Site Rankings

Privacy scores from our latest analysis of each site. Updated as new analyses land.

Sites analyzed: 1,023
Sites queued: 694
Most recent analysis: updated today

Best 5

#1  proton.me  (privacy score: 10)
Proton publishes a gold-standard privacy policy. Strong commitments: no selling of data, no targeted advertising, no profiling, no logs (per product), end-to-end encryption by default for Mail, Drive, Calendar, VPN, Pass, Wallet, Meet, Lumo. Encrypted content cannot be decrypted by Proton itself. Only minimal billing info retained (name + last 4 of credit card). Swiss-law-governed with published transparency reports about data requests. As a privacy-first company, Proton's policy is the closest the analyzed sample gets to architectural privacy.
Also covers: protonmail.com
#2  brave.com  (privacy score: 10)
Brave (privacy-focused web browser + search engine) — extraordinary privacy posture by design. Brave does NOT collect or retain user browsing history. Explicit no-buy/no-sell/no-share of personal data about consumers. Brave Ads on New Tab Page is opt-out; Brave Search ads can be blocked via 'Aggressively block trackers and ads' in Brave Shields. Anonymous-data contribution is opt-in. Full GDPR/CCPA rights catalog. The score reflects the genuinely no-tracking-by-design browser architecture, no-sale/no-share/no-buy posture, and opt-in-only anonymous data contribution — among the strongest browser privacy postures.
#3  levels.com  (privacy score: 9)
Levels handles some of the most sensitive data imaginable - continuous glucose readings, lab results, uploaded medical documents, and imported Apple Health/Google Fit data - and its policy is built around a clear, repeated commitment not to monetize or sell any of it, for advertising or otherwise. The privacy principles put control with the user (see, export, delete your own data), and the practices back this up: aggregated de-identified data for research, an explicit opt-out of research contribution, in-app toggles for device integrations and analytics, and deletion honored within a month. The AI handling is genuinely careful for 2026: prompts and selected account data sent to OpenAI, Anthropic, Google and xAI have direct identifiers stripped and replaced with an internal user ID, the providers are contractually barred from training their models on Levels data, and clinician-note and telemedicine flows run under HIPAA Business Associate Agreements. The honest caveats: data is retained indefinitely after the relationship ends unless you ask for deletion; a long sub-processor list (Snowflake, Datadog, PostHog, Stripe, Abbott, Dexcom, Quest, LabCorp, and more) necessarily touches your data; and Levels itself is not a HIPAA covered entity, so much of this protection rests on contract rather than statute.
#4  audacity.com  (privacy score: 9)
Audacity's desktop privacy notice is a model of data minimisation. The app requires no account and asks for no name, address or contact details. Every network feature is optional and individually controllable: update checking can be disabled, error reports are sent only with per-report permission, and the analytics UUID is created only if you affirmatively opt in. What little is collected is aggressively stripped of identity: update-check IPs are immediately truncated to three octets, error-report IPs are discarded entirely along with all file paths, and the random UUID is never linked to identifiable information. Nothing is stored or shared by default, nothing is sold, and all data is deleted within twelve months. Because Audacity is open source, these claims are independently verifiable by inspecting the source code or watching network traffic. The only third-party disclosure is the UUID, and only if you both opt in and register with Audio.com. The single modest caveat is that GDPR rights can be limited in practice precisely because the Team anonymises or discards identifying data by default, so there is often nothing left to tie a request to.
#5  mullvad.net  (privacy score: 9)
Mullvad's Privacy Policy (last updated 10 July 2025) is a model privacy-first policy for a VPN provider, built around anonymity and data minimization. It commits to never storing activity logs or metadata, performs no automated decision-making or profiling, runs no advertising, and stores and processes personal data only within the EU/EEA (no third-country transfers). The only personal data processed is what is unavoidable: payment details (handled largely through payment processors) and the contents of support emails/problem reports, with app problem reports redacted of IP addresses, account numbers, and other PII. Retention is concrete and short - payment transaction IDs deleted after 20 days, support correspondence permanently erased after 70 days, with longer retention only where statutorily required (e.g., Swedish Accounting Act). Sharing is confined to email and payment service providers acting as processors under confidentiality. Data-subject rights are honored, with the candid caveat that Mullvad usually holds no data to return. The minor, unavoidable processing of payment and support data is all that keeps this from a perfect score.

Worst 5

#1  experian.com  (privacy score: 2)
This is Experian's U.S. Consumer Data Privacy Policy (last updated April 8, 2026), covering the data-broker and marketing arms of the credit bureau, including Experian Marketing Solutions, Experian Health, and Experian Information Solutions (all registered data brokers under Texas law). The defining feature is that selling personal information is the core business and the default: Experian states it has 'disclosed and sold' personal information in the past 12 months, and the categories sold include not just names, addresses, and Social Security numbers but sensitive data such as financial account credentials, precise geolocation, and racial or ethnic origin, religious or philosophical beliefs, citizenship/immigration status, and union membership, disclosed to dozens of industry categories including marketing companies, data compilers, and political organizations. Notably, this policy does NOT cover Experian's core credit-reporting data, which is carved out under the FCRA and GLBA exemptions, so the rights here do not touch your credit file. To its credit, Experian has built sophisticated rights machinery: consumers in all states (not just those with privacy laws) can use its portal to access, delete, correct, port, and opt out of sale/sharing; it honors the Global Privacy Control; it commits not to reidentify deidentified data; it does not sell biometric data or data of minors under 16; and it publishes annual request metrics showing high compliance and roughly 2-3 day response times (including 2,537 opt-out-of-sale requests in 2024). But the rights are opt-out, not opt-in, and the underlying practice, brokering sensitive identifiers and demographic profiles for marketing and decisioning, is among the most privacy-invasive models in the market.
#2  infogroup.com  (privacy score: 2)
Data Axle (operating data-axle.com / infogroup.com) is an explicit data broker — registered as such under Texas law, with the required statutory disclaimer at the top of the policy. The business model is collecting Personal Information from data suppliers, public sources, surveys, subscriptions, business partners, and consumer-facing companies, then selling it (and derived 'Data Segments' / consumer-attribute groupings) to a wide range of customers across financial services, insurance, government, retail, marketing, etc. Data is appended across online/offline channels using cookies, tags, and device identifiers to enable cross-channel marketing. Consent is broadly framed: 'By agreeing to this privacy policy, you hereby consent to Data Axle using your personal information for commercial purposes now, and at all times in the future, regardless of when or how Data Axle acquired your personal information, unless and until you opt out…' The transparency layer is reasonably mature — published 2024 metrics showing 41,069 Do Not Sell requests fulfilled (0 denied), 37,141 deletion requests fulfilled (0 denied), and EU/UK/Swiss DPF certifications. AI tools used to process PI are internally hosted and explicitly not used to train third-party AI models — a positive. Despite a candid policy and operational compliance footprint, the underlying activity (mass aggregation and sale of consumer PI without direct consumer relationships) is fundamentally privacy-adverse and warrants a low score regardless of policy quality.
#3  spokeo.com  (privacy score: 2)
Spokeo's business model is people-search: aggregating publicly available consumer data (phone directories, property records, court records including arrest/warrants/sex-offender data, social profiles, vital statistics) and selling access to it via subscription. The privacy policy is candid about this: removal of Public Information from Spokeo listings is possible but does NOT remove it from the third-party public sources, does not apply to GLBA-regulated data sold to qualified businesses/government agencies, does not cover Spokeo's other products, and court records cannot be opted out of without a court Order of Expunction or Sealing. Search queries can be disclosed to the subject of the search, overriding general confidentiality claims. Standard ad-tech sharing with Microsoft/Meta/Google/Quora/Pinterest/X is acknowledged. Do Not Track is explicitly not honored. The CCPA metrics disclosure (49/49 KTKs, 8/8 deletions with §1798.145 carve-outs in 2024) is unusually transparent and a credit. Despite candid disclosures and a broad state-law rights catalog, the underlying product is selling personal information about individuals who did not give Spokeo their data — a fundamentally privacy-adverse category that warrants a low score regardless of the policy quality. The score reflects the inherent privacy harm of data-broker people-search rather than any defect in the policy itself.
#4  kbb.com  (privacy score: 3)
Kelley Blue Book operates under the Cox Automotive privacy notice, which also covers Autotrader and tracks you well beyond kbb.com: Cox collects your activity on partner auto-dealer and manufacturer websites, including where you hover and click and what you type into their forms, using cookies, pixels, SDKs, session replay, and device fingerprinting. Collection is sweeping: identifiers, driver's license, demographic data including ethnicity, sexual orientation and religious beliefs, financial and credit information, biometric selfies, precise geolocation, and inferences bought from data brokers. Cox admits that in the past year it sold or shared identifiers, protected-class characteristics, commercial information, internet activity, geolocation, and inference profiles with ad networks, and it uses sensitive personal information, including precise geolocation and racial/ethnic origin sourced from data brokers, for marketing and targeted advertising. Retention is indefinite for key categories on the rationale that car purchases are infrequent. On the plus side, it honors Global Privacy Control, offers the full suite of state privacy rights with appeal, and excludes under-18s. Do Not Track is not supported.
#5  people.com  (privacy score: 3)
People Inc. - the publishing family operated by Dotdash Meredith, spanning People, Allrecipes, Investopedia, Verywell, Better Homes & Gardens, Food & Wine, Travel + Leisure and dozens more - runs a single, advertising-maximal privacy policy across all of its brands. It collects an unusually broad and sensitive set of data: demographic details down to income, race, marital status and household size; health- and fitness-related information; and behavioral analytics that include 'mouse movements, scrolling, clicks, and keystroke activity.' It then feeds this into a full programmatic-advertising stack - ad exchanges, identity resolution providers, data management platforms and clean rooms - and uses LiveRamp as a joint controller to convert your hashed email into a cross-device identifier shared with advertising companies. Most pointedly, its U.S. state notice states it may have 'sold' and 'shared' identifiers, geolocation, internet activity and sensitive data, and flatly warns: 'NOTICE: We may sell your sensitive personal data.' It also reserves the right to train its AI and machine-learning models on your information. The counterweight is a genuinely comprehensive rights-and-opt-out apparatus: it honors Global Privacy Control, offers Your Privacy Choices plus DAA/NAI/Nielsen/LiveRamp and Nevada opt-outs, grants full US-state and GDPR rights including limiting sensitive data, participates in the IAB Europe TCF, and carves mobile phone numbers out of marketing sharing. But a policy whose own notice says it may sell your sensitive personal data lands near the bottom.
Also covers: allrecipes.com, bhg.com, brides.com, byrdie.com, eatingwell.com, ew.com, foodandwine.com, health.com, instyle.com, lifewire.com, liquor.com, marthastewart.com, mydomaine.com, parents.com, peopleenespanol.com, realsimple.com, seriouseats.com, shape.com, simplyrecipes.com, southernliving.com, thebalancemoney.com, thespruce.com, thespruceeats.com, thesprucepets.com, thoughtco.com, travelandleisure.com, treehugger.com, tripsavvy.com, verywellfamily.com, verywellfit.com, verywellhealth.com, verywellmind.com