A new minority report from Congress’s Joint Economic Committee says a small club of data broker firms has saddled U.S. consumers with more than $20 billion in losses, and it all traces back to a handful of massive breaches and some very hard-to-find opt out tools.
The document pins the damage on a few giant leaks and argues that obscure, often hidden data deletion pages make it far tougher for people to stop their personal details from being bought, sold and eventually exploited. The findings draw directly from months of reporting that showed how some brokers quietly buried the very pages where consumers are supposed to be able to reclaim their privacy.
The committee’s staff put a price tag of roughly $20.8 billion on identity theft and related losses by analyzing four blockbuster breaches and applying standard assumptions about victim losses, according to the Joint Economic Committee. They focused on the 2017 Equifax breach, an Exactis leak in 2018, National Public Data’s exposure in 2023 and a TransUnion incident in 2025, then used a median loss per identity theft case to turn the headcount of affected people into a national bill.
The probe traces back to an August investigation by The Markup and CalMatters, which found dozens of data brokers quietly tucking their opt out and deletion pages behind “no index” code and other dark patterns that kept them out of search results. That reporting lit a fire under Sen. Maggie Hassan, who demanded answers from several firms, and it pushed the committee to send formal information requests, as later covered by The Markup.
When the committee came calling, Comscore, IQVIA, Telesign and 6sense reported that they had cleaned up at least some of their act by removing no index tags, adding clearer opt out links or publishing step by step user guides. Findem, by contrast, did not respond and did not remove the hidden code, according to the Joint Economic Committee. Staffers called the fixes a start but said that hard to discover tools and uneven handling of privacy requests still leave people wide open to scams and fraud.
California rolls out a one click fix
California is trying a more direct approach. On January 1, 2026, the state launched its Delete Request and Opt Out Platform, or DROP, a one stop portal that lets residents file a single deletion request with more than 500 registered data brokers, the state agency says. Under the program’s schedule, brokers must start processing those requests on August 1, 2026, and can be penalized if they fail to follow through, according to CalPrivacy.
Why the committee’s math matters
To arrive at that $20.8 billion bill, committee staff pulled public estimates of how many U.S. records were exposed in each of the four incidents, then layered on standard victimization rates and a typical out of pocket loss of about $200 per identity theft case, as explained by CalMatters. The result shows how just a few colossal leaks can translate into widespread financial and administrative pain for millions of people.
What lawmakers want next
The committee is now pushing for opt out tools that are straightforward, prominent and easy to use, along with tougher oversight of the data broker industry to reduce the pool of exposed personal data and cut off a major route for scams, as detailed by The Markup. State systems like DROP give Californians a concrete way to wipe out some of their digital footprint, but privacy advocates argue that only federal rules or much stronger enforcement will make those protections standard nationwide.
Practical steps for consumers
In the meantime, experts say consumers should stick to the basics: keep an eye on credit reports, turn on fraud alerts, freeze credit when it makes sense and use any state level opt out tools that are available. Californians now have DROP in their toolkit. For everyone else, the report is a reminder that patchwork protections often mean cleaning up the mess after the next big breach lands.
