The companies selling your personal information in Australia — and what you can do about it

What a data broker is

A data broker collects, derives, or licenses personal information about individuals, then sells, licenses, or shares it to other organisations for purposes like risk scoring, marketing, fraud prevention, investigations, and analytics.

The industry spans two public-facing shapes: people-finder style sites that sell lookups to anyone with a credit card, and B2B databases sold into insurers, lenders, landlords, employers, and platforms you never interact with directly.

Market sizing estimates for the global data brokerage economy run into the hundreds of billions of USD by mid-decade; Australia is not a rounding error in that picture — local credit, property, loyalty, and marketing ecosystems generate high-value consumer graphs.

Australian data brokers by category

Credit and financial reporting agencies — Experian Australia, Equifax, Illion, and related bureaux — compile creditworthiness signals, repayment behaviour, defaults, and derived affordability estimates used in lending and insurance pricing.

Property intelligence firms — CoreLogic, RP Data, REA Group, Domain — transform search behaviour, valuations, and ownership signals into products sold into finance and insurance workflows.

Loyalty and retail programs — Flybuys, Woolworths Rewards, Everyday Rewards, Myer One — convert basket-level behaviour into segments that can be monetised through partnerships and ad tech pipes.

People-finder networks publish contact graphs and household composition signals. Marketing data platforms stitch mobile behaviour, demographics, and purchase intent across app ecosystems — often without consumers naming the downstream buyer.

How data brokers get your information

Brokers are not magical. They assemble profiles from a finite toolkit: public records and licenced government datasets where available, voluntary disclosures in terms and conditions, partnerships with publishers and loyalty schemes, inferred modelling from web and app telemetry, purchased feeds from other brokers, and breach-derived or scraped datasets where enforcement is uneven.

The result is a composite identity: not always accurate, but persuasive enough to price risk, target ads, and prioritise outbound sales.

Australian law still applies to much of this processing when organisations are APP entities or otherwise covered — which is why deletion rights can bite even when the industry prefers you never ask.

Why this is different from spam

Spam is annoying. Broker profiling is structural: the same attributes used to personalise an ad can influence whether you are offered a loan, how much you pay for insurance, whether a landlord short-lists you, or whether an employer buys a background report you never see.

Because the harm is statistical and delayed, it is easy to dismiss — until you are on the wrong side of a scoring threshold with no transparency into the underlying file.

That is the difference between ‘marketing’ and ‘market power’: brokers sell the infrastructure other industries use to decide.

American tools don't cover Australian databases

Products built primarily around CCPA and GDPR workflows optimise for US and EU legal triggers — web portals, statutory timelines, and broker lists tuned to those markets.

Australian brokers operating under the Privacy Act 1988 are a different compliance surface: different entities, different request language, different escalation paths, and different regulators.

If your data is in Equifax Australia, a US deletion workflow does not relocate it. You need Australian requests — ideally sent from your own email for standing — and a system that tracks Australian entities by default, not as an afterthought.