Right now, your personal information is for sale. Data brokers — companies whose entire business model is collecting, packaging, and selling personal data — hold detailed profiles on millions of South Africans. Your phone number, home address, email address, employment history, and in some cases your South African ID number are all available to anyone willing to pay, or often simply anyone willing to search.
Most people have never heard of data brokers, yet the average South African's personal information appears on between 50 and 190 different data broker sites. This is not a hypothetical threat — it is the infrastructure behind the spam calls, phishing emails, and identity theft attempts that plague millions of South Africans daily.
What Are Data Brokers and How Do They Operate in South Africa?
Data brokers are companies that collect personal information from multiple sources, aggregate it into detailed profiles, and sell or license that data to third parties. They are the middlemen of the personal data economy, and they operate largely invisibly.
In South Africa, data brokers collect information from several key sources:
- Public records: The Deeds Registry, CIPC company registrations, court records, and government gazettes are all scraped and indexed by automated systems.
- Telecom directories: Telkom's directory database, which feeds WhitePages SA and numerous directory listing sites, remains one of the largest sources of personal contact information.
- Social media scraping: Public Facebook profiles, LinkedIn data, Instagram accounts, and Twitter/X posts are harvested at scale. Even "friends only" content can leak through the contact-sharing permissions of apps like TrueCaller.
- Commercial transactions: Loyalty programmes, competition entries, online purchases, and warranty registrations all feed data into broker networks. That Pick n Pay Smart Shopper card or Clicks ClubCard generates data that can end up in aggregator databases.
- Data sharing between brokers: Brokers buy from and sell to each other, which is why removing your data from one site does not remove it from all of them.
"Data brokers know more about you than your bank does. They just do not have the same obligation to protect that information — which is exactly why POPIA matters."
Exactly What Information Data Brokers Sell
The depth of information available through data brokers is alarming. Depending on the source, a data broker profile on a South African individual can include:
- Full name and aliases — Including maiden names, nicknames, and variations of your name used across different platforms.
- Phone numbers — Current and historical mobile and landline numbers, often including the network operator.
- Physical addresses — Current and previous residential addresses, sometimes with property valuations from deed registry data.
- Email addresses — Personal and work email addresses, often sourced from data breaches and public profiles.
- South African ID number — The most dangerous data point. Your 13-digit ID number encodes your date of birth, gender, and citizenship status. In the wrong hands, it enables identity theft, fraudulent credit applications, and SIM swap fraud.
- Employment and education history — Scraped from LinkedIn and public CVs.
- Family relationships — Spouse, children, and associates, often inferred from social media connections and shared addresses.
- Financial indicators — Property ownership, vehicle registrations, and estimated income brackets.
Why This Matters: Identity Theft, Spam, and Doxxing
The data broker industry is not just a privacy nuisance — it is the root cause of several serious threats facing South Africans:
- Identity theft: South Africa has one of the highest rates of identity fraud in the world. The South African Banking Risk Information Centre (SABRIC) reported a 49% increase in digital banking fraud in 2024, much of it facilitated by personal data sourced from brokers and breaches.
- SIM swap fraud: Criminals use your personal data (name, ID number, address) to convince mobile operators to transfer your number to a new SIM, giving them access to your banking OTPs and two-factor authentication codes.
- Spam and robocalls: That daily barrage of insurance, timeshare, and "you have won" calls comes from marketing lists compiled and sold by data brokers.
- Doxxing and harassment: Anyone with a grudge can use data broker sites to find your home address, phone number, and family details. For journalists, activists, domestic violence survivors, and public figures, this is a genuine safety threat.
- Phishing attacks: The more personal data a scammer has about you, the more convincing their phishing emails and SMSes become. Data broker profiles give criminals the details they need to craft targeted, believable attacks.
"Every spam call you receive, every phishing SMS, every 'how did they get my number' moment — it almost always traces back to data brokers."
Your POPIA Rights Against Data Brokers
POPIA gives South Africans powerful tools to fight back against data brokers:
- Section 5: You have the right to know what personal information a responsible party holds about you and how it is being used.
- Section 11: You can object to the processing of your personal information, forcing the responsible party to stop unless they can demonstrate compelling legitimate grounds.
- Section 24: You can request deletion of personal information that is inaccurate, irrelevant, excessive, out of date, or obtained unlawfully — a description that covers most data broker holdings.
- Section 18: Responsible parties must notify you when collecting your personal information and tell you the purpose. Most data brokers have never done this, which means their entire collection may be unlawful under POPIA.
The 2025 amendments to POPIA enforcement guidelines have added teeth to these provisions, with the Information Regulator now able to impose fines of up to R10 million on non-compliant organisations. Data brokers who ignore your deletion requests are taking a significant legal and financial risk.
How OremAI Detects and Removes Your Data from Brokers
Fighting data brokers individually is like playing whack-a-mole. You remove your data from one site, and it reappears on three others. The only effective strategy is comprehensive, continuous monitoring and removal — which is exactly what OremAI provides.
OremAI's scan checks 19+ South African and international data broker sites for your personal information. Within minutes, you receive a detailed exposure report showing exactly which sites have your data, what information they hold, and how severe the risk is. From there, OremAI submits POPIA-compliant Section 24 deletion requests to every identified broker, tracks their 30-day compliance window, and follows up aggressively with non-compliant organisations.
Unlike international privacy services that treat South Africa as an afterthought, OremAI is built specifically for the South African data landscape. We know the local brokers, we understand POPIA, and we handle the entire process in a way that is legally sound under South African law.
Find out what data brokers know about you. Run your free OremAI scan today and take the first step toward shutting them down for good.