If you’ve started noticing the term “data broker” in the last few months, you’re not alone. While they’ve been a problem for a while, a recent John Oliver segment exploring how they work and a new ad from Apple highlighting the practice have both called attention to the issue, helping to bring this increasingly important practice out from the shadowy corners of the internet. If you’ve ever wondered about the details, here’s what you need to know. 

Data brokers—also called information brokers—are businesses that aggregate, process, and license information to other companies. While some data they sell is environmental or statistical, they often combine data about individual people from multiple sources to create lists of email addresses, phone numbers, or physical addresses that can be sold to marketers. This is the kind of practice we’re concerned about.

Data brokers are under scrutiny at the moment because people are increasingly, and understandably, concerned about privacy. One Pew Research study found that 79 percent of Americans were concerned about how much data companies were collecting about them, and 81 percent of Americans felt the potential risks of data collection outweighed the potential benefits. 

What does a data broker do?

A sterile definition of a data broker is a company that collects, improves, and then sells information to other companies. While strictly a true definition, that paints a much nicer picture than what can happen with data about people. 

First up, collection. Data brokers collect information in lots of different ways, including buying it from third-party companies (e.g., your credit card company, grocery store loyalty program, or a free app), searching public databases (such as court records, housing records, or social media), and directly tracking your activities online. If you’ve ever ticked a box when signing up for a site that says something to the effect of “you agree we can share your data with select third-party partners,” then there’s a good chance that your data was sold to a data broker. Similarly, lots of free apps—including major social media companies and delivery apps—sell the data they collect to third-parties. 

[Related: The dangers of digital health monitoring in a post-Roe world]

Next, data brokers clean up, combine, and generally process the information they’ve gathered. This involves tasks like merging different lists (like linking the purchases you’ve made on one website with biographical information you provided to a dating app), getting rid of redundant data (like purging international buyers from datasets they want to sell to US companies), and otherwise getting it ready to sell in pre-packaged lists or as targeted market segments to other companies. 

Finally, the data brokers sell these lists, often under topics like “high-earning vegetarians,” or “gym goers who buy protein powder,” although sometimes as subjects like “erectile dysfunction sufferers,” “alcoholism sufferers,” or worse.  

How are data brokers legal?

Although data brokers and apps selling personal data are occasionally fined by the FTC for egregious conduct, such as selling information used by scammers to defraud people or sharing sensitive data too broadly, for the most part the practices they use are legal. The US has no federal data protection laws like GDPR—that’s the General Data Protection Regulation—in the EU. 

For a start, most data collection is opt-in. You tick a box saying it’s okay that an app shares your data or service tracks you with a cookie. Even if you never read the privacy policy, it’s technically consent. (On iOS, you can navigate to Settings, then Privacy, then Tracking to learn more about Apple’s attempts to block apps from tracking you; here’s more on the topic for Android users.)

Also, while data brokers claim that the data they sell is anonymized, researchers have found that supposedly anonymous data sets are startlingly easy to de-anonymize. It takes just 15 characteristics (including age, gender, or marital status) to re-identify someone 99.98 percent of the time. In one shocking example last year, a priest resigned after The Pillar, a Catholic news site, identified him using Grindr location data it had bought from a broker. 

And where the US does have privacy laws, like HIPAA, which bans healthcare providers from sharing your data without your consent, they often don’t apply when it comes to the information you might share with an app that’s not part of your healthcare organization, for example. This is why the Electronic Frontier Foundation (EFF) calls for strong federal consumer data privacy laws. 

Watch the John Oliver bit, below.