Your personal data isn’t completely safe—even if you think it might be. Recently:
Some of these scenarios are out of your control. But decisions you face every day—such as opting into policies that sell your data to data brokers and joining social media platforms with a history of breaches—are within your control.
To best protect your data, you need to understand the digital landscape, its vulnerabilities, and the actionable steps you can take. Your data is your responsibility to secure, and your awareness of the tools you can deploy is the first step.
Much of the sensitive data about people online is public by their consent. For example, social media accounts that list your friends and family, display your online personal photo albums, and include your telecommunication information (like your phone number) are available to billions of people.
To secure information available by consent, services like LastPass can create complex passwords for you and auto-change them regularly for less than $5 per month. Other exposure points, such as website cookies or emails, might not come to mind as readily but still contain sensitive personal information.
Cookies are more than just annoying pop-ups when you open a news article. They’re the mechanism that allows you to log in to websites without typing in your credentials every time, but they also track and store your preferences and behavior for marketing and analysis. This data can be used or sold to third parties for various purposes.
Websites often offer the option to disable unnecessary third-party cookies, as required by applicable law. Browsers also offer settings that allow you to block cookies, with Chrome preparing to phase out third-party cookies entirely. To limit your data being tracked or sold, disable unnecessary cookies on your browser and individual websites.
Your email accounts contain a wealth of personal information, often considered private. Deleting old email accounts removes their data so that it’s not exposed in a breach, and adding multifactor authentication or email encryption, often free as browser extensions, can add another layer of security to your communications. However, these preventative strategies don’t eliminate risk. If you have concerns, check whether your email has been breached at websites like have i been pwned.
Maintaining personal data security is a difficult and iterative process, but smarter personal decisions can help regulate the information in your control. However, some personal data is held by data brokers or the government and is harder to remove.
The panopticon is the ideal prison, where the watchman can see everything, and the occupants must assume they’re being watched even if they’re unaware of the actual observation. That’s not much different from the $200 billion industry of data brokers.
More than 4,000 brokers harvest data to sell for purposes like finding people, mitigating hiring risk, verifying financial history, and performing marketing analytics. They all use information from public records, cookies, and the sale of data from credit card companies and mobile applications.
In the landscape of commodified data, buyers are plentiful, from individuals and corporations to the Department of Homeland Security and the MS-13 gang. Even if buyers are harmless, data brokers like National Public Data are still regularly breached.
Moreover, security measures like anonymized datasets, required by California’s Consumer Privacy Act and the European Union’s GDPR, are insufficient. Need proof? In 2016, researchers were able to reidentify the sexual preferences of German politicians from a dataset of three million individuals. To better understand how this affects you or your loved ones, search for yourself or them on websites like Fast People Search or the National Public Data Breach Check.
Many data brokers will respond to your removal requests, but you must submit requests broker by broker. Even the largest third-party services like DeleteMe cover only around 500 brokers. But brokers are often noncompliant with requests, such as in New Jersey, where they ignored address remove requests of law enforcement officers being targeted by the gang MS-13. Ironically, you must provide personal information to the broker during your removal request that verifies the records you’re asking to be eliminated.
On the bright side, legislation is beginning to remedy the issue of underregulation. California’s Delete Act, which will take effect in January 2026, requires brokers to register if they’re operating in California and then allows you to send a single removal request to those brokers all at once. Those who don’t are subject to penalties for noncompliance.
Until then, or if you’re not in California, your best options are smarter personal decisions and broker-by-broker removal requests.
The federal government has a history of surveillance using data and information mismanagement. From NSA surveillance leaked by Edward Snowden to FBI searches of Americans’ communications through Section 702 of FISA, the American people should no longer be surprised that we’re being watched.
But you may find it jarring to hear of instances of poor security and data mismanagement like these:
Moreover, the role of data brokers in government surveillance is often overlooked:
On the bright side, awareness of these data privacy issues is increasing, and legislation to curtain brokers and government intrusion is becoming the center of the conversation. For instance, the Fourth Amendment is Not For Sale Act would prohibit law enforcement and intelligence agencies from buying data from brokers.
No single bill can solve all these challenges. However, California’s soon-to-be-implemented DELETE Act, the European Union’s recent Data Act, and legislative proposals like the Fourth Amendment is Not For Sale are good starting points for systemic change.
