Data Brokers and Law Enforcement Access

Every day, a quiet marketplace trades in the details of your life. Data brokers are companies that collect, package, and sell personal information about millions of people who have never knowingly done business with them. The products they assemble can include your home address history, the apps on your phone, your shopping habits, your inferred religion or health conditions, and—most sensitively—the precise location of your phone over time. Increasingly, law enforcement agencies are among their customers. Understanding how this market works, and what the Constitution does and does not say about it, helps you make informed choices about your own privacy.

How data brokers build a profile of you

You rarely hand information to a data broker directly. Instead, brokers aggregate it from many sources and stitch the pieces together into a profile linked to your name or a device identifier. Common sources include:

  • Public records such as property deeds, voter registrations, court filings, and licenses.
  • Commercial transactions like loyalty programs, warranty cards, and online purchases.
  • Apps on your phone. Many free apps embed advertising software development kits (SDKs) that quietly transmit your location, device ID, and usage to third parties, who resell it.
  • Web tracking through cookies, pixels, and browser fingerprinting.
  • Other brokers, who buy and merge one another’s datasets, multiplying the reach of any single leak.

The result is a remarkably detailed dossier. Location data is especially revealing: a month of phone pings can show where you sleep, worship, seek medical care, attend protests, and meet friends. Even when a dataset is labeled “anonymous,” researchers have repeatedly shown that location patterns can be re-identified to a specific person.

Why law enforcement buys instead of subpoenaing

The Fourth Amendment generally requires police to get a warrant—approved by a judge and supported by probable cause—before searching places where you have a reasonable expectation of privacy. Buying data sidesteps that process. Rather than serving a court order on a phone carrier, an agency can simply purchase access to commercial location databases from a broker, often through ordinary procurement, without any judicial review or notice to the people whose data is included.

Federal agencies including components of the Department of Homeland Security and the IRS, along with state and local police, have acknowledged purchasing commercial location and other data. Agencies argue this is just buying a commercially available product. Civil-liberties advocates counter that the government is using a checkbook to obtain information it would otherwise need a warrant to get—a workaround sometimes called the data broker loophole.

The third-party doctrine and what Carpenter changed

The legal foundation for this practice is the third-party doctrine. In cases from the 1970s, the Supreme Court held that information you voluntarily share with a third party—such as the numbers you dial (Smith v. Maryland) or your bank records (United States v. Miller)—loses Fourth Amendment protection, because you no longer have a reasonable expectation of privacy in it. For decades, this principle let the government obtain many records held by businesses without a warrant.

That began to shift in Carpenter v. United States (2018). The Supreme Court ruled that the government generally needs a warrant to obtain historical cell-site location information (CSLI)—the record of which towers a phone connected to—from a wireless carrier. The Court reasoned that the “deeply revealing” nature of comprehensive location tracking, and the fact that carrying a phone is not truly voluntary in modern life, made the old doctrine a poor fit. Carpenter was a landmark, but the Court wrote it narrowly and did not overturn the third-party doctrine wholesale.

The unresolved gray area

Carpenter involved data the government compelled a carrier to hand over. It did not squarely decide whether the government may simply buy similar location data on the open market. Lower courts and scholars disagree about whether a purchase escapes the warrant requirement or whether Carpenter’s logic—privacy in the whole of your movements—should apply regardless of how the government acquires the data. This is an active, unsettled question, and the answer may differ by jurisdiction and by the type of data involved.

Proposed reforms

Lawmakers and regulators have responded on several fronts. Proposals such as the Fourth Amendment Is Not For Sale Act would bar agencies from buying data they would otherwise need a warrant or subpoena to obtain. The Federal Trade Commission has brought enforcement actions against brokers over the sale of sensitive location data, and several states have passed broker-registration and deletion laws. California’s Delete Act, for example, aims to create a single request that removes you from registered brokers at once. None of this is uniform nationwide, so protections vary widely by state.

Practical steps to shrink your footprint

You cannot erase yourself from every database, but you can meaningfully reduce what is collected and sold.

  1. Audit app permissions. On both iOS and Android, set location access to “While Using” or “Ask Every Time,” and revoke it entirely for apps that don’t need it—flashlights, games, and many utilities do not.
  2. Reset or limit your advertising ID. Turn off “personalized ads,” and on iOS disable “Allow Apps to Request to Track.” This breaks a key link brokers use to follow you across apps.
  3. Opt out of major brokers. Sites like Spokeo, Whitepages, BeenVerified, and Acxiom offer opt-out forms; a paid removal service can automate this if the manual process feels overwhelming.
  4. Tighten browser privacy. Block third-party cookies, use tracker-blocking extensions, and prefer a privacy-respecting search engine.
  5. Minimize what you share. Skip loyalty cards tied to your identity where you can, use a secondary email for signups, and review the privacy settings on social accounts.
  6. Use your state rights. If you live in California, Colorado, Connecticut, or another state with privacy laws, exercise your right to access, delete, and opt out of the sale of your data.

None of this requires technical expertise, and you don’t have to do it all at once. Each step you take removes a thread from the profile others can assemble. This article is general legal information, not legal advice; for your specific situation, consult a qualified attorney.

The Fourth Amendment protects the data on your phone and the digital location records it generates, so police generally need a warrant to search your device or track you through it, and that protection applies to state and local police through the Fourteenth Amendment.

Constitutional basis: Fourth Amendment, Fourteenth Amendment. Your state constitution may add further protections.

Key court cases:

These are landmark federal cases that establish the rights described above. How they apply can depend on your state, the federal circuit you are in, and the specific facts of an encounter. This is general legal information, not legal advice.

Frequently asked questions

Is it legal for police to buy my data from a broker?

Under current law it often is, because the data is treated as a commercially available product rather than a compelled search. This remains a contested legal gray area, and courts have not definitively settled whether buying sensitive location data requires a warrant. Some agencies have faced litigation and policy limits over the practice.

What did Carpenter v. United States actually decide?

In 2018 the Supreme Court held that the government generally needs a warrant to obtain historical cell-site location records from a phone carrier. The Court found that long-term location tracking is so revealing that the old third-party doctrine doesn't fit. It was a narrow ruling and did not eliminate the third-party doctrine for all records.

What is the third-party doctrine?

It is a legal principle holding that information you voluntarily share with a third party, like a bank or phone company, generally loses Fourth Amendment protection. The idea is that you no longer have a reasonable expectation of privacy once you share it. Carpenter created an important exception for comprehensive cell-site location data.

Can I completely remove myself from data brokers?

Not entirely, because brokers constantly re-collect information from public records and apps. You can substantially reduce your footprint by opting out of major brokers, limiting app permissions, and resetting advertising identifiers. In some states, deletion laws give you stronger rights to have data removed.

Which apps are the biggest source of location data?

Free apps that embed advertising SDKs are a major source, including some weather, navigation, gaming, and utility apps. They may transmit your location to third parties even when you aren't actively using them. Reviewing and restricting location permissions is the most effective single step you can take.

Do privacy laws protect everyone in the U.S. equally?

No. There is no comprehensive federal privacy law, so protections depend largely on your state. States like California, Colorado, and Connecticut offer rights to access, delete, and opt out, while residents of other states have far fewer options.

This article is general legal information, not legal advice, and may not reflect the most current law or the law in your jurisdiction. Laws vary by state and change over time. For advice about your specific situation, consult a licensed attorney.

Knowing your rights is the first step

Join thousands committing to calmly and consistently exercise their constitutional rights.

Take the Pledge