Data Brokers Control 70% Of Online Users' Personal Information

A recent investigation by VPNmentor has revealed alarming insights into the global reach of data brokers.

The report finds that at least 70 per cent of the world’s online population now has their Personally Identifiable Information (PII) collected by these firms - often without explicit consent or awareness. 

The findings highlight the power and pervasiveness of data broker activities, often hidden from public view yet deeply embedded in modern digital infrastructure.

In summary:

  • 70 per cent of online users globally have their PII collected by data brokers.
  • Over 5,000 terabytes of behavioural data are processed daily.
  • AI‑driven profiling is becoming built‑in and unavoidable.
  • Smaller data brokers evade scrutiny as attention focuses on larger entities.

Estimates suggest there are around 5,000 data broker companies operating worldwide, with revenues projected to exceed US $270 billion as the industry continues to expand. These firms gather data from public records, websites, apps, credit agencies, social media, and more, aggregating massive profiles on individuals. 

Processing Petabytes of Personal Behavioural Data

The VPNmentor report states that over 5,000 terabytes of behavioural data are processed daily. This includes digital interactions across websites and apps, public services, and social platforms. Such volume emphasises not only the scale of data broker operations but also their increasing ability to track and profile individuals over time.

AI Makes Profiling Ubiquitous & Inescapable

A key concern highlighted is the role of artificial intelligence (AI) in expanding surveillance. The report warns that organisations increasingly include machine learning scripts in apps or platforms as non-optional components, meaning every user is automatically profiled, whether they consent or not.

AI thus turns passive data collection into inescapable profiling, fundamentally eroding anonymity.

Small Brokers Slip Below The Regulatory Radar

While large brokers occasionally face scrutiny, the analysis notes that smaller or lesser-known data brokers often evade detection and policy enforcement. Regulators and advocacy groups tend to concentrate on prominent firms, leaving numerous niche operators free to continue to harvest and trade personal data with little oversight.

Data Broker Industry: Scale, Impact & Risks

Independent sources confirm that data brokers routinely aggregate identity and behavioural data across multiple domains. These include demographic and contact details, behavioural history, location data, purchasing habits, credit scores, and even sensitive attributes such as political beliefs or health-related indicators.

Acxiom, for example, claims to hold profiles on 2.5 billion individuals, with thousands of data points per person. The US data broker market alone is estimated at between $30 billion and $180 billion, with the global market valued at between $240 billion and $270 billion.

Surveillance & Profiling 

Users leave digital footprints - such as search queries, website visits, app usage, and social media activity - that are harvested to build detailed profiles. Even basic browsing involves re-identifiable behaviour patterns: studies show that just four domains visited by an individual are enough to uniquely identify up to 95 per cent of users.

Consumer & Societal Harm

Inaccurate or outdated profiles can misclassify individuals, leading to unfair denial of services, higher insurance premiums, or financial discrimination. Transparent control over personal data is often lacking, especially in jurisdictions without robust privacy laws.

Algorithmic Decision-Making

Data brokers feed databases used in algorithmic underwriting, tenant vetting, credit scoring, and profiling - systems that increasingly determine life‑changing decisions. Limited recourse is available when errors are embedded in opaque AI-driven decisions.

Current Regulatory Landscape

Privacy laws vary widely around the world. The EU's GDPR offers stringent controls over data collection, usage, and breach notification. In contrast, the United States lacks comprehensive federal regulation, leaving enforcement to patchy state laws such as California’s data broker registry and opt‑out provisions.

Some US states require brokers to register and allow consumer opt‑out, but the industry largely remains opaque. States such as California, Oregon, Texas and Vermont have introduced laws targeting brokers, though smaller operators often slip through gaps in enforcement (OneRep).

What Can Be Done?

1. Stronger Regulation and Transparency: Broader legal frameworks are needed to mandate data broker accountability, user consent, profiling transparency, and data accuracy controls.

2. Public Awareness and Advocacy: Most individuals remain unaware that their digital footprints feed commercial profiles. Empowering users through education and accessible opt‑out mechanisms is crucial.

3. Technology and Privacy Tools: Privacy tools such as tracker blockers, VPNs, and browsers enforcing opt‑in consent models can reduce visibility to brokers. Automated PII‑removal platforms also offer partial mitigation (OneRep).

4. Audit and Oversight of Smaller Brokers: Regulators should expand oversight beyond headline brokers to include smaller entities that aggregate and trade user data without transparency.

A Hidden Engine of Surveillance

The VPNmentor research shines a spotlight on the vast and often unseen dimension of data collection by brokers. With AI enabling automated profiling, daily processing of exabytes of human data, and a fragmented regulatory environment, the situation is profoundly concerning.

Understanding that 70 per cent of global online users are represented in data broker databases and that 5,000 TB of behavioural data is processed every day provides powerful context for rising privacy risks. As profiling via AI becomes ubiquitous and smaller brokers slip through regulatory cracks, urgent reforms and user protections are needed.

Without significant changes in policy, oversight, and public awareness, data broker activities will remain one of the most significant and opaque threats to individual privacy in the digital age.

VPNMentor | Proton | Proton | OneRep | Wikipedia | US Dept. of Justice | arXiv | arXiv

Image: Rodion Kutsaiev
