Going about your daily business—shopping online, buying a home, getting married, using a search engine, liking a Facebook page, registering to vote—leaves an enormous paper trail, and data brokers are scooping it up.

Data brokers are entities that collect information about consumers, and then sell that data (or analytic scores, or classifications made based on that data) to other data brokers, companies, and/or individuals. These data brokers do not have a direct relationship with the people they're collecting data on, so most people aren't even aware that the data is even being collected.

"Most have no idea who these companies are and how they got their data on them, and they would be very surprised to know the intimate details that these companies have collected on people," said Amul Kalia, an analyst and intake coordinator at the Electronic Frontier Foundation (an organization I’ve written for in the past).

Even when consumers are aware of both the existence of data brokers and the extent of data collected, it's difficult to determine which data they can control. For example, some data brokers might allow users to remove raw data, but not the inferences derived from it, making it difficult for consumers to know how they have been categorized. Some data brokers store all data indefinitely, even if it is later amended. The industry is incredibly opaque, and data brokers have no real incentive to interact with the people whose data they are collecting, analyzing, and sharing.

Let’s take a deep dive into the shadowy world of data brokers, what kind of information they collect, and some options you have for minimizing the dissemination of that information. If you want to skip to the part where you can do something about this, check out our Big Ass Data Broker Opt-Out List.

Types of data brokers and the threats they pose to users

The data broker industry is generally divided into three categories. There are people search sites, where users can input a piece of data, such as a person’s name (or a phone number, city/state, email address, social security number, etc.) and get personal information on that person either for free or for a small fee. Information can include aliases, birthdates, interests and affiliations, addresses and address history, education information, employment details, information on marriage, divorce, bankruptcy, etc., social media profiles, property records, and details on relatives. These people search sites include places like Spokeo, PeekYou, PeopleSmart, Pipl, and many more. These sites can be used to research people and find old friends to send them postcards. Because they give access to addresses, court records, and other information people would rather keep private, they can also be used for doxing.

There are data brokers that focus on marketing, such as Datalogix (owned by Oracle), or divisions or subsidiaries of companies like Experian and Equifax. They develop dossiers on individuals which can be used to tailor marketing. Data brokers typically place consumers in categories based on their age, ethnicity, education level, income, number of children, and interests. Companies purchase lists of names, email addresses, interests and offline activity to assist in soliciting or marketing to those individuals. These sites can be used to better tailor marketing, offering consumers great deals or personally tailored discounts or coupons.

But the information can also be used to put people in high-risk classifications based on their search history or to advertise high-interest loans to them rather than low-interest ones for which they’d qualify. For example, searching specific medical conditions such as heart disease or diabetes could be added to your digital biography. Even seemingly innocuous information, like looking at motorcycles or researching diabetes for oneself or a friend—might mean that insurance companies would consider you more likely to engage in risky behavior, according to the FTC. In some cases, these classifications may be based on inaccurate information—and there’s no easy process for consumers to access information, correct it, or remove it.

Lastly, there are data brokers such as ID Analytics that offer risk mitigation products to verify identities and help detect fraud. These are typically the least troublesome to consumers, unless, of course, the information is inaccurate—in which case, it may be difficult to correct. For example, a lender might use a risk mitigation product to determine whether a Social Security number is associated with a deceased person, or whether a mailing address used has been associated with fraud. This can be useful for detecting fraud, but can also stop consumers who happen to have a matching address but are not committing fraud from being able to complete a transaction.

Other threats

In addition to the threats listed above, the information collected on individuals can be used in various other nefarious ways, such as to facilitate identity theft.

“If you can get information on someone online, you might be able to impersonate them or use their credit history, or perhaps get into a password protected website if you can answer security questions about people,” said Paul Stephens, Director of Policy and Advocacy at Privacy Rights Clearinghouse.

Then, of course, information on people search sites can be used nefariously. “It certainly can be used by stalkers to find out the address of someone; it can be used by someone who wants to harass you by phone if they’re able to get your phone number.”

Additionally, companies scooping up tons of data on individuals are vulnerable to security breaches, so the information they’re collecting has ended up in the wrong hands. In addition to the Equifax breach, which affected more than 145 million people, Acxiom was hacked in 2003, and over 1.6 billion records (including names, addresses, and email addresses) were stolen, and some were sold to spammers. Epsilon was hacked in 2011, exposing names and email addresses of millions of people on email marketing lists who were then subject to spam as well as spear phishing attempts. LexisNexis’ parent company RELX has been breached multiple times, exposing social security numbers, mailing addresses, and driver’s license data. In 2015, 15 million records belonging to T-Mobile but stored on Experian’s servers were accessed.

Where do data brokers get your data?

Data brokers collect information from public records, such as property records, court records, driver’s license and motor vehicle records, Census data, birth certificates, marriage licenses, divorce records, state professional and recreational license records, voter registration information, bankruptcy records, etc.

They also collect or buy information from commercial sources, scooping up people’s purchase histories (along with the dates, dollar amounts, payment used, loyalty cards, coupons used, etc.) as well as warranty registration information, etc. from retailers and catalog companies.

Data brokers also collect information from social media sites, web browsing activity, quiz apps, media reports, websites, and other publicly available sources. And, of course, they also exchange or purchase information from one another, and then merge the data with their own records.

Is this even legal?

“There’s nothing unlawful about posting this information online,” said Stephens. “You have to draw a distinction between the data broker and a credit reporting or consumer reporting agency, and that really depends on how the information is used.” The use of consumer reports for credit, insurance, or employment purposes (including background checks) are regulated under the Fair Credit Reporting Act (FCRA), which was passed in 1970, is the law that allows you to access and correct errors in your credit report. It also means that users of consumer reports can only access that information in certain circumstances. For example, employers using consumer reports to screen employees or job applicants must get written permission and explain how they plan to use the report.

Read more: The Motherboard Guide to Not Getting Hacked

But data brokers that aren’t considered consumer reporting agencies aren’t regulated in the same way. People search sites often instruct users to not use the data as a proxy for a traditional credit check (for decisions about credit, housing, employment, insurance, etc.), though whether or not users of sites not regulated by FCRA actually utilize those sites for those purposes, and how often that happens, is difficult to determine.

Griffin Boyce, a system administrator at Berkman Klein Center for Internet & Society at Harvard University, received several hundred dollars in a class action lawsuit settlement from LexisNexis, a corporation that provides business research and risk management services, after trying and failing to fix false information in its records. In 2012, people search site Spokeo paid $800,000 to settle FTC charges that it sold information to human resources, recruiting, and background screening companies without complying with the FCRA.

Meanwhile, another lawsuit against Spokeo is playing out in court. In 2011, a Virginia resident named Thomas Robins accused Spokeo of selling inaccurate information about him, which incorrectly stated he was in his 50s, married, employed in a professional or technical field, and that he had children, none of which was true. Robbins alleged that Spokeo was in violation of federal law by not making reasonable attempts to confirm the information before selling it to third parties. He said that he may have lost job opportunities as a result.

The initial complaint was tossed out by a district judge because Robins didn’t show he’d experienced harm, but he appealed to the 9th Circuit Court of Appeals, and the lawsuit was reinstated. The US Supreme Court ruled 6-2 that Robins must show real harm for the lawsuit to proceed. The 9th Circuit ruled that his alleged injuries were sufficient to merit a lawsuit. Robins’ attorney is seeking class-action status for the lawsuit.

In addition to FCRA regulations, there’s Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices. “The mere existence of the site is not necessarily a violation,” explains Tiffany George, a senior staff attorney in the FTC’s Division of Privacy and Identity Protection. The site needs to make misleading statements or commit an act that causes injury to consumers.

In May 2014, the Federal Trade Commission released a 110-page report on data brokers, which included the results of its in-depth study on nine of them in order to shed light on the industry and its practices. “Congress has not passed comprehensive data broker legislation since then,” confirmed Kalia. “The report was good. It had a lot of great recommendations, but unfortunately, our legislature didn’t actually follow them.” Among other things, the recommendations including legislation requiring consumer-facing entities to disclose that they share data with brokers, and allow them to opt out. It also recommended data brokers to create a centralized mechanism, such as a portal, to provide consumers access to their data and the ability to opt out of that data being shared for marketing purposes. It also recommended that Congress consider requiring data brokers to clearly disclose the names and categories of sources of their data, and that data brokers disclose that they not only use raw data but also make inferences based on some of the elements of data collected.

“In a lot of ways there are parallels with the 2017 Equifax data breach because Equifax also aggregates consumer data and you would have thought that would have provided sufficient incentive for Congress to do something about it, but they have actually not done that either,” Kalia adds.

Kalia points out that election campaigns, especially at the federal level, use information from data broker companies to determine to whom to target ads. "We rely on our politicians to think of a way to regulate this industry, but at the same time our politicians are some of the customers of this data broker industry and stand to benefit from their deregulated nature," he said.

That said, Kalia believes that approaching the issue locally may be fruitful. For example, he testified in front of a committee put together by the Vermont Attorney General, since the legislature is looking at regulating the data broker industry.

For now, it is possible for some consumers to opt out of some sites, but the process is time-consuming, difficult, and needs to be regularly repeated because data brokers will just add you again. Some pull data from other sites and update automatically. And then there are data brokers who don’t remove information even when asked.

“One of the reasons that we recommended legislation in our data broker report and one of the things that we note in our data broker report is that there’s a proliferation of these data brokers, and there’s no central source or mechanism for consumers to be able to find out about them or find out what they can do to protect themselves or remove their information, so we recommended that Congress enact legislation for such centralized mechanism for consumers to find out that information,” said George.

She found that sites allowing consumers to opt out may require them to submit identifying information, but variations of her name continued to proliferate, requiring multiple opt-out requests. “A part of our legislative recommendations, we recommended that Congress enact legislation that would require data brokers to be transparent about any limitations of the opt-outs that they may provide to consumers,” she said.

What you can do about it?

Experts agree that opting out might be a good use of time to remove information from people search sites. Some, but not all, of these sites do allow people the opportunity to opt out. But you can’t opt out just once. “A lot of the time these processes are automated, so even if you opt out of the system now they get data again from another source and then your information will be back up on the system,” said Kalia.

Not only does opting out not always work, it can be difficult and complicated, too. Some sites offer a simple and transparent opt-out process, but others don’t allow removal at all. In between those two extremes, some sites require users to jump through many hoops by making phone calls, sending information by mail or fax, or opting out twice on the same page.

Some require users to provide additional information to let them opt out. “For example, a site like Radaris won’t let you remove the information but will give you the chance to ‘control’ the information. But what controlling really means is that you can hide some of the information but not all of it, and you sign up on this website and give them more information than they had previously,” said Joe Sutton, head of DeleteMe at Abine. (Radaris did not respond to request for comment.) DeleteMe is a paid subscription service that removes user’s information from people search sites. It’s a good option for people wanting to remove their information from data broker sites, but still isn’t a catch-all because it is not comprehensive.

If a consumer submits identifying information in an opt-out request that varies from the identifying information in the data broker’s records, the opt-out may not capture all of those records. As a result, consumers may find themselves having to submit many opt-out requests to the same data broker again and again.

So, opting out is best done early and often. “Waiting until you’re targeted by creeps is a bad idea. There are lots of proactive steps people can take to protect themselves, and it only takes two hours a year to maintain,” said Boyce. “The first time I did this, it took about two to four hours. I used to check the most common sites every quarter, but now I do it every six to 12 months. For someone in the public eye, like a celebrity, doing a quick search once a month is not a bad idea. These companies merge and spin off on a regular basis.”

You can subscribe to services such as DeleteMe that offer this type of protection. However, information automatically added from other sites can re-proliferate, and some data brokers only respond to removal requests from the affected person directly, so even if you go with a paid option, you’ll want to hit the sites for which DeleteMe and other removal services don’t do data removal.

Opting out of marketing sites

If your primary concern is making sure that data brokers don’t share intimate information about your financial problems, pregnancy, and obsession with Elvis memorabilia, that can be even trickier, explains Kalia.

“A lot of the times the outputs that the data broker industry offers are not actually very effective," he said. "They will still hold onto that data and contain that data on you. It might be suppressed, which varies from data broker to data broker, and it’s not actually the equivalent of, ‘Okay now we’ll stop collecting data on you because you opted out of our system.’”

There are some strategies to safeguard personal information. Web developer and online security researcher Tony Webster points out that some state motor vehicle departments offer privacy options (though in some states they are limited to victims of identity theft or violent crimes) and that home or cell phone companies may allow users to opt out of directory information sharing and remove numbers from outbound caller ID. He also recommends opting out of pre-shared offers of credit and looking into adding a security freeze to credit reports.

“Companies can give credit bureaus a profile of consumers they're looking for—such as a credit score in a certain range, consumers who live in a certain area, or consumers with student loans—and the credit bureaus will happily sell the personal information of anyone matching that profile, as long as the company said they desire to offer them credit," he said. "It's why you receive credit card offers in the mail. But credit bureaus don't do a good enough job of ensuring the companies obtaining this information are legitimate financial institutions.”

Griffin echoes the recommendation to opt out of pre-approved credit offers. Doing so can help prevent people from stealing your mail and activating credit cards, and it also limits sharing and selling of data to some extent.

“People who've opted-out are typically removed from an entire marketing campaign. When the personal data for that campaign is shared or sold, the opted-out individuals wouldn’t be in that data set,” he said. “A rogue dataset replicates like a virus. A company builds it, expands upon it, and tries to make a marketable profile from it. Then they sell it to someone else. And in the case of a corporate bankruptcy, the business itself typically doesn’t have a say in whether this data is sold. Because in the eyes of the law, your personal data is a sellable asset.”

Freezing credit

A credit freeze restricts access to your credit report, primarily to existing creditors or debt collectors acting on their behalf, and to government agencies responding to subpoenas, warrants, or court/administrative orders. Restricted access makes it difficult for identity thieves to open accounts in your name, because most creditors will want to see this credit report before opening a new account.

“People that are concerned about their privacy should exercise every option that they have. Everyone has to make that determination for themselves as to how far they want to go but certainly in this day and age with all the data breaches, freezing credit is a very good thing to do because it’s probably the most effective way to prevent you from becoming a victim of identity theft,” said Stephens.

The downside of freezing your credit is that it can be a bit of a hassle to temporarily lift the freeze if, for example, you need your credit checked to rent a new apartment (or for any other reason). You’ll need to figure out which credit bureau its using, remember a pin number, and possibly pay a fee. “There is that nuisance factor, but certainly it’s a very effective way to prevent identity theft,” Stephens said.

Stop giving out information

Making your social media information public makes it vulnerable to collection from data brokers, so it can be useful to make accounts accessible only to friends and family. Locking down social media sites and avoiding online quiz apps are good ways to keep data brokers from scooping up data.

Webster further recommends exercising common sense online. “Your date of birth is frequently used as an identifier or security question, so consider not posting a photo of your birthday night celebration on Twitter,” he says. But while making locking down accounts and not putting your data of birth on social media or making can prevent some of these problems, ultimately the only way to prevent your social media information getting scooped up is not to have social media.

Even if you do that, data brokers still collect data from other sources. It’s not only locking down your social media, but also not giving your information out in the first place. Once your information is out there, you can’t get it back, because once one data broker gets your information because you’ve inadvertently disclosed it, there’s really no way to get it back,” said Stephens.

For those willing to go through the effort, the best thing is to be proactive and not give out your information to anybody unless you know that the business is committed to their privacy policy to not selling it to anybody. If you move, that’s your perfect opportunity—you now have a new address that might not appear in the data broker index, and you can opt for a P.O. Box or a mail forwarding service. “Before you give your information to anybody, think to yourself, do they really need this information and what are they going to do with this information,” said Stephens.

File a complaint

Finally, if you come across data broker sites that are behaving unscrupulously, consider filing a complaint with the FTC, as Abine did about BeenVerified in 2012.

“Consumers can file a complaint with the FTC for any practices that a company is engaged in that they feel are unfair or harming them. It goes into our complaint database which is available not only to us but to other law enforcement, and we use that information to inform our investigations as well as our policy work or other work,” said George.