Skip to content

Understand the ecosystem

How Data Brokers Obtain Your Data

A calm, factual look at where the information in a data-broker profile actually comes from — public records, everyday data sharing, and the consent you may have given without noticing — so the picture feels understandable rather than alarming.

In short

Data brokers obtain your data mostly from ordinary, already-existing sources: public records such as electoral or company registers, information shared between businesses, and details you provided when you signed up for a service or agreed to terms. They then combine these scattered pieces into a single profile and license it to others.

Public records and openly available sources

A large share of the information data brokers hold begins life in the open. Many countries maintain public registers — the electoral roll, company filings, property and land records, court listings, professional licences — that are designed to be inspectable by anyone. These records exist for legitimate reasons, such as transparency in business and the running of elections, and brokers can draw on the parts that are openly available.

Alongside formal registers, there is the wider trail of openly available activity: a public social-media profile, a directory listing, a review you left, a forum post, a mention on a page someone else published. None of this is hidden or secret — it is simply information that is already visible to anyone who looks. A broker's contribution is not usually to uncover something private, but to gather these scattered, already-public fragments into one place.

It can be reassuring to know that this is the bulk of the picture: most of what ends up in a profile was never concealed in the first place. Understanding that the raw material is largely ordinary and public is the first calm step toward making sense of how a profile comes together.

  • Public registers — electoral roll, company filings, property and court records, professional licences.
  • Openly available activity — public profiles, directory listings, reviews, posts, and mentions on pages others made.
  • The broker's role is mainly to gather and combine, not to expose something hidden.

Data sharing between businesses

The second major source is information that moves between organisations. When you interact with a company — buying something, signing up for a newsletter, entering a competition, using a loyalty card — that company collects details about the interaction. In some cases, depending on what you were told and agreed to, that information can be shared with, sold to, or licensed to other businesses, including brokers who specialise in assembling profiles.

This is why a profile can contain details you do not remember giving to the company that holds them: the data reached the broker indirectly, passed along a chain of businesses rather than handed over by you directly. Marketing lists, analytics partnerships, and supplier relationships are common routes. The information is rarely dramatic — it is often everyday commercial data such as an address, a purchase category, or a rough estimate of interests.

Knowing this helps explain a common, unsettling feeling: that a company you have never heard of seems to know things about you. Usually there is no mystery — the data simply travelled through ordinary business relationships rather than appearing from nowhere.

  • Information collected during everyday transactions can be passed between businesses.
  • Marketing lists, analytics partnerships, and supplier relationships are typical routes.
  • This is why a broker you have never contacted may still hold details about you.

Consent chains — the agreements you may have given

The third source is the most personal: the agreements you have made along the way. Under data-protection law, consent is one lawful basis an organisation can rely on to use your personal data — but consent given to one company, buried in a long set of terms or a pre-ticked-looking checkbox, can sometimes permit onward sharing you did not focus on at the time. This is what people mean by a consent chain: a single agreement that quietly authorises a series of later uses.

It is worth being precise here. Valid consent under the UK GDPR must be freely given, specific, informed and unambiguous, and you can withdraw it at any time. In practice, though, consent is often broad and easy to overlook, which is how data can end up further along a chain than you expected. Reviewing the privacy settings and marketing preferences on services you use, and withdrawing consent where it is offered, is one practical way to narrow that chain over time.

If you would like to see what a particular organisation actually holds about you, you can make a Data Subject Access Request (DSAR) — your right under the UK GDPR (Article 15) to ask for a copy of your personal data and information about how it is used. That is often the clearest way to replace guesswork with fact. This is general information, not legal advice; if you have a specific concern, consider speaking to a qualified adviser or your data-protection authority.

  • Consent given to one company can sometimes permit onward sharing you did not focus on.
  • Valid UK GDPR consent must be freely given, specific, informed and unambiguous — and can be withdrawn.
  • Reviewing privacy and marketing settings, and using a DSAR, helps you see and narrow the chain.

Frequently asked questions

Do data brokers hack or steal data to build profiles?

Generally no. The everyday model of a data broker relies on ordinary sources: public records, openly available activity, and data shared between businesses under their terms. Their work is mostly gathering and combining information that already exists, rather than breaking into systems. Unlawfully obtained data is a separate matter handled by data-protection and criminal law.

How can a company I have never contacted have my data?

Usually because the data reached it indirectly. Information you gave to one organisation can, depending on what you agreed to, be shared or licensed along a chain of businesses until it reaches a broker. So a company you have never dealt with directly may still hold details about you, drawn from public records or passed along by others.

Can I find out what a data broker holds about me?

Often, yes. Where data-protection law applies, you can make a Data Subject Access Request asking the organisation for a copy of the personal data it holds about you and how it is used. Under the UK GDPR this is the right of access (Article 15), and it can turn assumptions into something you can actually see.

Does OSINTA monitor data brokers or scan for my data?

No. OSINTA is self-only and does not monitor, watch, or scan anyone or anything on your behalf. It helps you understand your own digital footprint from already-public information and frame and route your own data-rights requests, with your say-so at every step. It cannot promise removal, because that decision rests with whoever holds the data.

Related terms

This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.

Reviewed by OSINTA's founding lawyer — 2026-06-27.

See what a company actually holds about you

OSINTA helps you understand your own footprint and frame and route your own rights requests — you stay in control of every step. There is no rush and no pressure.

See the DSAR guideJoin the waitlist