Understanding Data Brokers: Practice, Perception, and Privacy. Hint: They’re Not All The Same

A traditional data broker is generally understood to be a company whose primary business model revolves around collecting information about individuals, aggregating it from multiple sources, and then selling or licensing that information to other organizations. Most consumers never interact with these companies directly and may not even be aware of their existence. Data brokers typically operate behind the scenes in industries such as advertising, finance, insurance, and analytics, and are often distinguished by the absence of any direct relationship with the individuals whose data they collect and commercialize.

Conventional data broker operations rely on sourcing data from a broad array of inputs, including public records, commercial transactions, online activity, surveys, loyalty programs, mobile applications, and third-party data providers. While individual data points may appear routine or low-risk in isolation, data brokers specialize in aggregating, correlating, and linking these signals across contexts. Over time, this enables the creation of increasingly detailed profiles that describe a person’s characteristics, interests, behaviors, or predicted future actions, often without the individual’s awareness or meaningful opportunity to intervene.

These profiles are then packaged and distributed through data feeds, audience segments, enrichment products, or similar offerings. Buyers may include advertisers seeking highly granular targeting, lenders assessing credit or risk, insurers evaluating exposure, or retailers supplementing their internal datasets. Importantly, traditional data brokers typically operate independently of any single client’s instructions. They determine how data is collected, combined, reused, and monetized, and frequently sell the same data repeatedly for different purposes, maximizing reuse rather than minimizing exposure.

Because this model depends on scale, reuse, and limited consumer visibility, data brokers have increasingly drawn regulatory scrutiny. Individuals are often unaware that their information is being collected, profiled, and sold, and historically have had limited ability to understand, access, or control these practices. This opacity, as opposed to single data points, has been a central concern driving modern privacy legislation and regulatory oversight of the data broker industry.

In everyday terms, a data broker is commonly understood as an entity that collects information about people from many disparate sources, packages that information into a commercial product, and sells or licenses it onward. This colloquial understanding is important, as it explains why the term “data broker” can carry negative connotations and why it is sometimes applied broadly, even to companies whose operations differ materially from that model.

A common example is a people-search website that enables users to look up individuals by name, phone number, email address, or address, and view information about that person and their known associations.

Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), however, “data broker” has a specific statutory definition. California law defines a data broker as a business that knowingly collects and sells personal information of consumers with whom it does not have a direct relationship. This legal definition governs regulatory obligations, even where it diverges from how consumers or the public typically understand the term.

DealerX acknowledges that the definitions of “personal information” under the CCPA and CPRA are broad. Accordingly, where required, DealerX registers as a data broker and complies with all applicable registration and operational obligations. At the same time, DealerX does not “sell” consumer personal information in the way that term is commonly associated with traditional data brokers, which typically aggregate consumer information and make it broadly available to third-party purchasers. DealerX does not create, maintain, or monetize independent consumer profiles outside the specific context in which the data is collected and used, automotive. Rather, DealerX processes client data within that limited context and derives aggregated insights from contextual signals and keywords associated with related browsing activity. These insights enable brands to reach relevant prospective audiences through targeted omnichannel communications, without relying on persistent individual consumer profiles unrelated to automotive intent or on the broad resale of personal information.

Understanding this distinction helps clarify why DealerX may be treated as a data broker under the statute, while operating in a manner that is materially different from what most consumers associate with traditional data broker practices in real-world terms.

How We’re Responding to the Evolving Privacy Landscape in California

At MarketOps/DealerX, we take consumer privacy seriously and maintain full compliance with both the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Our commitment to transparency, accountability, and user empowerment guides every aspect of our data handling practices.

Visibility ≠ Compliance: Why Indexing Is Not a Privacy Requirement

There has recently been some discussion around the visibility of our privacy-related web pages in search engine indexes. We want to be clear: there is no legal or regulatory requirement under California law mandating that these pages be indexed by Google or any other search engine.

In fact, publicly indexed pages are statistically more susceptible to malicious activity, including denial-of-service attacks, scraping, and malware injection. These risks exist even for highly secure and compliant sites.

While we were previously unaware of any “noindex” or “nofollow” settings affecting specific pages, we now recognize that such configurations offer important security and operational benefits — and are not at odds with compliance.

Our Tools Are Built for Access, Not Obscurity

Regardless of search engine visibility, our privacy tools are built with accessibility in mind. Our California privacy rights framework is fully implemented across our website and enables residents to easily exercise their rights — including the right to opt out of the sale or sharing of personal information — without navigating through layers of legal jargon or buried links.

These tools are prominently displayed, easy to understand, and efficient. In fact, we’ve already processed thousands of verified consumer requests without receiving a single complaint, which we view as a strong validation of our user experience and compliance efforts.

We also publish relevant privacy request statistics in a transparent manner, ensuring we meet our obligations and uphold the trust of our users.

Preparing for California’s DROP System

Looking ahead, California’s privacy landscape is evolving once again with the implementation of the Delete Request and Opt-Out Platform (DROP) — a centralized, state-run system launching by January 1, 2026 under the Delete Act (SB 362). This one-stop platform will allow California residents to submit a single deletion or opt-out request that is automatically routed to all registered data brokers.

As a registered data broker, we pay an annual fee to the California Privacy Protection Agency (CPPA), which in turn funds the development and maintenance of this DROP system. We view this as a meaningful step toward simplifying privacy rights for consumers while reinforcing compliance expectations across the industry.

Once DROP is live, it will provide a centralized and streamlined mechanism that renders any debate over page indexing essentially moot — consumers will have a direct, authoritative channel to exercise their rights, independent of individual web page configurations.

Commitment to Transparency and Privacy

We remain committed to:

  • Meeting and exceeding all legal obligations under California privacy law.
  • Offering user-friendly tools that respect and honor consumer privacy rights.
  • Providing full transparency about how we manage, protect, and process consumer data.

FTC March 4th Guidance

Browsing and location data are sensitive. Full stop.

DealerX values your privacy. Following the FTC’s expanded March 4th guidance DealerX has further depreciated the use of 1st party location data relating to service department defection. We’ve done this by increasing the size of the cohort groups used to indicate database defections. This may impact your advertising spends by increasing the cost associated with sharing your dealership’s value proposition, but we believe it to be a fair exchange to exhibit (“DealerX”) and our clients (“Company”) commitment to privacy.

We’ve also applied the same approach to our ANON website visitor data by expanding the amount of potential cohorts who are retargeted.

At DealerX we continue to strive for consumer privacy rights while mitigating our clients exposure to advertising fraud, cyber threats, unnecessary waste and *KYC requirements.

*KYC = Know your customer.

https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/03/ftc-cracks-down-mass-data-collectors-closer-look-avast-x-mode-inmarket

This website uses cookies to improve your experience. They help the website to remember your preferences and settings so that you don't have to keep entering them every time you visit. Cookies also help us to track how you use the website so that we can improve your experience. You can choose to accept or decline cookies. If you decline cookies, some features of the website may not work properly. To learn more about cookies, please visit our privacy policy.

Accept All Cookies