Data Brokers: Who Has Your Email and How to Opt Out

What a data broker actually is

A data broker collects personal information and sells it to third parties you have no relationship with. The category covers two broad types. Marketing and identity brokers (think Acxiom, LiveRamp, Oracle, Epsilon) build advertising and identity-resolution profiles. People-search sites (Spokeo, Whitepages, BeenVerified, Intelius and the rest) repackage public and purchased records into a search box where anyone can look you up by name.

The scale is hard to picture until you see the numbers regulators have pulled out of these companies. In its landmark 2014 study, the Federal Trade Commission examined nine brokers (Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future) and found that one held data on more than 1.4 billion consumer transactions and over 700 billion data elements, while another added more than 3 billion new data points every month. Around the same period, an FTC commissioner described Acxiom alone as holding information on about 700 million active consumers worldwide, with some 1,500 data points per person.

That study is now over a decade old; the databases have only grown since. The discomfort is widespread, too. Pew Research found that 68% of Americans are concerned about how companies use their data.

How brokers got your email in the first place

Your address rarely arrives at a broker through one dramatic leak. It accumulates from ordinary, mostly-legal sources, which is exactly why it is hard to claw back.

• Public and government records supply a steady feed: voter files, property and deed transfers, court filings, business registrations, and professional licenses, some of which carry contact details.
• Commercial transactions add more, including loyalty programs, warranty cards, online purchases, subscriptions, and sweepstakes entries, where the fine print often grants the right to share what you typed in.
• Partner "data sharing" moves identifiers between companies through marketing agreements buried in privacy policies, app SDKs, tracking pixels, and cookie syncing.
• Broker-to-broker sales spread it further: once one broker has your email, it becomes a product that other brokers buy, so a single exposure propagates.
• Breaches round out the picture. When a service you signed up for is compromised, the leaked list is a ready-made enrichment source. Have I Been Pwned now tracks more than 17.5 billion compromised accounts.

A practical takeaway falls out of that list: the address you reuse everywhere is the one that ties the profile together. The address you use once and discard does not.

Your legal right to be deleted (CCPA and GDPR)

Two laws do most of the heavy lifting for opt-out requests, and citing them in writing tends to get a faster, more complete response than a polite ask.

California: the CCPA

The California Consumer Privacy Act gives residents the right to request deletion of personal information a business collected and to opt out of its sale or sharing. Businesses must respond within 45 calendar days, extendable by another 45 (90 days total) if they notify you. When you file, state plainly that you are exercising your CCPA right to delete and to opt out of sale.

European Union / UK: GDPR Article 17

If you are in the EU or UK, GDPR Article 17, the "right to erasure," lets you obtain erasure of your personal data without undue delay. The controller must tell you what action it took, and in any event within one month of receiving the request under Article 12(3). Reference "Article 17" explicitly; brokers operating in Europe recognize the phrase.

These rights have teeth beyond paperwork. In 2024 the FTC brought its first-ever actions banning location brokers X-Mode Social and InMarket from selling precise location data, and later that year barred Gravy Analytics (Venntel) and Mobilewalla from selling location data on people visiting sensitive places such as reproductive-health clinics or places of worship. Other US states (Virginia, Colorado, Connecticut and more) have passed their own consumer-privacy laws with similar delete and opt-out rights; the mechanics differ, but the right to ask is broadly available.

The big shortcut: California's Delete Act and DROP

For years the honest answer to "can I opt out of every broker at once?" was no. California changed that. The Delete Act (SB 362) created the Delete Request and Opt-out Platform, or DROP, and the California Privacy Protection Agency confirms that as of January 1, 2026, California residents may use DROP to submit one request to all active data brokers.

The mechanism is the part that matters. Rather than you contacting each company, the system delivers your privacy instructions to every registered broker at once, and more than 500 brokers were registered in the state as of the end of 2025. It is also ongoing rather than one-and-done: under the regulations the CPPA approved, a broker that has received a deletion request must delete any new data it collects about that consumer every 45 days.

Two honest caveats. First, DROP only reaches brokers that register, and under-registration is a known weakness of these laws. Vermont, the first state to require registration, listed 257 registered brokers, a number experts consider low, and California itself had estimated roughly 1,000 brokers would register, far more than actually did. Second, DROP is a California-resident right. If you live elsewhere, the manual process below is still your path, backed by whatever state or national law applies to you.

How to opt out manually, step by step

Whether you are supplementing DROP or you live outside California, the manual route is straightforward but repetitive. Treat it as a project with a checklist.

1. Set up a dedicated opt-out address before you start. Confirmation links from brokers are themselves a signup, so do not use your primary inbox. A disposable address works for one-off confirmations; a permanent alias works if you want to track replies over weeks. Keep your real address out of the loop.
2. Build a tracking sheet with one row per broker, with columns for the opt-out URL, the date you filed, whether you got a confirmation, and your re-check date. You will not remember otherwise.
3. Start with the large marketing brokers. Their data feeds smaller ones, so removing yourself there has a cascade effect. Search "[broker name] opt out" or "do not sell my personal information" to find each company's current request form; URLs change often, so a fresh search beats a stale bookmark.
4. Work through the people-search sites next. These are what expose your name, address, and email to casual searchers. For each, find your own listing first, then submit the removal using its opt-out page; most email you a confirmation link you must click.
5. Invoke the law in the request by adding one line: "I am exercising my right to delete under the CCPA" (or "under GDPR Article 17"). It moves you from a courtesy request to a legal one with a response deadline.
6. Re-check on a schedule, because brokers re-acquire data from new sources, so a removal is rarely permanent. Re-run your searches every three to six months and resubmit where you reappear.

In our experience running a disposable-email service, the confirmation step is where people stall: the link lands in an inbox they have already abandoned. If you use a temporary address, extend its timer or keep the tab open until the confirmation arrives, which usually happens within seconds, then click it before the inbox expires.

When to pay a removal service instead

Doing this by hand across hundreds of brokers is a real time cost, and the maintenance never ends. Subscription services automate the searching, filing, and re-checking. They do not have magic access; they file the same opt-outs you would, just at scale and on a recurring sweep.

Two things to weigh before subscribing. A service that needs to find your listings necessarily processes your personal data to do its job, so read its own privacy terms. And no service covers every broker or replaces the legal rights above: California residents still get more reach from DROP, and a CCPA or GDPR letter is free. For a broader look at monitoring and identity tools, see our guide to identity protection services.

Prevention: keep your email out of the pipeline

Removal is cleanup. The cheaper, more durable move is to stop new data from entering. A broker cannot sell what it never receives, and the address that never enters a low-trust signup never becomes a row in anyone's database.

Use a disposable address for low-stakes signups

This is the single most effective prevention step, and it is the job a temporary inbox is built for. For a newsletter, a one-time download, a free trial, a contest, a forum, or a Wi-Fi portal, use a disposable email address instead of your real one. New mail appears in the inbox automatically within seconds, you read the code or click the link, and the address deletes itself on a short timer (with unlimited extension if you are still waiting). Because the address is discarded, it has nothing to enrich and no profile to join. Email-based fraud is not hypothetical, either: the FTC's Consumer Sentinel data showed email-related fraud reports up about 30% year over year, and every list your address sits on is one more place it can leak.

Reserve your real address for accounts that matter

Keep your primary email for banking, healthcare, government, employers, and two-factor recovery, meaning anything you must log back into. The fewer places your real address appears, the smaller your profile and the less there is to delete later.

Freeze your credit

A credit freeze blocks credit-based broker and lender access to your file. It is a free legal right under federal law, with bureaus required to place a freeze within one business day and you contacting each nationwide credit-reporting company separately. It will not pull you from marketing brokers, but it closes one of the more damaging downstream uses of your data.

Read the share line before you submit

Most data sharing is something you technically agreed to. Before a signup, skim for a "we may share your information with partners" clause; where there is a "do not sell my personal information" link, use it at the point of collection. For the full routine, see our guide to protecting your privacy online.