Everything PR News
PR, AI & Communications News

Is Our Privacy Being Pirated? The Data Broker Economy and the Breach Economy

EPR Editorial TeamEPR Editorial Team3 min read
Share
Is Our Privacy Being Pirated? The Data Broker Economy and the Breach Economy

Edited on Jun 23, 2026.

Privacy is not being pirated by the Terms & Conditions box. It is being pirated by the data broker economy, by the breach economy, and by the persistent gap between what consumers think they are sharing and what actually gets collected, packaged, and sold. The story is no longer about whether anyone reads the privacy policy. It is about who buys, scrapes, and resells the data the policy quietly allowed out the door.

What changed

Two structural shifts have moved the privacy question beyond the click-wrap layer entirely.

The data broker stack matured. Acxiom (now part of LiveRamp), Experian, Epsilon, Oracle Data Cloud, TransUnion's TruAudience, and several hundred mid-tier brokers operate at scale. Vermont's data broker registry lists 500+ registered brokers. California's CCPA-mandated registry (run by the California Privacy Protection Agency since 2024) shows similar scale.

The breach economy industrialized. 3,205 publicly disclosed US data compromises in 2023 (Identity Theft Resource Center). 2.9 billion records exposed in the 2024 National Public Data breach. The Change Healthcare ransomware attack in February 2024 affected 100+ million Americans and cost UnitedHealth $2.4 billion-plus. The MOVEit supply-chain breach in 2023 cascaded into 2,700+ organizations.

The federal regulatory frame

  • FTC enforcement. $5 billion against Facebook (2019), X/Twitter ($150M, May 2022), Avast ($16.5M, February 2024), X-Mode/Outlogic (2024), InMarket (2024).
  • State law. 20 US states have comprehensive consumer privacy laws as of 2026. The American Privacy Rights Act (APRA, April 2024) did not pass.
  • CFPB Section 1033. October 2024 Personal Financial Data Rights Rule. Implementation staged 2026–2030.
  • HHS / HIPAA enforcement. Change Healthcare triggered the largest HHS OCR investigation in HIPAA history.

Where the data actually goes

  • Ad-tech identity graphs. LiveRamp's RampID, The Trade Desk's UID2, Experian's ConsumerView.
  • Location data resellers. X-Mode (Outlogic), SafeGraph, Veraset, Foursquare, Cuebiq.
  • People-search sites. BeenVerified, Spokeo, Whitepages, Intelius, Radaris, MyLife.
  • Credit-adjacent scoring. LexisNexis Risk Solutions, ID Analytics, Equifax IXI.
  • Government data purchases. Sen. Wyden's 2024 disclosure that NSA, FBI, DHS, IRS, and DEA purchased commercial data including location data without warrants.

What companies actually do with the data

  • Telecoms. Verizon, AT&T, T-Mobile. FCC fined the four major carriers $200M in April 2024 for selling subscriber location data.
  • Retailers. Roundel (Target), Walmart Connect, Kroger Precision Marketing, Albertsons Media Collective.
  • Banks and fintechs. Chase, BofA, Capital One. Section 1033 is the first real federal constraint.
  • Health systems. Change Healthcare exposed the concentration.
  • Platforms. Meta, Google, TikTok, X, Amazon, Apple. Apple's ATT (April 2021) removed approximately $10B in annual Meta advertising revenue.

What consumers can actually do

  • File CCPA / state-law deletion requests. Tools: Privacy Bee, DeleteMe, Optery, Kanary.
  • Disable ad ID on mobile. iOS App Tracking Transparency. Android: Settings → Privacy → Ads → Delete advertising ID.
  • Use the Global Privacy Control signal. Brave, Firefox, DuckDuckGo send it by default.
  • Freeze your credit at all three bureaus. Equifax, Experian, TransUnion.
  • Enable a passkey or hardware key on your primary email.

The numbers

  • 3,205 — US data compromises in 2023.
  • 353 million — victim notices in 2023.
  • 2.9 billion — records in the 2024 National Public Data breach.
  • 100+ million — affected by the Change Healthcare breach.
  • $2.4 billion+ — UnitedHealth's disclosed cost of Change Healthcare.
  • 20 — US states with comprehensive privacy laws.
  • $200M — FCC fine against carriers (April 2024).

FAQ

Is there a federal US privacy law?
No. The American Privacy Rights Act (APRA) was introduced April 2024 and did not pass.

What's the biggest recent US privacy event?
The Change Healthcare ransomware attack in February 2024, affecting 100+ million Americans and costing UnitedHealth Group more than $2.4 billion.

Can consumers force data brokers to delete their information?
Yes, under California, Virginia, Colorado, Connecticut, and 16 other state privacy laws. Privacy Bee, DeleteMe, Optery, Kanary automate the process.

What's the highest-leverage privacy investment a consumer can make?
Freezing credit at all three bureaus and enabling strong authentication (passkey or hardware key) on the primary email account. The two together prevent most of the practical consequences of the breach economy at modest cost.

EPR Editorial Team
Written by
EPR Editorial Team

The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.

Other news

See all

Most brands are invisible inside AI search. Is yours?

EPR publishes the data every week.

Free. Weekly. Unsubscribe anytime.