REFOG Blog Login

Data Brokers and Your Teen's Personal Information

Data brokers quietly collect and sell your teen's personal information. A calm, practical guide to how it happens, why teens are exposed, and how to opt out.

July 3, 2026 · 14 min read · By REFOG Team
A single paper dossier fanned into many identical copies across a sage surface
The short version: data brokers are companies that quietly assemble and sell a profile of your teen — name, addresses, relatives, habits — from apps, public records, schools, and breaches, without ever meeting them. Federal privacy law mainly covers children under 13, so a teenager's data is broadly fair game. You cannot un-publish the internet, but you can meaningfully shrink what is exposed: opt out of the big people-search sites, use Google's removal tools, and, above all, minimize what gets collected in the first place.

What a data broker is

A single paper card passing along a row of small folded paper trays on a sage surface

A data broker is a company that collects personal information about people from many sources and sells it — typically to marketers, other businesses, or anyone who pays — without having any direct relationship with the people whose data it holds. California's privacy regulator defines one as a business that knowingly collects and sells the personal information of a consumer it has no direct relationship with. The privacy nonprofit EPIC puts it more bluntly: firms that collect, aggregate, package, and sell huge volumes of personal data, often without consumers knowing they exist.

That last part is the whole point for a parent. Your teen never signed a contract, never clicked “agree,” and in most cases has no idea the company exists. The broker simply gathers pieces that are already out there and assembles them into one record it can sell.

The business runs in three moves: collect, aggregate, sell. Brokers pull from public records (court filings, property deeds, voter rolls), from commercial feeds (loyalty programs, purchases, warranty cards), and from online activity, then merge it all into a profile and sell access to it. The scale is hard to picture. The Federal Trade Commission's landmark 2014 report on the industry found that brokers collect and store billions of data elements covering nearly every U.S. consumer with minimal transparency — one broker held over 700 billion aggregated data elements, and another maintained more than 3,000 “data segments” for nearly every American. Those specific figures are a decade old now, but the industry has only grown, and they remain the clearest picture regulators have published of how deep the profiles go.

How your teen's data gets sold

Several small paper streams flowing from scattered sources into one folded paper bin on a sage surface

Your teen's data reaches brokers through ordinary, everyday activity — apps, schools, public records, and breaches — not because they did anything wrong. And unlike a younger child, a teenager has almost no legal shield standing in the way.

That is the fact worth sitting with. The federal children's privacy law, the Children's Online Privacy Protection Act (COPPA), mainly limits how online services collect data from children under 13. There is no comparable federal privacy rule covering 13-to-17-year-olds, so a teenager is far more exposed than a younger child. The FTC's 2024 staff report A Look Behind the Screens studied nine major platforms and found they often treated teens exactly like adult users, collected vast amounts of data, and could retain it indefinitely — including data bought from brokers.

HOW THE DATA GETS OUT
  1. Apps and their hidden codeMany apps carry embedded advertising kits (SDKs) that quietly send location and device data to third parties. In one FTC case, the broker X-Mode was collecting precise location straight from apps that ran its code — then selling it on.
  2. Ad auctionsEach time an app loads an ad, a “bid request” can broadcast device details — and often location — to many companies at once. Brokers harvest those broadcasts even when they never show an ad.
  3. School “directory information”Under education-privacy rules, schools may release basic student details — names, birthdates, photos, sometimes addresses — as “directory information” unless a parent opts out.
  4. Public recordsProperty deeds, court filings, and voter rolls are bought in bulk and merged in. A family record ties a teen to an address and to their relatives.
  5. Data breachesWhen a company is breached, the data spills into circulation. The January 2025 Gravy Analytics breach exposed location traces gathered from roughly 12,000 apps, including ones popular with teens.
  6. Scraped social profilesPublic posts, usernames, and photos are copied and matched to the rest, which is how a throwaway handle gets tied back to a real, named teenager.
Most of these happen invisibly and without consent. That is why a teen's profile can exist even when they have been careful — the data is collected around them, not from a form they filled in.

This is not hypothetical for young people specifically. After California began requiring brokers to register and disclose what they sell, roughly two dozen admitted they collect data on minors, and dozens more sell precise location. Duke University researchers documented brokers openly advertising packages of student and teen data — with major names including Equifax, Experian, and TransUnion stating in Vermont's registry that they collect data on minors.

What's in a broker profile

A folded paper file thick with layered slips of paper resting on a sage surface

A broker profile is a dossier — far more than a name and an email. It layers together the factual, the historical, and the guessed-at, until a stranger can learn more about your teen in five minutes than most of their teachers know.

EPIC's itemized list of what a people-search profile can contain gives a sense of the range:

  • Identity and contact: full name, aliases and former names, birthdate, current and past home addresses, phone numbers, and email addresses.
  • Life and records: education, employment, property records, and details drawn from marriage, divorce, bankruptcy, and court filings.
  • Relationships: relatives, associates, and links to social-media accounts — the connections that tie an anonymous handle to a real family.
  • Inferred traits: beyond the facts, brokers guess. The FTC found they sort people into scored segments and infer sensitive attributes — interests, income band, and more — from patterns in the data.

Two things make this worse than it sounds. First, the profiles can simply be wrong. In a case that reached the U.S. Supreme Court, Spokeo, Inc. v. Robins, a man found the site's profile of him falsely said he held a graduate degree, was a married professional, and was well off — when he was, in fact, unemployed. A guessed-at profile of a teenager can be just as inaccurate, and just as public. Second, the same underlying record is spread across many sites; a 2024 peer-reviewed study found a handful of companies sit behind most of the people-search sites people recognize.

It helps to make this concrete. Picture a 16-year-old who reuses one gaming handle everywhere, mentions their high school in a bio, and appears in a parent's public post celebrating a move to a new house. Separately, none of that seems dangerous. But a people-search site already lists the family's address from property records — so a broker (or anyone reading one) can stitch the handle to the school, the school to the town, and the town to the exact front door. Your teen never handed any single site the full picture; the profile is assembled from them, piece by piece.

The real risks

A single folded paper key casting a long soft shadow across a sage surface

The risk is not that a profile exists — it is what an exposed profile makes possible: identity theft, doxxing, and scams that feel personal because they are built from real details. It is worth being precise here, because the honest picture is less frightening than the marketing around it, and more useful.

Identity theft. A minor's Social Security number is a clean slate with no credit history, which makes it valuable and lets misuse go unnoticed for years. Child identity fraud is real and sizeable: a 2022 Javelin study estimated 915,000 U.S. children were victims of identity fraud in a single year, and that 1.7 million had data exposed in a breach. But here is the caveat the fear-sellers skip: the single largest source of child identity theft is not anonymous brokers — it is people the child knows, often a relative. Brokers and breaches are the stranger vector; treat them as one exposure to manage, not the whole story.

Doxxing and stalking. This is where broker data does the most direct harm. A people-search listing hands over exactly what someone needs to find a person in the physical world — names, current and past addresses, phone numbers, and linked accounts. The anti-violence network NNEDV describes these sites as a standard tool for locating people, and removing a record is one of the few things that can keep a stranger from learning it. If your teen is ever targeted, our guide on doxxing and how to protect your teen walks through the response step by step.

Tailored scams. Real details make a phishing message or a fake “you've won” text far more convincing. A scammer who already knows a teen's name, town, and school does not have to guess — the personal touch is what gets a guarded teenager to click.

When it crosses into coercion, get real help. Occasionally exposed personal details are used to threaten or extort a young person — for example, threats to “dox” or send police to their home, or sextortion that pressures them for images or money. This is not something to handle alone. In the U.S., call 911 if anyone may be in immediate danger, report online exploitation of a minor to the FBI's IC3 and to NCMEC's CyberTipline, and if your teen is in crisis, call or text the 988 Suicide & Crisis Lifeline. Make clear to your teen that being targeted is not their fault.

Opting out: a realistic guide

A wide paper sheet being trimmed down to a small neat square on a sage surface

To opt out, you work through the biggest sites one at a time, use search-engine removal tools, and — if you are in California — send a single deletion request to every registered broker at once. You will not clear everything, but you can take down the most sensitive, most-viewed listings, which is where most of the real risk sits.

Start with the largest people-search sites. Each has its own opt-out page, each usually requires you to find the specific listing and confirm by email, and each may hold more than one record — so this is a sit-down-for-an-afternoon task, ideally done with your teen so they learn the habit:

These opt-out pages and their verification steps change often, so follow the instructions on each site's live opt-out page rather than a saved link. Next, use Google. Its Results about you tool flags search results that expose a home address, phone, or email and lets you request removal — though note it is currently for adults 18 and over, so for a younger teen a parent uses Google's standard removal request forms instead. Google also runs a dedicated process to remove images of anyone under 18 from image results, and a parent or guardian can file it on the child's behalf. Removing a search result does not delete the source, but it makes the detail far harder to stumble onto.

If you live in California, there is now a shortcut worth using. The state's DROP (Delete Request and Opt-out Platform), created under the Delete Act, lets a resident submit one request that directs every registered data broker — over 600 of them — to delete their data. Critically for families, the state agency confirms that a parent may submit a request on behalf of a child. Consumers can submit requests as of January 2026, and brokers must begin honoring them by August 2026 and re-check the platform at least every 45 days. It covers only California residents and California-registered brokers, and it will not erase underlying public records — but it replaces hundreds of separate opt-outs with one.

Finally, a word on paid removal services, because parents ask. They help, but less than the ads imply. A 2024 Consumer Reports study found the services removed only about 35% of a person's listings after four months — and that doing the opt-outs by hand worked around 70% of the time, beating every paid service tested (Optery and EasyOptOuts performed best). Choose carefully: reporting revealed that one service, Onerep, shared ownership with an active people-search broker. Consumer Reports' free Permission Slip app is a low-effort middle path that sends stop-selling requests on your behalf.

Why removal is whack-a-mole

A folded paper card popping back up again and again in a receding row on a sage surface

Removal is whack-a-mole because brokers constantly rebuild their databases from the same public sources you can't delete — so a record you take down today can quietly reappear months later. Knowing this in advance is what keeps opting out from feeling like failure.

The FTC is candid about it: opting out does not delete the underlying public records, so if those records change your information can reappear for sale, and it can still surface through the listings of relatives and neighbors. Many privacy laws also carve out “publicly available information,” which means data pulled from public filings often stays fair game even where deletion rights exist. And the sheer number of brokers — an April 2025 analysis counted around 750 across state registries, and that is only the ones that registered — means no family can hand-clear them all.

You can even see the assumption built into the law. California's DROP requires brokers to re-check the deletion platform at least every 45 days — a rule that only makes sense because everyone involved knows the data keeps coming back. So reset the expectation: opting out is not a one-time delete, it is periodic maintenance, twice a year or so. Which is why the most durable protection is not removal at all — it is making sure less gets collected in the first place.

Long-term data hygiene

A small tidy stack of folded paper squares held closed by a paper band on a sage surface

The durable win is minimizing what gets collected — a handful of habits that quietly shrink your teen's footprint at the source, so there is less for any broker to gather, merge, and sell. Do these with your teen, not to them; the aim is a young person who understands why, not one who feels policed.

  • Freeze your teen's credit. Since 2018, federal law lets a parent place a free credit freeze on a child under 16 at all three bureaus (a 16- or 17-year-old usually has to place their own — check each bureau's process). It is the single most effective step against identity theft on that clean-slate SSN, and it stays until you lift it.
  • Lock down app permissions — especially location. Apps are a main pipeline of precise location to brokers. Review each app's access to location, contacts, and photos, and set location to “while using” or off. Limit ad tracking too: on iPhone, turn off “Allow Apps to Request to Track” (Settings › Privacy & Security › Tracking) and review Location Services; on Android, delete or reset the advertising ID and turn off ad personalization. Screen Time on iPhone and Family Link on Android can lock these choices in place.
  • Minimize what's out there. Use a separate email for shop and sign-up accounts, keep usernames unique so profiles are harder to link, delete old accounts nobody uses, and skip the fun online quizzes — many exist to harvest answers as data.
  • Opt out of school directory information. Ask the school how to exclude your teen's details from “directory information” releases; it is usually a single form at the start of the year.
  • Re-check twice a year. Put a recurring reminder to re-run the big opt-outs and re-search your teen's name, since listings return.

None of this requires vanishing from the internet, and none of it works as a single heroic afternoon. It works as a rhythm. The same habit that shrinks broker exposure — knowing what is out there and tidying it regularly — is the one that protects your teen everywhere else too. If you want a place to start, sit down together and audit your teen's footprint, then work through the pillar guide's walkthrough on cleaning up and locking down. For the bigger picture of what a footprint even is, start with what a digital footprint is.

Keep the long view. Your teen's data being out there is not a verdict on your parenting or their carefulness — it is the default condition of growing up online in a market built to collect. What you can control is how much is exposed and how routinely you tend it. Do that, and you turn an overwhelming problem into a manageable, twice-a-year habit.

Frequently asked questions

What is a data broker, in simple terms?

A data broker is a company that collects personal information about people from many different sources and sells it — usually to marketers, other companies, or anyone who pays — without ever having a direct relationship with the people whose data it holds. California's privacy agency defines one as a business that knowingly collects and sells the personal information of consumers it has no direct relationship with. Your teen never signed up, never agreed, and in most cases has no idea the company exists; the broker simply assembles a profile from records that are already out there.

How do data brokers get a teenager's personal information?

Mostly from ordinary activity, not hacking. Apps and games quietly share location and device data through embedded advertising code; ad auctions can broadcast device and location data as ads load; schools can release basic "directory information"; public records like property and court filings are bought in bulk; and data breaches spill everything into circulation. The U.S. Federal Trade Commission found in 2024 that major platforms often treat teen users the same as adults and retain their data, including information bought from brokers. Because so much is collected indirectly, a teen's profile can exist even though they were careful.

Is it legal for data brokers to collect and sell a minor's data?

In much of the U.S., yes. The federal children's privacy law, COPPA, mainly limits how online services collect data from children under 13 — so for a 13-to-17-year-old there is no comparable national rule stopping brokers from collecting and selling their data. Some states have started to fill the gap: California requires brokers to register and honor deletion requests, and a handful of states now extend protections to under-18s. But absent a specific state law, much of a teen's data is collected and traded legally, which is exactly why family-level habits matter.

How do I remove my teen's information from data brokers?

Work through it in order. Opt out of the biggest people-search sites directly (Spokeo, Whitepages, BeenVerified, Intelius, Radaris) — each has its own opt-out page and needs its own request. Use Google's tools to remove personal details and, for anyone under 18, request removal of their images from Search. If you live in California, the state's new DROP tool lets you send one deletion request to every registered broker at once, and a parent can file it on a child's behalf. Then plan to repeat the checks, because records reappear.

Can you ever fully delete your data from data brokers?

Realistically, no — and it helps to know that going in. Brokers constantly rebuild their databases from public records and commercial feeds, so a record you remove can reappear months later. The FTC itself notes that opting out does not delete the underlying public records, and your teen's details can still surface through relatives' listings. The honest goal is to shrink and bury what is exposed, keep the most sensitive details (home address, phone) off the big sites, and treat removal as twice-a-year maintenance rather than a one-time fix.

Do paid data-removal services actually work?

Partly, and less than their marketing suggests. A 2024 Consumer Reports study found that removal services cleared only about 35% of a person's listings after four months — and that doing the opt-outs manually worked roughly 70% of the time, beating every paid service tested. If you want the convenience, the better performers were Optery and EasyOptOuts; be cautious about who you trust, since one service, Onerep, was found to share ownership with a data broker it was supposed to remove you from. Consumer Reports' free Permission Slip app is a reasonable middle option.