Data brokers know where you live, what you buy, where you've worked, and who you're related to. They know your estimated income, your political affiliation, and probably your chronic health conditions. They compile this information from public records, commercial transactions, social media activity, and other data brokers, then package it for sale to marketers, insurers, employers, and anyone else willing to pay.
The data broker opt out process exists because of state privacy laws—primarily the California Consumer Privacy Act (CCPA) and its successors—that give consumers the right to request deletion of their personal information. But the process is deliberately inconvenient. Each broker has its own opt-out mechanism, many require you to verify your identity by providing more personal information, and none of them make it easy to stay opted out as new data flows in.
I've seen organizations struggle to protect executive privacy, only to discover that senior leaders' home addresses and family details are readily available through commercial data brokers. I've watched compliance teams build sophisticated data governance programs while their own employees' information circulates freely in the broker ecosystem. The gap between what we think privacy law protects and what actually happens is substantial.
This guide covers what you need to know: which brokers matter most, how the manual opt-out process actually works, whether paid removal services are worth it, and how to maintain an opt-out posture over time. None of it is easy, but some approaches are more effective than others.
What Data Brokers Actually Do
Data brokers aggregate information from multiple sources to create detailed profiles of individuals. The sources include:
- Public records: Property deeds, voter registration, court filings, professional licenses, business registrations
- Commercial transactions: Purchase histories, warranty registrations, loyalty programs, credit applications
- Online activity: Web browsing patterns, social media posts, app usage, location data
- Other brokers: They buy and sell data among themselves, creating redundant copies across multiple databases
The profiles are sold to multiple categories of buyers. Marketing companies use them for targeted advertising. Insurance companies use them for risk assessment. Employers use them for background checks. Landlords use them for tenant screening. Political campaigns use them for voter outreach. Private investigators use them for skip tracing.
The business model depends on comprehensive coverage and fresh data. A data broker's value proposition is that they have everyone in their database, with recently updated information. This creates two problems for anyone attempting a data broker opt out: you need to identify all the major brokers, and you need to repeat the process periodically as your information re-enters their systems.
The Difference Between Data Brokers and People Search Sites
People search sites are the consumer-facing version of data brokerage. Sites like Spokeo, BeenVerified, and Whitepages let anyone search for individuals by name, phone number, or address. They're powered by the same underlying data infrastructure as commercial data brokers, but they monetize through subscription fees and one-time report purchases rather than bulk data sales.
The distinction matters for opt-out purposes because people search sites typically have visible opt-out pages—they're required to under state privacy laws, and they benefit from appearing cooperative. Commercial data brokers that sell only to businesses often have less accessible opt-out processes, buried in privacy policies or requiring written requests.
Start with people search sites if you're doing this manually. They're easier to find, their opt-out processes are documented, and removing your information from them addresses the most immediate privacy exposure: anyone with an internet connection finding your home address in thirty seconds.
Major Data Brokers and How to Opt Out
There are hundreds of data brokers, but a few dozen account for most of the consumer-facing exposure. Here are the major ones, organized by category, with their opt-out mechanisms.
People Search Sites
Spokeo aggregates data from social networks, public records, and marketing lists. Their opt-out process requires you to search for your listing, copy the URL, then submit it through their suppression form. They ask for an email address to confirm the request. Processing takes several days. URL: spokeo.com/optout
BeenVerified operates similarly but requires you to create an account to manage opt-out requests. This means providing an email address and password to the same company you're asking to delete your data. The irony is intentional—they're collecting information even as you request removal. URL: beenverified.com/faq/opting-out
Whitepages has multiple properties (Whitepages Premium, 411, Addresses.com) that require separate opt-out requests. Each one needs you to locate your profile and submit a removal form. Expect 24-48 hours for processing. URL: whitepages.com/suppression
Intelius owns multiple brands including Instant Checkmate, TruthFinder, and US Search. Opting out of one doesn't opt you out of the others. Each requires a separate request with identity verification. URL: intelius.com/optout
Marketing and Analytics Brokers
Acxiom is one of the largest data brokers, selling consumer profiles to marketers and analytics companies. They operate an opt-out portal called AboutTheData that lets you view (some of) what they know about you and request suppression. The process requires creating an account and verifying your identity. URL: acxiom.com/about-us/privacy
Epsilon operates similarly, with an opt-out form that requires your name, address, and email. They don't show you what data they hold, just confirm that your opt-out request has been processed. URL: epsilon.com/privacy-policy
Oracle Data Cloud (formerly Datalogix and BlueKai) provides an opt-out through the Digital Advertising Alliance's consumer choice page rather than a direct mechanism. This opts you out of targeted advertising but doesn't necessarily remove your data from their systems. URL: datacloudoptout.oracle.com
Background Check and Screening Services
These brokers sell to employers, landlords, and financial institutions. They're subject to the Fair Credit Reporting Act (FCRA), which provides some consumer protections that pure marketing brokers don't have.
LexisNexis operates consumer reporting databases separate from their legal research platform. Opt-out requires a written request with identity verification—typically a signed form mailed or faxed with a copy of your driver's license. URL: lexisnexis.com/privacy
CoreLogic requires similar written verification but allows online submission of the request form. Processing takes 7-10 business days. URL: corelogic.com/privacy
The Manual Opt-Out Process: What to Expect
Executing a comprehensive data broker opt out manually takes 15-20 hours spread over several weeks. Here's the realistic timeline and workflow.
Week 1: Identify your listings. Search for yourself on major people search sites using variations of your name, current address, previous addresses, phone numbers, and email addresses. Create a spreadsheet documenting which sites have your information and what they're showing. Take screenshots—profiles can change between when you find them and when you submit opt-out requests.
Week 2: Submit opt-out requests for people search sites. Most require you to locate the specific URL of your profile and submit it through their opt-out form. Use a dedicated email address for confirmations—you'll get dozens of automated messages, and you want them separated from your regular inbox. Some sites ask you to verify the request by clicking a link in the confirmation email, so monitor that inbox.
Week 3-4: Follow up on requests that weren't processed and address sites that require written verification. Brokers like LexisNexis and CoreLogic need signed forms and identity documents. Send these via certified mail if you want delivery confirmation, though standard mail usually works.
Week 5-6: Re-check your listings. Many will be removed, but some sites re-populate data from partner sources or require multiple removal requests. Submit second-round opt-outs for any profiles that reappeared or weren't processed the first time.
The pattern I see most often: people start this process with energy, submit requests to 10-15 sites, then stop when they realize how many brokers exist and how often information reappears. Persistence matters more than perfection. Removing your data from the 20 most visible sites eliminates 80% of the casual exposure risk.
Speaking on Privacy and Data Governance
Carl delivers keynotes on privacy compliance, data governance, and the practical challenges of protecting personal information in regulated industries. His presentations are built on real implementation experience, not vendor narratives.
Book Carl to SpeakPaid Removal Services: Are They Worth It?
Several companies offer subscription services that automate data broker opt out requests on your behalf. The major ones are DeleteMe, Kanary, Privacy Bee, and Optery. They charge $100-$300 per year and promise to monitor dozens of data broker sites, submit removal requests, and handle follow-ups.
The value proposition is time savings. Instead of spending 15-20 hours yourself, you pay someone else to do it. For executives, high-profile professionals, or anyone whose time is worth more than $15 per hour, the math works. For organizations looking to protect senior leadership from doxing and harassment, these services are a reasonable control. I discuss broader strategies in my guide on executive privacy protection.
What These Services Actually Do
Paid removal services maintain lists of data brokers and people search sites, monitor them for your information, and submit opt-out requests when they find it. Most provide quarterly or monthly reports showing which sites had your data and which removals succeeded.
They have advantages that individual users don't:
- Established relationships with major brokers, sometimes including bulk removal processes not available to consumers
- Automated monitoring that catches new listings within days rather than months
- Dedicated staff who understand each broker's specific opt-out requirements and quirks
- Persistent follow-up on requests that fail or sites that re-list information
But they have limitations. They can only submit opt-out requests under existing privacy laws—they can't force brokers to comply faster than legally required. They typically cover 30-80 sites, not the hundreds of smaller brokers that exist. And they can't prevent your information from entering broker databases in the first place; they're reactive, not preventive.
Which Service to Choose
DeleteMe is the most established, with consistent coverage and reporting. They monitor approximately 30 major sites and provide detailed removal reports. Annual subscription runs around $130 for one person.
Kanary offers broader coverage (50+ sites) and includes dark web monitoring for leaked credentials. Pricing is similar but includes more comprehensive identity monitoring features. Better for executives or anyone with elevated risk.
Privacy Bee focuses on exercising privacy rights beyond just opt-outs, including data access requests and do-not-sell requests under CCPA. Useful if you want to see what data brokers actually have, not just remove it.
Optery provides tiered pricing based on coverage—their basic plan covers major sites, while premium tiers extend to 100+ brokers. Good option if you want to start small and expand.
My assessment: if you're doing this for personal privacy and your threat model is "I don't want my home address easily findable," start with DeleteMe or Optery's basic tier. If you're protecting executives or individuals with genuine security concerns, use Kanary or Optery's premium service. If you want maximum control and transparency about what data exists, use Privacy Bee.
Opting Out Under State Privacy Laws
The data broker opt out rights that exist today come from state privacy laws, primarily California's CCPA and CPRA, but increasingly from laws in Virginia, Colorado, Connecticut, and other states. Understanding what these laws actually require helps calibrate your expectations about what's possible.
Under CCPA, consumers have the right to request that businesses delete their personal information. Data brokers are required to comply within 45 days. But the law includes exceptions: they can refuse deletion if they need the data to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech rights. In practice, most people search sites comply because the cost of storing your data is low and the reputational cost of refusing deletion is high. Commercial data brokers that sell only to businesses sometimes resist, citing legitimate business purposes.
The CPRA, which went into effect in 2023, strengthened consumer rights and created the California Privacy Protection Agency to enforce them. It introduced the concept of "sensitive personal information"—including precise geolocation, Social Security numbers, and health data—and gave consumers the right to limit its use. For more context on how CCPA evolved into CPRA, see my breakdown of CCPA vs CPRA differences.
Other states have followed California's model with variations. Virginia's CDPA, Colorado's CPA, and Connecticut's CTDPA all provide deletion rights, but with different scopes and exceptions. The patchwork creates complexity for data brokers operating nationally—they need to handle requests differently depending on the requester's state of residence.
How to Exercise Your Rights
Most data brokers now have "Do Not Sell My Personal Information" links in their website footers, required by CCPA. These typically lead to opt-out forms or email addresses where you can submit requests. For brokers without visible opt-out mechanisms, send a written request to their privacy contact, citing your rights under the applicable state law.
Include your full name, current address, previous addresses if you've moved recently, email address, and phone number. Yes, you need to provide personal information to request deletion of personal information. The broker needs to verify your identity before processing the request—otherwise anyone could request deletion of anyone else's data. Some brokers accept requests with minimal verification, others require driver's license copies or utility bills. The more sensitive the data they hold, the more verification they typically require.
Keep records of your requests and their responses. If a broker refuses or ignores your request, file a complaint with your state attorney general or privacy regulator. Enforcement is inconsistent, but regulators do investigate patterns of non-compliance.
For a broader overview of how state privacy laws work and which states have them, see my guide to U.S. state privacy laws in 2026.
Privacy Compliance Keynotes for Your Conference
Carl speaks on GDPR, CCPA, state privacy laws, and the practical realities of data governance at industry conferences and corporate events. See all keynote speaking topics or reach out about your event.
Book Carl for Your EventMaintaining Your Opt-Out Posture Over Time
Data broker opt out isn't a one-time event. Information re-enters broker databases continuously as public records update, companies sell customer lists, and brokers share data with each other. Maintaining an opt-out posture requires periodic re-checking and re-submission.
Set a calendar reminder every six months to search for yourself on major people search sites. Use the same search terms you used initially: name variations, addresses, phone numbers, email addresses. Check the top 10-15 sites where your information previously appeared. If new listings show up, submit fresh opt-out requests.
This is where paid services provide the most value—they automate the monitoring and re-submission. If you're doing it manually, six-month intervals catch most re-listings before they've been live long enough to spread. Quarterly checks are better if you have elevated privacy concerns.
Preventing New Data from Entering Broker Systems
Opt-out requests remove existing data but don't prevent new data from being collected. Reducing the flow of information into broker databases requires changing behavior:
Use a P.O. box or commercial mail receiving agency (CMRA) for online purchases and account registrations. Your residential address won't appear in merchant databases or shipping records that brokers purchase.
Opt out of data sharing at the point of collection. When registering for accounts, check privacy policies for opt-out instructions. Many companies sell customer lists to brokers unless you explicitly object.
Limit social media exposure. Remove or lock down posts containing location check-ins, employer information, and family details. Brokers scrape social media to enhance their profiles.
Use privacy-focused services where possible. Email providers that don't scan messages for advertising, browsers that block trackers by default, VPNs that hide your IP address—these reduce the volume of behavioral data that flows to analytics brokers. I cover these techniques in detail in my guide on how to protect your privacy online.
Consider voter registration privacy programs. Many states allow domestic violence survivors, law enforcement officers, and judges to use confidential address programs that shield their residential addresses from public voter rolls. Eligibility is limited, but if you qualify, it eliminates a major source of address information.
None of these measures are absolute. Public records still exist, commercial transactions still generate data trails, and determined investigators can still find information. But you're not trying to achieve perfect anonymity—you're raising the cost and effort required to compile a detailed profile. Casual exposure through people search sites is easy to address. Sophisticated targeting is harder, and may require legal intervention or professional security services.
When Data Broker Opt Out Matters for Organizations
Most discussions of data broker opt out focus on individual privacy, but organizations have reasons to care about employee and executive exposure in broker databases.
Executive protection: C-suite leaders, board members, and high-profile employees are targets for harassment, social engineering, and physical security threats. Their home addresses, family details, and personal phone numbers appearing in people search sites create attack surfaces. Organizations with mature security programs often cover the cost of paid removal services for executives as a standard benefit. This isn't paranoia—I've seen cases where activist investors or disgruntled former employees used broker data to locate and harass executives at home.
Mergers and acquisitions: M&A activity generates public filings that data brokers quickly index. Executive movements, new entity registrations, and property transactions all signal deals in progress. Sensitive negotiations benefit from minimizing the information available through commercial searches.
Compliance and regulatory risk: Organizations in regulated industries handle sensitive employee data—Social Security numbers, health information, financial details. If that data leaks and ends up in broker databases, the organization faces HIPAA, GDPR, or state privacy law violations. Monitoring for employee data in people search sites provides an early warning system for breaches or insider threats.
Recruitment and retention: Offering data broker removal as an employee benefit signals that the organization takes privacy seriously. This matters in industries where employees handle classified information, sensitive client data, or work in roles that attract public scrutiny. Defense contractors, healthcare organizations, and financial institutions increasingly include privacy protection in executive compensation packages.
Building Organizational Policy Around Data Broker Exposure
Organizations that take this seriously establish policies covering:
- Which roles qualify for company-paid removal services (typically C-suite, board members, security personnel, and employees with classified clearances)
- Whether to offer voluntary opt-out support for all employees through self-service tools or reimbursement programs
- How to handle situations where employee data appears in broker databases unexpectedly, which may signal a data breach or unauthorized disclosure
- Training for executives and high-risk employees on privacy hygiene: using separate contact information for public-facing activities, limiting social media exposure, understanding how public records create exposure
For organizations with formal privacy programs, data broker monitoring can be integrated into broader privacy impact assessments and data governance frameworks. If you're building privacy infrastructure from scratch, this is secondary to core compliance requirements—get GDPR, CCPA, or sector-specific regulations handled first, then address broker exposure as a residual risk. Context on building comprehensive privacy programs is available in my overview of GDPR compliance for U.S. companies.
The Limits of Opt-Out: What It Doesn't Solve
Data broker opt out addresses one category of privacy exposure: information compiled from public records and commercial sources and resold through searchable databases. It doesn't solve broader privacy problems.
It doesn't remove your information from the original sources. Property records, voter registration, court filings, and corporate registrations remain public. Anyone can still find this information by going to county recorders' offices or state databases. Opt-out only removes it from aggregated, searchable indexes that make it convenient to find.
It doesn't stop companies you do business with from collecting and using your data. Your bank, health insurer, employer, and online retailers all maintain detailed records of your activity. Opt-out rights under privacy laws let you request deletion, but most companies have legitimate business reasons to retain customer data, and they'll cite those reasons to refuse deletion.
It doesn't protect you from data breaches. When companies suffer security incidents and customer databases leak, that information circulates in criminal forums and eventually makes its way to brokers who specialize in "alternative data sources." Opt-out requests to mainstream brokers don't reach underground markets.
It doesn't stop government surveillance. Law enforcement and intelligence agencies access commercial data broker information through contracts and subpoenas. Even if you've opted out of consumer-facing sites, government agencies can still access broker data through business-to-business channels.
The value of data broker opt out is narrow but real: it makes casual searches less productive. Someone Googling your name won't immediately find your home address, phone number, and list of relatives. That's worth the effort for most people, and critical for anyone with genuine security or harassment concerns. But it's not comprehensive privacy protection—it's one control among many that need to be layered together.
Strategic Implications: Privacy as a Continuous Process
The deeper lesson from data broker opt out is that privacy requires ongoing effort. It's not a state you achieve and maintain; it's a posture you actively sustain against continuous pressure.
This mirrors what I see in regulatory compliance: organizations that treat compliance as a project fail when regulations change or auditors ask unexpected questions. Organizations that treat it as a program—with defined processes, assigned accountability, and continuous monitoring—succeed because they're built to adapt. Privacy works the same way.
For individuals, this means accepting that perfect privacy is unachievable and expensive, then deciding which exposures matter most and addressing those. For most people, that's people search sites and a few major brokers. For high-risk individuals, it's paid monitoring services and behavioral changes that reduce data generation. For everyone, it's periodic re-checking and willingness to repeat the process.
For organizations, it means integrating data broker monitoring into existing security and compliance programs rather than treating it as a separate initiative. Executive protection, insider threat detection, and privacy compliance all benefit from knowing what employee and leadership data is publicly available. The investment is small relative to the risk reduction, particularly for organizations in regulated industries or with high-profile leadership.
The vendors selling privacy services want you to believe that you can buy your way to comprehensive protection. You can't. The legal frameworks regulating data brokers want you to believe that opt-out rights solve the problem. They don't. What works is understanding the specific exposure you face, addressing the highest-priority risks, and accepting that you'll need to revisit this periodically as circumstances change. That's less satisfying than a definitive solution, but it's what actually works in practice.