How Data Brokers Are Selling Your Personal Information in 2026 — and What the New Laws Mean
20 states now have comprehensive privacy laws. California's DELETE Act lets you opt out from all brokers at once. Here's what data brokers know about you and how to stop them.
The Industry You've Never Heard Of — That Knows Everything About You
There's an entire industry built around collecting, aggregating, and selling your personal information. You've never signed up for their services. You've never agreed to their terms. Most people have never heard the names of the companies involved. But data brokers — thousands of them — have files on you that are almost certainly more detailed than anything a stranger could learn about you in person.
In 2026, this industry is facing new legal pressure. Twenty US states now have comprehensive privacy laws in effect. California's DELETE Act is operational. New bills are moving in Vermont, New York, and Connecticut. But the industry continues to operate, the data already collected remains in circulation, and federal legislation remains stalled. Understanding what data brokers know, how the law is evolving, and what you can do about it right now is more relevant than ever.
What Data Brokers Know About You
Data brokers gather information from dozens of sources: public records, social media profiles, loyalty program data, app tracking, ISP purchase histories, court records, voter registrations, and data purchased from other brokers. The profile that emerges is comprehensive:
- Identifiers: Full legal name, known aliases, date of birth, Social Security number fragments
- Contact information: Current and historical addresses, phone numbers (including unlisted), email addresses
- Financial estimates: Estimated income, property ownership, estimated net worth, credit score ranges
- Political data: Party registration, voting history, estimated political affiliation, donation history
- Health inferences: Purchases at pharmacies, health-related search behavior, inferred health conditions
- Personal life: Relationship status, household composition, presence of children, estimated ages
- Consumer behavior: Purchase history across merchants, brand preferences, spending patterns, subscription services
- Location history: Where you live, where you work, places you visit regularly, travel patterns
This data is sold to advertisers, employers running background checks, insurance companies, financial services firms, law enforcement agencies, private investigators, and "skip tracers" — people paid to locate individuals. Your data profile is a commercial product, bought and sold without your knowledge or consent in most US states.
The 2026 Legal Landscape: Progress and Gaps
The 20-State Milestone
As of early 2026, twenty US states have comprehensive consumer data privacy laws in effect. This is a significant milestone — it means roughly 60% of the US population lives in a state with some form of privacy law. But "comprehensive" doesn't mean identical. The strength of these laws varies considerably, and data broker-specific provisions are not always included in general privacy legislation.
New Laws Effective January 1, 2026
Indiana, Kentucky, and Rhode Island joined the list of states with active privacy laws at the start of 2026. Each law gives consumers in those states new rights: the right to know what data is collected, the right to request deletion, and the right to opt out of data sales. Enforcement mechanisms and business compliance timelines vary by state.
California's DELETE Act: The National Standard-Bearer
California continues to lead on data broker regulation. The California DELETE Act created a single centralized portal — known as DROP (Data Removal Open Portal) — where California residents can submit one request to opt out of, and request deletion from, all data brokers registered with the California Privacy Protection Agency. Before DROP, consumers had to submit individual opt-out requests to each broker separately — a process that could take hundreds of hours for a thorough opt-out. With DROP, a single request applies to all registered brokers.
This is arguably the most significant US data broker legislation ever enacted. Other states are watching California's implementation closely as a potential model.
Montana's Landmark Law Enforcement Provision
In May 2025, Montana became the first US state to close the data broker loophole for law enforcement. Previously, law enforcement agencies could purchase data from data brokers to circumvent the warrant requirements that normally apply to government surveillance. Montana's law restricts this practice — a significant civil liberties development that other states may follow.
Bills in Active Movement (March 2026)
Vermont, New York, and Connecticut all have active data privacy or data broker-specific bills moving through their legislatures as of March 2026. Vermont has historically been a leader on data broker regulation. New York's bill, if passed, would cover a population of 20 million and significantly expand the regulatory reach of state privacy law.
No Federal Privacy Law Expected
The American Data Privacy and Protection Act (ADPPA) and similar federal proposals have failed to advance through Congress repeatedly. No federal comprehensive privacy law is expected to pass in 2026. The US will continue to operate under a state-by-state patchwork, which creates uneven protections depending on where you live. If you live in a state without comprehensive privacy legislation, you have significantly fewer formal rights regarding your data.
How to Opt Out of Data Brokers
California Residents: Use DROP
If you live in California, the most efficient action is to use the California DROP portal to submit a universal opt-out request. This covers all brokers registered with the California Privacy Protection Agency in a single submission. Visit the California Privacy Protection Agency's website for current access information.
Everyone Else: A Practical Approach
For residents of other states, the process is more manual but still worthwhile:
- OptOutPrescreen.com: Official opt-out portal for the major credit bureaus' prescreened offers (Equifax, Experian, TransUnion, Innovis). Reduces unsolicited credit and insurance offers.
- DMAchoice.org: The Data & Marketing Association's opt-out service for direct mail and marketing lists.
- Individual broker opt-outs: The largest data brokers with consumer-facing opt-out processes include Whitepages, Spokeo, BeenVerified, Intelius, Acxiom (InfoBase), LexisNexis (for consumers), and PeopleFinder. Each has its own opt-out form, often requiring you to locate your listing first, fill out a form, and sometimes verify via email.
- LimeVPN's data broker check tool: Use our tool at limevpn.com/tools/data-broker-check to see which brokers have data on you and get direct links to their opt-out processes.
A realistic approach for someone outside California: dedicate a few hours to the major brokers, use opt-out automation tools if available in your state, and repeat the process every 6–12 months, as brokers re-acquire and re-publish data regularly.
How a VPN Reduces Future Data Collection
Opt-outs address data that already exists in broker databases. A VPN helps reduce how much new data gets collected going forward:
- ISP browsing history: Without a VPN, your ISP can see every domain you visit and legally sell that data to brokers in states without ISP data sale restrictions. A VPN encrypts your traffic — your ISP sees only that you're connected to a VPN server, not what you're doing online.
- IP-based profiling: Advertisers and data collection networks use your IP address to build behavioral profiles and link your activity across websites. A VPN replaces your real IP with a VPN server IP, making IP-based cross-site tracking less effective.
- Location tracking: Apps and websites that track location based on IP address will see the VPN server's location, not yours. This limits location-based data points that feed into broker profiles.
What a VPN Cannot Fix
Honesty matters in privacy discussions. A VPN addresses specific data collection vectors but does not solve the data broker problem comprehensively:
- Data already in broker databases: A VPN does not remove information that has already been collected and sold. Opt-out requests are the only mechanism for addressing existing data.
- On-device app tracking: Many apps collect data directly from your device, including location, contacts, usage patterns, and app activity. This data can be collected and sold regardless of your VPN status. Addressing this requires reviewing app permissions, using privacy-respecting apps, and considering additional tools like a privacy-focused browser.
- Account-linked data: If you're logged into Google, Facebook, or a retailer's loyalty program, they can track your behavior regardless of your VPN. Reducing this requires behavioral changes: logging out, using private browsing, or switching to privacy-respecting alternatives.
The Practical Privacy Stack for 2026
No single tool solves the data broker problem. A practical approach combines several layers:
- VPN (LimeVPN): Encrypts your internet traffic, hides your browsing from your ISP, replaces your IP address for ad tracking purposes
- Data broker opt-outs: Remove existing data from the major brokers; repeat annually
- Privacy-respecting browser: Firefox with uBlock Origin, or Brave — reduces on-device tracking and fingerprinting
- California DROP (if eligible): Single-submission opt-out for all registered California data brokers
- App permission review: Audit which apps have location, contacts, and microphone access; revoke unnecessary permissions
This stack won't make you invisible — no tool can do that. But it significantly reduces the volume of new data collected about you, limits what's available to brokers going forward, and addresses the data that already exists in their systems.
The Bottom Line
Twenty states with comprehensive privacy laws represent genuine progress. California's DELETE Act is a landmark achievement. But data brokers continue to operate extensively, federal legislation remains absent, and the data already in broker databases remains in circulation. In 2026, the most effective approach is to combine the new legal tools available (particularly if you're in California or another state with strong privacy laws) with practical technical measures — a VPN for ongoing protection and regular opt-out requests to address existing data. The system is imperfect, but the tools to fight back are more accessible than ever.
About the Author
LimeVPN
LimeVPN is a privacy and security researcher at LimeVPN, covering VPN technology, online anonymity, and digital rights. Passionate about making privacy accessible to everyone.