TL;DR: Congress's Joint Economic Committee released a report on February 27, 2026, calculating that four major data broker breaches cost Americans over $20.8 billion in identity theft losses. The investigation, led by Senator Maggie Hassan (D-NH), also caught five registered data brokers using "no-index" tags to hide their legally-mandated opt-out pages from search engines. Four companies fixed the problem after Hassan's inquiry. One refused to respond at all.

$20.8 Billion: The Receipt

The Joint Economic Committee did the math on four data broker breaches from the past decade [1]:

  • Equifax (2017): 147 million people exposed
  • Exactis (2018): 230 million people exposed
  • National Public (2023): 270 million people exposed
  • TransUnion (2025): 4 million people exposed

Combined exposure: 651 million records. The calculation used identity theft occurrence rates and a median loss of $200 per incident to reach the $20.8 billion figure [2].

That's just four breaches. Data brokers leak constantly. These are only the ones big enough to make headlines.

The Opt-Out Pages Nobody Could Find

CalMatters and The Markup discovered something in their reporting: data brokers were deliberately hiding opt-out pages from search engines [3].

Here's the trick. California law requires data brokers to let you opt out. But nobody said the opt-out page has to be searchable. These companies added "no-index" code to their privacy pages, a tag that tells Google and Bing: don't show this in search results.

The result: when you Googled "[company name] opt out," you found nothing. The page existed. You just couldn't find it without knowing the exact URL.

Senator Hassan's office in August 2025 sent letters to five companies registered as data brokers in California:

  • Comscore
  • Findem
  • IQVIA Digital
  • Telesign
  • 6sense Insights

All five had no-index tags on their opt-out pages.

Four Companies Fixed It. One Ghosted Congress.

After Hassan's inquiry, Comscore, Telesign, 6sense, and IQVIA took action [1]:

  • Removed the no-index tags from opt-out pages
  • Added opt-out links in more visible locations
  • Published content explaining how to exercise privacy rights

Findem didn't respond. At all. No changes. No explanation. Nothing.

"Data brokers shouldn't make it harder for people to protect themselves," Hassan said in the report. "It is encouraging that after we launched our investigation, many companies took steps to improve opt-out options." [1]

The report notes that the no-index tactic wasn't technically illegal, just deeply sketchy. Meeting the letter of the law while burying the compliance mechanism from anyone trying to use it.

Why This Matters Beyond the Numbers

Data brokers collect everything: your name, address, income, health conditions, browsing habits, purchase history, location data. They sell it to anyone willing to pay: advertisers, insurance companies, background check services, and occasionally people who shouldn't have it.

When these companies get breached, the fallout cascades. Your data doesn't just appear once on the dark web. It gets copied, combined with other leaks, and sold repeatedly. The 2017 Equifax breach data is still being used in fraud schemes nine years later.

And the $200 median loss per identity theft victim? That's the direct financial hit. It doesn't count the hours spent on hold with credit bureaus, the loan applications rejected, the rental denials, or the stress of watching your credit score tank because someone opened accounts in your name.

What You Can Do

Check if You're Exposed

Use Have I Been Pwned to see if your email appeared in known breaches. If you're in Equifax, National Public, or TransUnion's breach data (and statistically, you probably are), freeze your credit now.

Freeze Your Credit

Free at all three bureaus. This stops new accounts from being opened in your name. Equifax, Experian, TransUnion.

Use California's Data Broker Registry

California requires data brokers to register and provide opt-out links. The state registry lists 500+ companies. Go down the list. Opt out of each one. Yes, it takes hours. That's by design.

Delete Me Services

Services like DeleteMe or Kanary automate opt-out requests. Worth considering if you don't have time to submit 500 forms manually.

Congress Knows. Nothing Changes.

This isn't the first congressional report on data broker harms. It won't be the last. The U.S. still has no federal data broker regulation.

California's Delete Act (SB 362) created an automated opt-out system launching April 1, 2026. But that only covers California, and only companies that register as data brokers. The industry is largely honor-system compliance.

Meanwhile, data brokers keep collecting. Keep selling. Keep getting breached. And Americans keep paying the $20.8 billion price tag.

References

  1. Joint Economic Committee - Senator Hassan Finds That Data Broker Breaches Cost U.S. Consumers More Than $20 Billion (February 27, 2026)
  2. CalMatters - Following CalMatters investigation, Congress finds data brokers cost consumers tens of billions of dollars
  3. The Markup - Following Markup investigation, Congress finds data brokers cost consumers tens of billions of dollars
  4. Joint Economic Committee - Full Report: Opt-Out Obstacles (PDF)