Can Companies Legally Sell Your Personal Data?

Short answer: It depends on where you live. In the United States, most companies can sell your personal data unless you tell them to stop. In the European Union, selling personal data without a valid legal basis like your explicit consent may violate GDPR. The rules are different depending on your country, your state, and the type of data involved.

Can companies sell your personal data without telling you? If you’ve ever searched for a product online, only to see ads for it everywhere else within minutes, you’ve already felt the answer. Your browsing habits, purchase history, location data, and even your health interests get collected, packaged, and transferred between companies often before you’ve had a chance to read a single privacy policy. The uncomfortable truth is that in many places, this is perfectly legal. But a growing number of laws are starting to change that, and knowing which ones apply to you is the first step toward taking back control. If you’re new to data privacy law, our guide on What Is GDPR and Why Should You Care covers the basics of Europe’s approach.

The Short Version

  • In the U.S., companies can generally sell your data unless you actively opt out and only if you live in a state with a privacy law that gives you that right.
  • Under the EU’s GDPR, companies need a lawful basis (usually your consent) before processing or sharing your personal data with third parties.
  • The UK GDPR follows similar rules to the EU, enforced by the Information Commissioner’s Office (ICO).
  • As of 2026, roughly 20 U.S. states have privacy laws on the books, but there is still no federal privacy law covering the entire country.

What “Selling Your Data” Actually Means Under the Law

When most people hear “selling data,” they picture a company handing over a spreadsheet of names and email addresses in exchange for cash. The legal definition is much broader than that.

In California, the CCPA defines a “sale” as selling, renting, releasing, disclosing, or transferring personal information to another business or third party for monetary or other valuable consideration. That last part matters. A company doesn’t need to receive cash if it gets any benefit in return, like free analytics, advertising services, or audience data, the transfer may count as a sale under state law.

In the EU, GDPR doesn’t use the word “sale” at all. Instead, it regulates any processing of personal data which includes collecting, sharing, transferring, or making it available to others. Any company that wants to process your data must have one of six lawful bases listed in Article 6 of the regulation. The most common one people hear about is consent your clear, informed agreement. But companies also rely on bases like “legitimate interest,” which has been the subject of growing debate and legal challenges across Europe.

In the UK, the framework mirrors the EU approach. The UK GDPR (retained after Brexit) still requires a lawful basis for data processing, and the ICO can investigate and fine companies that don’t comply.

The practical takeaway: whether or not a company “sells” your data in the traditional sense, your information is almost certainly being shared, transferred, or made accessible to other parties. The legal question is whether that activity requires your permission.

Real-World Examples

The “free” app that isn’t free. You download a weather app that doesn’t charge you a penny. But it collects your location data 24/7 and shares it with advertising networks and data brokers companies whose entire business model revolves around buying and reselling personal information. Under CCPA, this counts as a “sale.” Under GDPR, it likely requires your explicit consent, especially for location data, which is considered sensitive.

The loyalty card trade-off. A retail chain offers a loyalty program with discounts and points. The sign-up form mentions that your purchase history may be shared with “marketing partners.” In the U.S., this disclosure in a privacy policy is often enough to make the sharing legal as long as you had the chance to opt out. In the EU, the company would generally need to get your active, informed consent before sharing that data with outside partners.

The data broker pipeline. Your name, address, phone number, income bracket, and online browsing habits end up on data broker databases aggregated from public records, online purchases, social media activity, and app usage. These profiles get sold to advertisers, insurance companies, landlords, and more. California now requires data brokers to register with the state and participate in the Delete Request and Opt-Out Platform (DROP), launched January 1, 2026. This system allows consumers to send a single deletion request to all registered data brokers in California at once.

What People in This Situation Typically Do

  1. Check which laws apply. Privacy rights depend on where you live. California, Colorado, Connecticut, Virginia, Texas, and roughly 15 other U.S. states now have privacy laws. EU residents are covered by GDPR. UK residents fall under UK GDPR.
  2. Submit opt-out requests. In states with data selling laws, companies must include a “Do Not Sell or Share My Personal Information” link on their websites. Under CCPA, you click that link, submit the request, and the company must stop selling your data. As of 2026, companies must also honor Global Privacy Control (GPC) signals a browser-level setting that automatically tells websites not to sell or share your data.
  3. Request data deletion. Under GDPR, you can ask any company to delete your personal data the so-called “right to erasure.” Under CCPA, California residents have a similar right. Several other U.S. states now offer this too.
  4. Use data removal services. For people who don’t want to send individual requests to dozens of data brokers, paid services can handle the process at scale (see “Tools That Can Help” below).
  5. File a complaint. If a company ignores your request, EU residents can file a complaint with their national Data Protection Authority (DPA). In California, complaints go to the California Privacy Protection Agency (CPPA) or the state Attorney General’s office. Enforcement is real GDPR fines exceeded €7.1 billion cumulatively by early 2026, and Texas secured a $1.4 billion privacy settlement in 2025.

Tools That Can Help

If you want to reduce the amount of personal data floating around broker databases, these services handle opt-out requests on your behalf:

  • DeleteMe Scans data broker sites and submits removal requests for you. Provides regular reports showing what was found and removed.
  • Incogni Sends automated data removal requests to brokers and tracks progress. Works continuously, not just as a one-time clean-up.

These tools don’t replace your legal rights, but they save significant time when dealing with dozens of brokers. Free alternatives exist too California’s DROP platform lets residents opt out of all registered data brokers in the state through a single request.

Related Articles

Frequently Asked Questions

Is it legal for Facebook to sell my data?

Meta (Facebook’s parent company) says it does not sell user data directly. Instead, it sells targeted advertising advertisers pay to reach specific audiences based on data Facebook collects about you. Whether that counts as “selling” data is debated. Under CCPA’s broad definition, some privacy experts argue it qualifies. Under GDPR, Meta must have a lawful basis for processing EU users’ data, and EU regulators have issued significant fines against the company for violations.

What data can companies legally share with third parties?

It depends on the jurisdiction. In U.S. states without privacy laws, companies can share nearly any data disclosed in their privacy policy. In CCPA states, consumers can opt out of the sale or sharing of their personal information. Under GDPR, companies can only share data if they have a valid legal basis and they must disclose who receives it and why.

How do I stop companies from selling my data?

In the U.S., look for the “Do Not Sell or Share My Personal Information” link on company websites. Enable Global Privacy Control (GPC) in your browser to automatically signal your preference. In the EU, you can withdraw consent or object to data processing at any time. For data brokers specifically, California’s DROP platform and paid services like DeleteMe or Incogni can handle bulk opt-out requests.

Does GDPR stop companies from selling data?

GDPR does not ban the sale of personal data outright. Instead, it requires companies to have a lawful basis before processing (including selling) your data most commonly, your explicit consent. If a company sells data without proper authorization, it faces fines of up to €20 million or 4% of global annual revenue, whichever is higher. The regulation also gives individuals the right to object to data processing and to request deletion of their information.

The question of whether companies can sell your personal data doesn’t have a single yes-or-no answer it depends entirely on where you live and which laws apply. What’s clear is that the legal landscape is shifting fast. Twenty U.S. states now have privacy laws in place, GDPR enforcement is intensifying in Europe, and tools like California’s DROP platform are giving consumers new ways to push back. Staying informed about your rights is the most practical thing you can do right now.

This article is for educational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change frequently. For advice specific to your situation, consult a qualified attorney.

Sources & Further Reading

Leave a Comment