Part 1 traced who the data brokers are and how the dossier on you gets built. What happens to that dossier after it leaves the broker is the harder part of the picture: it gets sold into a U.S. national-security surveillance apparatus that did not have statutory authority to compel it, it leaks in breaches the centralization model cannot prevent, and it now bumps into a layered patchwork of regulation that is finally establishing a real compliance floor.
The broker economy has, in effect, become a load-bearing piece of the U.S. national-security surveillance apparatus. The breach record proves the industry cannot be trusted to hold what it has aggregated. And the laws that have caught up are mostly state, provincial, and executive — not federal — which means compliance now depends on knowing which jurisdiction you are in down to the operational layer.
How the Broker Dossier Became a Surveillance Pipeline
The Fourth Amendment generally requires a warrant before the government can compel a private actor to hand over information about you. The Electronic Communications Privacy Act of 1986 extended that protection to certain categories of electronic records. Both regimes share a structural assumption that is now almost completely broken: that the government would have to compel the data, because the data was held by an entity (a phone company, an ISP, a custodian) that wouldn’t otherwise sell it.
The data broker market does not require compulsion. Brokers will sell it. That has produced what civil-liberties groups now openly call the data broker loophole: the laws prohibit the government from forcing a primary custodian to disclose certain data, but they do not prohibit the government from buying the same data from a downstream broker who already legally obtained it. The Office of the Director of National Intelligence’s own January 2022 declassified report acknowledged that “Commercially Available Information” (CAI) had overtaken the IC’s existing policies, and that intelligence analysts were now leaning heavily on private sellers for credit histories, browsing logs, and continuous geolocation traces. In May 2024 ODNI issued a formal framework for IC use of CAI — which civil-liberties groups including EPIC and the Brennan Center immediately criticized for institutionalizing the loophole rather than closing it. The framework set cataloging and handling rules. It did not meaningfully restrict the categories of sensitive data the IC could buy.
The same dynamic operates at the domestic-law-enforcement level, and the contracts are more visible there. In 2021, U.S. Immigration and Customs Enforcement signed a roughly $16.8 million contract with LexisNexis Risk Solutions for direct access to LexisNexis’ Accurint Virtual Crime Center, which ingests records from over 10,000 distinct public and proprietary sources, and the company’s LexID identity-resolution system covering over 276 million U.S. consumer identities. Practically, that gave ICE agents one-screen access to utility bills, phone records, jail booking data via Insights Justice Intelligence, and credit-report data tied together by LexID — none of it obtained with a warrant, because none of it had to be. The Travel Intelligence Program operated by the Airlines Reporting Corporation works the same way: a billion-plus travel records compiled from major airlines, sold to CBP and ICE under terms that limit their ability to identify the source. Thomson Reuters’ CLEAR platform runs on the same playbook.
There is a separate, ethically distinct cost. Both LexisNexis and Thomson Reuters are also the dominant legal-research vendors in the United States and Canada — Westlaw and Lexis are the tools defense attorneys, public defenders, and immigration lawyers use to do their actual jobs. The same subscription fees a firm pays to research a client’s case help fund the development of the surveillance databases used to locate that client. The bar’s professional-conduct rules don’t have a clean answer for this; the law-review literature has taken to calling it the “professional paradox,” and there isn’t yet a good way out of it that doesn’t involve giving up the tools.
The downstream consequence isn’t theoretical. Investigations have found that since 2012, ICE has wrongfully detained more than 1,488 individuals, including U.S. citizens, on the basis of incomplete government records and bad commercial broker data. That figure is almost certainly low — it counts identified, documented cases, and there’s no reason to assume the universe of cases is fully visible — but even at face value it represents a high enough false-positive rate to make clear that treating broker inferences as actionable intelligence is operating with worse data than the people relying on it appear to believe.
The Military-Personnel Problem: What $10,000 Buys You
In late 2023, researchers at Duke University’s Sanford School of Public Policy published Data Brokers and the Sale of Data on U.S. Military Personnel — a methodologically straightforward study in which the team simply went and bought data from U.S. brokers using both a U.S.-based .org domain and a foreign-registered .asia domain.
The results, drawn from the study itself:
- The researchers found 7,728 hits for “military” and 6,776 hits for “veteran” across 533 broker sites.
- They purchased records on nearly 50,000 servicemembers for a little over $10,000 — pricing as low as $0.12 per record.
- The records included full legal names, home addresses, emails, phone numbers, ages, family composition (number and ages and sexes of children), homeowner status, net worth, credit ratings, occupations, education levels, religious affiliations, and health-related information.
- Brokers did not differentiate based on the location or domain of the purchaser. The
.asiadomain bought the same data as the.orgone, with the same absence of meaningful KYC.
A foreign intelligence service does not need to mount a cyber operation against U.S. defense systems to map a target population of servicemembers with financial vulnerability, family pressure points, and physical locations. It needs a credit card and a willingness to spend less than the cost of a used pickup truck. That single result has done more to move U.S. policy in this area than the previous decade of consumer-privacy advocacy combined.
The Breach Record: Why Centralization Is the Vulnerability
The structural argument against the broker model has always been that aggregating billions of records about hundreds of millions of people in one place creates an attack surface that no realistic security posture can defend in perpetuity. The empirical record is now severe enough that the structural argument has largely won.
National Public Data (2024). NPD was a Florida-based background-check broker operated by Jerico Pictures, Inc. that aggregated public-records and proprietary feeds into a centralized repository. In late 2023, threat actors quietly exfiltrated the database. In April 2024, an actor using the handle “USDoD” listed 2.9 billion records for sale on a darknet forum. In August 2024, large tranches of the data leaked freely onto the open web, forcing the company to acknowledge the breach. The exposed dataset included unencrypted Social Security numbers, names, mailing addresses, phone numbers, and email addresses for up to 170 million individuals across the U.S., U.K., and Canada. The forensic post-mortems consistently flagged the same pattern: extraordinary volumes of sensitive data with no encryption at rest and inadequate access controls. By the end of 2024 Jerico Pictures had filed for bankruptcy and shut down. The vast majority of victims had never knowingly engaged with NPD at any point in their lives.
Equifax (2017, ongoing). The structural negligence at NPD echoed the original Equifax breach of 2017 — itself a failure to patch a known vulnerability — which exposed the financial and personal data of roughly 147 million people. As late as November 2024, the FTC settlement administrator was still distributing compensation. Equifax operates simultaneously as one of the largest credit bureaus and one of the largest data brokers in North America. The fact that it remains a foundational piece of the consumer-credit infrastructure despite a breach of that magnitude, eight years on, is itself a comment on how little market discipline operates in this sector.
LexisNexis (2026). Earlier in 2026, the threat group calling itself “FulcrumSec” used credential stuffing plus targeted spear-phishing to compromise LexisNexis Risk Solutions and exfiltrate Social Security numbers, driver’s license numbers, bank account numbers, and legal case-file histories for roughly 364,000 people. The structural lesson is the same: the company most heavily integrated with ICE, federal agencies, and Fortune 500 risk teams was not, in the end, a hardened security target.
The shared vulnerability across these incidents isn’t sophisticated. It is the underlying decision to centralize. Once a broker has resolved hundreds of millions of identifiers into a single coherent graph, somebody will eventually get in. The only real question is whether what they take is encrypted, segmented, and minimal — and the record on those questions is poor.
The U.S. Regulatory Pushback
There is no comprehensive federal U.S. privacy law. The CFPB withdrew its proposed expansion of the Fair Credit Reporting Act in May 2025, removing what would have been the most direct federal lever over brokers. What exists instead is a layered patchwork — state laws, an executive order, a national-security statute, and an aggressive FTC posture — that has, taken together, started to bend the industry’s behavior.
California’s Delete Act and the DROP Platform
The structural problem with the consumer opt-out model is that it requires the consumer to identify and individually contact every broker holding their data — a logistical impossibility against a market with hundreds of registered brokers and thousands of unregistered ones. California’s Delete Act, signed in 2023, attacks the problem at the registry layer. The law tasked the California Privacy Protection Agency with building the Delete Request and Opt-Out Platform (DROP), a single state-hosted endpoint where a verified California resident submits one deletion request and every registered broker is legally required to honor it.
The operative dates and mechanics, per the CPPA and privacy.ca.gov:
- Consumers could begin registering on the DROP on January 1, 2026.
- Data brokers must access DROP at least once every 45 days and process deletion requests starting August 1, 2026. Deletion must propagate to the broker’s downstream service providers and contractors.
- After deletion, brokers must continuously suppress that consumer — they are not allowed to silently rebuild the profile from later ingest.
- The penalty for non-compliance is $200 per deletion request per day.
- Starting January 1, 2028, brokers must undergo an independent third-party compliance audit every three years.
The 2025 enforcement record is also relevant. By mid-2025, over 750 brokers had registered across state registries, but California demonstrated it was willing to pursue brokers that hadn’t — including formal action against Accurate Append, National Public Data (already collapsing), and Background Alert. The legislature has since refined the framework via SB 361 to demand more operational transparency around data sourcing and retention at annual registration.
The Fourth Amendment Is Not For Sale Act
This is the federal bill aimed directly at the surveillance loophole described above. It prohibits domestic law enforcement and intelligence agencies from buying data from third-party brokers if obtaining that same data directly from the primary custodian would require a warrant. It passed the House 219-199 in April 2024 — a real bipartisan coalition — but has stalled in the Senate, where defense and intelligence committees have been reluctant to give up agile, warrantless purchase authority under cover of FISA-related debates. As of mid-2026 it remains the most important pending federal bill on broker regulation, and it has not yet moved.
Executive Order 14117 and the DOJ Bulk Data Transfer Rule
Structurally, this is the most aggressive U.S. constraint on the broker market. President Biden signed Executive Order 14117 in February 2024. The implementing DOJ rule — the formal name is the Rule Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons — became effective April 8, 2025, with a 90-day initial grace period and additional compliance phase-ins running through 2025.
The rule treats six jurisdictions as “countries of concern” — China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela — plus entities or individuals controlled by those nations as “covered persons.” It then establishes hard numeric thresholds, measured over a 12-month trailing window, beyond which transfers of specific sensitive-data categories are either categorically prohibited or heavily restricted:
| Data Category | Bulk Threshold | Enforcement Posture (data brokerage) |
|---|---|---|
| Human genomic data | >100 U.S. persons | Categorically prohibited |
| Human ‘omic data (proteomic, epigenomic, transcriptomic) | >1,000 U.S. persons | Categorically prohibited |
| Biometric identifiers | >1,000 U.S. persons | Categorically prohibited |
| Precise geolocation | >1,000 U.S. devices | Categorically prohibited |
| Personal health data | >10,000 U.S. persons | Categorically prohibited |
| Personal financial data | >10,000 U.S. persons | Categorically prohibited |
| Covered personal identifiers | >100,000 U.S. persons | Categorically prohibited |
Where a transfer constitutes “data brokerage” — meaning a sale or license of access to a third party as part of a commercial transaction — the prohibition on transfer to a covered person is absolute. For other transaction types (vendor, employment, investment), transfers are restricted and require a written Data Compliance Program built around CISA security standards, with routine audits, employee training, and access logging. Civil penalties for violations reach the greater of approximately $368,000 or twice the transaction value; willful criminal violations can reach $1,000,000 and up to 20 years’ imprisonment. There are carveouts for ordinary financial-services, telecom, and intra-corporate transactions to avoid breaking standard global commerce.
By using national-security authority rather than consumer-privacy authority, the rule cleared faster and bites harder than anything else U.S. regulators have aimed at the broker market. The enforcement record is still thin as of mid-2026, and whether the on-paper penalties get applied at meaningful scale to U.S.-based brokers selling to U.S.-based intermediaries that resell to covered persons is something the next twelve to eighteen months will clarify.
PADFAA: Protecting Americans’ Data from Foreign Adversaries Act
PADFAA was signed in April 2024 and took effect June 23, 2024, as part of a broader national-security package. It complements EO 14117 by taking the zero-threshold approach: it makes it unlawful for any data broker to sell, license, rent, trade, or transfer any personally identifiable sensitive data of a U.S. individual to a foreign adversary country or an entity controlled by one — no bulk threshold required. The definition of sensitive data is expansive: 17 categories spanning the obvious (health, financial, biometric, precise geolocation) and the less obvious (military status, sexual-behavior information, device log-in credentials, government identifiers).
Enforcement runs through the FTC, which treats violations as unfair or deceptive acts under Section 5. In February 2026 the FTC sent formal warning letters to 13 major data brokers — calling out specifically the brokers known to offer “solutions and insights involving the status of an individual as a member of the Armed Forces,” a direct nod to the Duke study findings. Maximum civil penalties run to roughly $53,088 per individual violation.
FTC Enforcement Against the Location-Data Market
In parallel with the regulatory framework, the FTC has been forcing the most egregious geolocation brokers out of business through Section 5 enforcement.
- InMarket Media (early 2024). The FTC found that InMarket’s SDK — embedded in its own apps like CheckPoints and ListEase as well as third-party apps — was harvesting precise location data from over 100 million unique devices annually, cross-referencing it with demographic data, and sorting users into nearly 2,000 audience categories like “wealthy and not healthy” and “parents of preschoolers.” The resulting consent order was the FTC’s first absolute prohibition on the sale or licensing of precise location data, and required InMarket to destroy previously collected location data unless verifiably de-identified.
- Outlogic / X-Mode (2024). Similar consent order, similar prohibition.
- Kochava (May 2026). On May 4, 2026, the FTC announced a settlement resolving the FTC’s 2022 case against the Idaho-based broker. Kochava is now permanently barred from selling sensitive location data without affirmative express consent. The settlement defines “sensitive” location as precise location associated with medical facilities, religious organizations, education and childcare sites for minors, homeless shelters, domestic violence shelters, and military or federal law-enforcement sites. Kochava must build a Sensitive Location Data Program identifying these locations, run a supplier-assessment program to confirm consumer consent upstream, report incidents of third-party violations, and let consumers find out which businesses received their data and revoke consent.
The common thread across InMarket, Outlogic, and Kochava: the FTC is no longer asking for better disclosure. It is structurally banning categories of broker activity entirely. The approach works well against named defendants but does less to deter the long tail of smaller brokers that won’t register, won’t respond to requests, and don’t have a meaningful U.S. presence to enforce against.
Canada: PIPEDA’s Obsolescence, Quebec’s Vanguard
Canada’s federal trajectory has been the inverse of the United States’. The U.S. has gone the route of state plus executive plus FTC pressure; Canada has tried and largely failed at modernization at the federal level, while one province has built the most stringent privacy regime in North America.
PIPEDA (2000) is the federal private-sector privacy law, and it was written before the data-broker industry as we now understand it existed. Brokers exploit two structural loopholes routinely: they argue that aggregated or “anonymized” data is not “personal information” within PIPEDA’s definition (a claim that holds up poorly against modern re-identification research), and they shift the consent burden upstream to the original “data owners” by collecting indirectly — claiming the implied consent buried in the original app’s terms of service runs all the way through to broker resale. The Privacy Commissioner of Canada cannot levy meaningful administrative monetary penalties under PIPEDA, which means non-compliance is priced into broker operating models as a routine cost.
Canada Post and the Smartmail Marketing case is a useful illustration of the limits. Canada Post — a Crown corporation — runs a Smartmail Marketing Program that monetizes the operational data on the outside of mail (sender, recipient, postal-code demographics) by renting targeted marketing lists. After complaints, the Office of the Privacy Commissioner investigated and found that while the program complied with the Privacy Act’s usage and disclosure rules, it violated Section 5(1) — the requirement that government institutions collect personal information for administrative purposes directly from the individual. The OPC recommended Canada Post cease the practice. Canada Post refused, agreed to minor transparency tweaks the OPC said were insufficient, and continued the program. The OPC noted that the U.S. Postal Service explicitly prohibits the sale or rental of personal information, which is worth knowing the next time someone characterizes broker-style monetization as standard global practice.
Bill C-27 (the Digital Charter Implementation Act) would have replaced PIPEDA with the Consumer Privacy Protection Act, created a tribunal with binding-order authority, and added the Artificial Intelligence and Data Act on top. It collapsed on the order paper following the 2025 snap election, in part because the AIDA component drew sustained criticism for vagueness. The IAPP and Osler have both reported that the 2026 plan is to reintroduce privacy modernization separately from AI regulation, ideally before the summer recess, framed around a “data sovereignty” agenda. The expected emphasis: restrictions on onward data transfers, codified risk-assessment requirements for transfers to weaker-protection jurisdictions, and stronger safeguards for children’s data. Whether any of this materializes — and what it looks like if it does — is genuinely uncertain; the plan has been described but not introduced, and what eventually passes may differ substantially from what is currently anticipated.
Quebec’s Law 25 is what fills the vacuum in the meantime, and it is genuinely strict. The law phases culminated in September 2024 with full enforcement. Key requirements:
- Express opt-in consent for collection and processing of personal data. Default privacy settings must be set to maximum.
- Mandatory Privacy Impact Assessments before transferring data outside Quebec.
- A 30-day data portability requirement.
- Maintenance of a confidentiality-incidents register; immediate notification to the regulator of breaches involving risk of serious injury.
- Administrative monetary penalties up to CAD $10 million or 2% of global revenue; penal fines up to CAD $25 million or 4% of global revenue for serious violations.
Enforcement runs through the Commission d’accès à l’information du Québec (CAI), which has the authority and the appetite to use these penalties. Because segregating Quebec residents from broader Canadian datasets is technically difficult and operationally expensive, most North American brokers operating in Canada are effectively adopting Law 25 as their Canadian baseline. In the absence of working federal law, the province has become the de facto regulator.
What Regulation Now Hands the Individual
As of mid-2026, the regulatory pushback has moved the ball in concrete ways for an ordinary person:
- A California resident can submit one deletion request through DROP and reach every registered broker in the state at once. The continuous-suppression requirement means the broker is supposed to keep deleting that profile every time it tries to rebuild, on a 45-day cadence, indefinitely.
- A foreign-adversary buyer cannot legally purchase your sensitive data from a U.S. broker without exposing the broker to FTC enforcement under PADFAA and, above the bulk thresholds, criminal liability under the DOJ rule.
- A location-data broker cannot sell your visits to a clinic, place of worship, shelter, school, or military site without affirmative express consent — or it ends up where Kochava ended up.
- A Quebec resident can demand a copy of their structured personal data within 30 days, force opt-in consent on collection, and trigger a regulator with the authority to impose CAD $25 million in penal fines for serious violations.
That is genuinely more than the same individual had two years ago. It is also nowhere near enough. The Delete Act covers California; the DOJ rule covers transfers to specific foreign jurisdictions; PADFAA covers adversary-nation transfers; Quebec covers Quebec. None of them, individually or together, dissolve the dossier. They make it more expensive to build, more dangerous to sell to the wrong buyer, and slightly more deletable when you ask politely with the right paperwork.
The broker still exists. The graph still exists. The next quarterly ingest is still scheduled. Statutory deletion is a meaningful new lever, but using it well requires knowing which laws apply to you, which buttons to push, and which ongoing practices to adopt so that the dossier doesn’t simply rebuild around you the moment you stop paying attention.
The Floor, Not the Ceiling
The data broker economy did not become a national-security and consumer-rights problem because of one specific company or one specific incident. It became a problem because the underlying commercial model — silent aggregation of personal data without consent, indefinite retention, centralization for linkage at scale, resale to whoever can pay — turns out to scale into surveillance infrastructure and into a high-value cyber target at the same time. Those two failure modes are inseparable from the value proposition.
Regulation has caught up partially, asymmetrically, and almost entirely outside the U.S. federal track. The California Delete Act / DROP, the DOJ Bulk Data Transfer Rule, PADFAA, FTC location-data prohibitions, and Quebec’s Law 25 are individually meaningful and collectively a real shift. They establish a floor: a baseline of behavior the most aggressive brokers can no longer engage in without enforcement risk, a deletion mechanism that gives consumers their first real lever, and a set of penalty thresholds severe enough that the larger players have started rebuilding their compliance functions in response.
Knowing the floor exists is different from standing on it well. Filing a DROP request correctly, running the data-inventory exercise to figure out whether a vendor pipeline is exposed to the DOJ rule, picking the right removal service for a given risk profile and configuring it so the dossier doesn’t quietly rebuild on the next quarterly ingest — those are operational questions the statutes do not answer. The shadow economy mapped in Part 1 is still running. The regulatory floor slows it. What determines whether you live well inside it or become its product is the practice you maintain on top of that floor.
Continue to Part 3 — Privacy Practices: The Operational Stack That Actually Works. Previously: Part 1 — Who Data Brokers Actually Are and How They Build You.