This story was originally published by CalMatters. Sign up for their newsletters.
Breaches at data brokers have cost American consumers more than $20 billion, Congress’s Joint Economic Committee revealed Friday as part of an investigation triggered by The Markup and CalMatters.
The estimated losses stem from identity theft linked to just four recent data breaches involving major brokers, the committee said in a report.
Released by the committee’s Democratic minority, the document repeatedly cited reporting into data brokers from The Markup and CalMatters, done in collaboration with WIRED.
The committee followed up directly on the Markup and CalMatters’ reporting, which in August showed how data brokers were hiding from search engines legally-mandated pages where Californians can request that the brokers delete or stop selling their data.
Shortly after that story was published, New Hampshire Democratic Sen. Maggie Hassan, ranking member of the committee, sent a letter pressing some brokers to explain their practices. In response, the report revealed, four major data brokers engaged with congressional staff and changed their practices to make it easier for consumers to control the use of their data.
Data brokers and the ‘no-index’ tag
Data brokers, as defined in the California law that requires brokers to provide consumers the so-called “opt out” pages, are companies that gather data on consumers, then sell that data to other companies who do not have a direct relationship with the consumers. Typically, companies buy such information from data brokers for marketing purposes.
Brokers can gather the data from information like public records, or more invasive methods like tracking online activity. Though brokers hold potentially sensitive information on consumers, many Americans are unaware they exist.
Under the California law, data brokers that reach a certain size are required to register and provide a clear way for consumers to request that their information be removed, that it not be sold or that they get access to it. But The Markup and CalMatters’ August story examined how several data brokers used code called the “no-index” tag on pages where consumers could exercise their right to opt out.
The tag is used to tell search engines not to index the page, meaning the information may not be returned in search results. The story noted that this created a barrier for consumers looking to block brokers from using their data. Many of the data brokers quickly removed the tag as the story was published.
In response to that initial reporting, Hassan independently contacted five major brokers, asking for more information about their practices. Only one registered broker, called Findem, declined to engage with staff or change its practices, the report said.
“Following Ranking Member Hassan’s requests, most companies took action to make their opt out and other privacy pages more visible for individuals, including by removing ‘no index’ code, adding opt-out links in more prominent locations, and publishing blog content that explains how consumers can exercise their privacy rights,” the report reads. “Ranking Member Hassan welcomes these actions as supporting greater protection for consumers against scams and other harms.”
Billions in losses
The report goes on to estimate the potential losses incurred by consumers because of recent data broker breaches, pegging the number at $20.8 billion.
Congressional staff found that hundreds of millions of people were exposed by just four major data broker breaches in the last 10 years. The breaches counted were a 2017 Equifax incident, impacting 147 million people, as well as others involving Exactis in 2018, 230 million people, National Public in 2023, 270 million people and TransUnion in 2025, 4 million people.
Using estimates of the number of people who experience identity theft after breaches, as well as an assumed median loss of $200 from thefts, the report arrived at the nearly $21 billion figure.
The report calls for action to prevent such losses in the future, including by filling gaps exposed by The Markup and CalMatters’ reporting on brokers.
“The Committee’s findings underscore the need for clear, easy access to opt-out options and more rigorous oversight within the data broker industry. Especially given the Committee’s calculation that U.S. residents have lost more than $20 billion in recent data breaches, additional action is needed to protect Americans from scams connected to data brokers,” the report reads. “At a minimum, opt-out options should be easy to locate and use.”
A new state website allows Californians to remove their personal information from hundreds of brokers at once. The Markup and CalMatters have a guide to using the website here.
