Tracking the surveillance and information practices of data brokers: A systematic review
About the project
Data brokering is a multibillion-dollar industry comprising thousands of companies specializing in collecting and analyzing consumer data. The Federal Trade Commission in the United States defines data brokers as “companies that collect personal information about consumers from a variety of public and non-public sources and resell the information to other companies” (Federal Trade Commission, 2012). There are many buyers of this data. Retail companies rely on information collected by data brokers to create targeted advertisements to boost sales. Political campaign teams use data broker insights to make predictions about and influence voter behaviour. Beyond the private sector, data brokers partner with the Social Security Administration and Departments of Justice, Homeland Security and State (U.S. Government Accountability Office, 2006).
In this systematic review, we examine literature on data brokers and related issues such as methods of surveillance, privacy concerns and government regulations. Following PRISMA guidelines, we conducted a literature search on ProQuest, Web of Science, Google Scholar, IEEE Xplore and JSTOR databases considering all articles published until May 31, 2023. Of 135 articles, 110 met the necessary conditions for further review. This review explores the information-gathering and surveillance practices of data brokers, as well as laws affecting them and recommendations for modifying the current framework. This knowledge will be valuable for informing designs of future research on data brokers and marginalization. We also provide a number of remedies or policy options that should be brought into effect.
Key findings
According to 2020 research by the NATO Strategic Communications Centre of Excellence, there are around 5,000 data brokers worldwide, forming an industry of around $178 billion in revenue (Baccaro, 2021). Data brokers earn money from a variety of sources. They typically offer pre-packaged databases of information to potential buyers (Sherman, 2021). Products are sold in three broad categories: marketing, risk mitigation and people searches (Neally, 2019). Clients use risk-mitigation products to verify customer information through a data broker to prevent fraud (Neally, 2019). Whenever a person attempts to search for themselves, a friend, a neighbour or a business, they are attempting to access a data broker’s ‘people search’ product to find personal information (Neally, 2019). Marketing products are the most well-known products of data brokers and are used to create tailored messages for a client’s consumers (Neally, 2019). Data brokers also earn revenue from brokerage fees and/or any value-added services of data analysis and data management (Oh et al., 2021).
Multiple forms of sensitive data, including location, communications, biometric and license plate reader data, are sold by data brokers to law enforcement and intelligence agencies, and the practice is on the rise, with multiple agencies spending upwards of tens of millions of dollars on multi-year contracts (Shenkman et al., 2022). Many industries, from health insurance and life insurance to banking and e-commerce, purchase data from data brokers to run advertisements and target services (Sherman, 2021).
The practice of data brokerage is secretive and there is often no way to appeal incorrect information (Wayne, 2012). In most cases, individuals can opt out from each data broker. This, however, requires a significant amount of time and gives limited certainty that data has been effectively deleted (Reviglio, 2022). Data brokers often do not give clear guidance on how to opt out of data collection, correct any inaccurate data or delete data.
In the only study that interviewed data brokers, Kim (2023) found that data brokers were highly suspicious of the author’s research inquiries. Crain (2018) argues that data brokers and online advertisers have formed lobby groups and trade groups to deter regulation of any kind (p. 95). As Reviglio (2022) notes, big data and big tech lobby groups have fought against such legislation, often gutting sections of proposed bills.
Policy implications
There should be a restriction on the purchase of personally identifiable information. There is currently no legal regime that prevents brokers from sharing data with other companies and entities. An array of entities, from political campaigns to antivirus companies, buy data from and sell data to brokers. Laws that restrict the purchase of data from data brokers should be implemented. Currently, there are no international laws governing data brokers. Although organizations like the International Association of Privacy Professionals (IAPP), IARC Data Protection Policy and the UN Principles on Personal Data Protection and Privacy provide privacy best practices, data brokers are not obligated to follow them.
There should be an independent body dedicated to regulating data brokers. Further, there should be a law ensuring transparency in data procurement and transfers. Data is exchanged between many data brokers, making accountability challenging. Intermediaries like web browsers, Internet service providers and web servers can also play a role in regulating data brokers. Browsers have moved to increase users’ privacy by limiting the cookies that third parties collect. This initiative shields users from inadvertent exposure. It is advisable to implement a regulatory mandate that addresses not only data brokers but also intermediary browsers like Chrome, Firefox and Safari.
Further information
Read the full report (PDF document, 1.7 Mb)
Contact the researchers
- Dr. Kevin Walby, Department of Criminal Justice, University of Winnipeg: k.walby@uwinnipeg.ca