales, and profiling. Applies to most businesses operating in Texas, with specific exemptions for small businesses as defined by the SBA. Enforced exclusively by the Texas Attorney General — no private right of action.
FDBR — Florida | Florida Digital Bill of Rights (effective July 1, 2024) — Applies only to large controllers with $1B+ global revenue. Grants opt-out rights for targeted advertising and data sales. Narrower scope than CPRA — most small and mid-size businesses are exempt.
No federal law | Most other US states have no comprehensive privacy law. Congress has debated a federal bill (ADPPA) but it has not passed as of 2026. Without state-level protection, residents in states like New York or Georgia have limited recourse against data brokers.

Compare with EU: Under GDPR, data brokers operating in the EU must obtain explicit consent before processing personal data, cannot sell it without a legal basis, and face fines up to 4% of global turnover. US residents have no equivalent federal protection.

Privacy Laws by Country

Privacy protection varies dramatically around the world. The overview below covers major national privacy laws and their key provisions.

Law | Details

🌍 Europe
GDPR — EU | General Data Protection Regulation (2018) — The world's strongest privacy law. Requires explicit consent, grants rights to access/delete/port data, and imposes fines up to 4% of global annual turnover. Applies to any company processing EU residents' data regardless of where the company is based.
UK GDPR — UK | UK GDPR + Data Protection Act 2018 — Post-Brexit continuation of GDPR principles. Functionally equivalent to EU GDPR with minor adaptations. Enforced by the ICO (Information Commissioner's Office).
nFADP — Switzerland | New Federal Act on Data Protection (2023) — Aligned with EU GDPR to maintain data transfer adequacy. Applies to Swiss-based data controllers; enforced by the FDPIC.
152-FZ — Russia | Federal Law on Personal Data (2006, updated) — Requires data localization (Russian citizens' data must be stored on Russian servers). Enforcement is inconsistent; state security agencies are broadly exempt.

🌎 Americas
PIPEDA — Canada | Personal Information Protection and Electronic Documents Act — Federal law requiring consent for data collection and use. Several provinces (Quebec, Alberta, BC) have stricter provincial laws. Modernization via Bill C-27 (CPPA) is currently in legislative progress.
LGPD — Brazil | Lei Geral de Proteção de Dados (2020) — Brazil's GDPR equivalent. Covers all data processing of Brazilian residents, grants rights to access/delete/correct, and is enforced by the ANPD authority.
LFPDPPP — Mexico | Ley Federal de Protección de Datos Personales en Posesión de los Particulares (2010) — Basic consent and transparency requirements for private entities. Enforcement is limited compared to GDPR.

🌏 Asia & Pacific
APPI — Japan | Act on Protection of Personal Information (amended 2022) — Asia's most mature privacy law. Grants rights to access, correct, and delete personal data. Stricter cross-border transfer rules added in 2022. Enforced by the PPC.
PIPL — China | Personal Information Protection Law (2021) — Comprehensive law modeled partly on GDPR. Requires consent and data minimization. Key exception: state and national security agencies are broadly exempt from its provisions.
DPDP — India | Digital Personal Data Protection Act (2023) — Newly enacted; implementing rules still being finalized. Covers digital personal data of Indian residents. Enforcement body (DPBI) not yet fully operational.
PIPA — South Korea | Personal Information Protection Act — One of Asia's strictest laws. Broad scope, significant penalties, and strong data subject rights. Enforced by the PIPC.
PDPA — Singapore | Personal Data Protection Act (2012, amended 2021) — Business-friendly framework with consent requirements and mandatory data breach notification. Enforced by the PDPC.
Privacy Act — Australia | Privacy Act 1988 (updated) — Applies to federal agencies and businesses with AUD 3M+ annual turnover. Covers 13 Australian Privacy Principles (APPs). Major legislative reform under review as of 2024.

No law | Most countries in Southeast Asia (outside Singapore), the Middle East, and sub-Saharan Africa have no comprehensive data privacy legislation. Residents in these regions have limited legal recourse against data brokers. This often makes these regions hubs for unregulated data harvesting.

The Verdict: Take Back Control of Your Data

The risk is real: In the U.S., your personal data is a commodity. While the EU treats privacy as a fundamental human right, U.S. law largely treats it as a business asset. If you are using Comcast, AT&T, or Verizon, your browsing habits are likely being monetized right now.

The technical fix: A VPN encrypts your traffic before it reaches your ISP, making it inaccessible to data brokers. It is your first line of defense.

The legal fix: U.S. privacy rights are a patchwork of state laws. Opt out from major brokers individually, or use a service like DeleteMe or Incogni. Don't wait for a federal solution that may never come — take control of your digital footprint today.