The Report
On February 27, 2026, the Joint Economic Committee released a report that puts a dollar figure on what the privacy community has warned about for years. Identity theft from four major data broker breaches cost U.S. consumers over $20.9 billion. Four breaches. The actual total across hundreds of brokers is far higher.
| Broker | Year | People Exposed |
|---|---|---|
| Equifax | 2017 | 147 million |
| Exactis | 2018 | 230 million |
| National Public Data | 2023 | 270 million |
| TransUnion | 2025 | 4.4 million |
Median expected loss per victim: $200. But the Equifax settlement alone was $425 million, with individual claimants seeking up to $20,000. The committee excluded massive incidents like the 2019 People Data Labs exposure because U.S.-specific breakdowns were unavailable. The real number is significantly higher than $20.9 billion.
They Were Hiding the Delete Button
The investigation revealed that data brokers were inserting noindex code into their legally mandated opt-out pages — hiding them from Google and every other search engine. The page existed. They made it invisible. You were never supposed to find it.
Senator Hassan sent investigative requests to five brokers. Four removed the noindex code. One company — Findem — did not respond to Congress at all. Their opt-out page still has the code. According to their own 2024 disclosures, Findem failed to process 80% of privacy requests. Eight out of ten people who asked to be deleted were ignored.
What This Means
1. Data brokers are a real financial threat. $20.9 billion in documented losses from four breaches. Your name, SSN, and financial records sit in databases run by companies that have proven they cannot keep that information safe.
2. Brokers actively resist your right to delete. Hidden opt-out pages. Ignored deletion requests. 80% of requests unprocessed. The system is designed to keep your data in their hands.
3. You have more legal leverage than you think. Twenty states have comprehensive privacy laws. California's DROP system lets residents request deletion from every registered broker at once. Legal citations and public pressure work — this congressional report proved it.
California’s DROP
The DROP system went live January 1, 2026. One request deletes your data from every registered broker in the state — over 500 companies. Free. Government-run. Brokers must comply within 45 days.
DROP only covers registered brokers. It does not cover facial recognition databases, plate reader networks, dating app data, or unregistered brokers. Individual removal work fills those gaps.
What You Can Do
Check your state. Twenty states have privacy laws as of 2026. If yours does, you have legally enforceable deletion rights. If not, submit opt-out requests anyway — most brokers honor them regardless.
Search yourself. Spokeo, BeenVerified, Whitepages, TruePeopleSearch. That is what everyone else can find, including scammers with your breached data.
Submit opt-outs. Tedious, multi-step, designed to discourage completion. If you have the time, do it yourself. If not, that is what we exist for.
They compile your information without consent. They sell it to anyone who pays. They get breached and expose hundreds of millions. And when you try to exercise your legal right to delete, they hide the button. That is the industry.
What It Comes Down To
The data broker pipeline — collect, aggregate, sell, breach, exploit — enables targeted financial scams at scale. When a criminal syndicate buys a profile with your name, address, phone, and SSN, the phishing email they send is not generic spam. It is targeted, convincing, and it works.
A United States senator had to intervene to make data brokers stop hiding legally mandated deletion pages. That tells you everything about how this industry operates.
— J. Daniel, Dark Scrub
Sources: Joint Economic Committee Minority Report (Feb 27, 2026); WIRED; CalMatters; The Markup.