Spokeo

Overview

Spokeo is a people-search engine founded in 2006 by Harrison Tang in Pasadena, California. The company aggregates publicly available and commercially sourced personal information on hundreds of millions of Americans, making it searchable through a consumer-facing website that allows anyone to look up individuals by name, email address, phone number, or physical address.

Spokeo's database contains over 12 billion records drawn from public records, social media profiles, marketing databases, real estate listings, court filings, and other sources. These records are assembled into profiles that can include a person's full name, age, date of birth, current and historical addresses, phone numbers, email addresses, social media accounts, estimated income, property details, court records, relatives, and associates.

The company's business model is straightforward: Spokeo collects personal information without the knowledge or consent of the individuals profiled, aggregates it into searchable dossiers, and sells access to those dossiers through subscription plans starting at approximately $14 per month. The company generates revenue by monetizing the personal information of hundreds of millions of people who have no relationship with and likely no awareness of the company.

Spokeo occupies a distinctive position in the data broker landscape. While larger data brokers like Acxiom and LexisNexis primarily serve institutional clients, Spokeo democratizes personal surveillance by making comprehensive people-search capabilities available to any individual willing to pay. This accessibility creates unique risks, the same profiles used by skip tracers and investigators are available to stalkers, abusive ex-partners, scammers, and anyone else who wants to locate or research a specific person.

The company has been the subject of landmark legal proceedings, including a 2012 FTC enforcement action for FCRA violations and a Supreme Court case (Spokeo, Inc. v. Robins) that reshaped the legal landscape for privacy litigation standing requirements.

Spokeo is privately held and does not disclose detailed financial information. The company employs approximately 200 people and operates entirely from its Pasadena headquarters. Despite its relatively small size compared to data giants like LexisNexis or Experian, Spokeo's consumer-facing model gives it outsized cultural significance, for many Americans, a Google search of their own name returns a Spokeo profile as one of the top results, serving as their introduction to the data broker industry.

The people-search sector has proliferated since Spokeo's founding, with competitors including BeenVerified, Intelius, PeopleFinder, WhitePages, and Radaris offering similar services. This ecosystem collectively makes comprehensive personal information available to anyone, creating an environment where anonymity and pseudonymity are increasingly difficult to maintain. Spokeo was among the earliest companies to demonstrate the commercial viability of consumer-facing people-search, establishing the template that dozens of competitors now follow.

Data Collection Practices

Spokeo's data collection is built on the aggregation of publicly available and commercially sourced information from diverse sources:

Public records form the foundation of Spokeo's profiles:

• Property records and deed transfers from county recorders
• Voter registration files from available jurisdictions
• Court records including civil, criminal, and bankruptcy filings
• Marriage, divorce, birth, and death records
• Business filings and professional licenses
• Sex offender registries
• Campaign contribution records

Social media scraping has been a core Spokeo collection method since the company's founding. Spokeo systematically collects data from social media platforms including:

• Facebook, Instagram, and Twitter/X profiles
• LinkedIn professional information
• YouTube channels and activity
• Pinterest, Flickr, and other platform profiles
• Blog posts and personal websites
• Forum posts and community contributions

This social media data is combined with public records to create profiles that bridge individuals' online and offline identities, connecting a social media username to a real name, address, phone number, and relatives.

Commercial data sources supplement public records with data purchased from marketing databases, data brokers, and data aggregators:

• Estimated income and net worth ranges
• Purchase behavior and consumer interests
• Household composition and lifestyle indicators
• Education history and employment information
• Vehicle ownership records

Phone and email databases are compiled from directory listings, data partnerships, online sources, and user-contributed data. Spokeo allows reverse lookups, starting from a phone number or email address to identify the person associated with it.

Derived and inferred data extends profiles beyond directly collected information:

• Estimated wealth indicators based on property values and address characteristics
• Neighborhood demographics and socioeconomic profiles
• Relationship mapping connecting relatives and associates
• Social media influence and activity scores
• Historical data showing previous addresses, phone numbers, and household changes over time

Data freshness and persistence: Spokeo's database is continuously updated as new data enters the system, but old data is retained indefinitely. This means that an individual's profile may simultaneously show their current address (presenting a real-time location risk) and their address history going back decades (revealing patterns of movement, life transitions, and past associations). The retention of historical data creates a permanent digital trail that individuals cannot erase.

The aggregation itself creates privacy harm beyond what any individual data source would produce. A voter registration record, a property deed, and a social media profile are each relatively innocuous alone. Combined into a single, searchable profile linked to a person's real identity, they become a surveillance tool.

Known Clients & Government Contracts

Spokeo's client base is distinctive among data brokers in that it primarily serves individuals rather than institutions:

Individual consumers are Spokeo's primary revenue source. People use the service to look up old friends, research online dates, investigate neighbors, check on relatives, and satisfy curiosity about others. While many uses are benign, the same access enables:

• Stalking and harassment (locating victims who have moved to escape abusers)
• Doxxing (publishing personal information to enable coordinated harassment)
• Scamming (using personal details to craft convincing social engineering attacks)
• Identity theft (assembling enough personal information to impersonate someone)

Skip tracing services use Spokeo and similar people-search engines to locate individuals who have moved or are difficult to find. This includes debt collectors, process servers, and bail enforcement agents.

Private investigators use Spokeo as a low-cost starting point for investigations, supplementing the information with more specialized databases.

Background check aggregators incorporate Spokeo's data into their own products, extending the reach of information originally collected by Spokeo into employment screening, tenant screening, and other consequential decision-making contexts.

Debt collectors use Spokeo to locate debtors and verify contact information, enabling collection efforts that individuals may have sought to avoid by changing their address or phone number.

Government use is minimal compared to larger data brokers. Spokeo's terms of service prohibit use for employment screening, tenant screening, credit decisions, and other FCRA-regulated purposes, though the FTC's 2012 enforcement action demonstrated that these prohibitions were not effectively enforced.

The democratized access model means Spokeo cannot effectively control how its data is used downstream. Unlike institutional data brokers that can vet clients and require permissible purpose certifications, Spokeo's self-service platform provides access to anyone with a credit card.

Law enforcement use: While Spokeo's terms of service discourage use for law enforcement purposes, individual officers have been documented using the service informally for investigative leads, particularly in departments that lack access to more comprehensive institutional databases like LexisNexis Accurint.

Marketing and lead generation: Spokeo and similar people-search sites are used by marketers, sales professionals, and lead generation companies to research prospective customers, build contact lists, and enrich customer relationship databases. This commercial use transforms a consumer-facing search tool into a data enrichment pipeline.

Journalism and research: Reporters, academic researchers, and genealogists use Spokeo for legitimate investigative and research purposes. While these uses may serve the public interest, they rely on the same underlying data collection and aggregation practices that enable more harmful applications.

Privacy Incidents & Litigation

FTC v. Spokeo, $800,000 Settlement (2012): The Federal Trade Commission charged Spokeo with violating the Fair Credit Reporting Act by marketing its people-search profiles to companies in the human resources industry for use in employment screening decisions without complying with FCRA requirements.

The FCRA imposes specific obligations on consumer reporting agencies, including ensuring data accuracy, providing dispute resolution mechanisms, and limiting data use to permissible purposes. The FTC found that Spokeo marketed its profiles as tools for evaluating job candidates while failing to ensure the accuracy of its data or comply with FCRA's consumer protection requirements.

Spokeo paid $800,000 to settle the charges and agreed to comply with FCRA requirements going forward. The settlement was notable as one of the first FTC enforcement actions against a people-search website.

Spokeo, Inc. v. Robins, Supreme Court (2016): Thomas Robins sued Spokeo under the FCRA, alleging that his Spokeo profile contained inaccurate information, wrong age, wrong marital status, wrong education level, and wrong employment information. Robins alleged these inaccuracies harmed his employment prospects.

The case reached the U.S. Supreme Court on the question of whether Robins had standing to sue, specifically, whether a statutory violation (publishing inaccurate information) constitutes a concrete injury sufficient for federal court jurisdiction even without proof of specific, tangible harm.

In a 6-2 decision, the Supreme Court vacated and remanded, holding that a plaintiff must show a "concrete" injury, not just a statutory violation. The ruling made it harder for individuals to bring privacy lawsuits by requiring them to demonstrate specific harm from data inaccuracies, a burden that can be difficult to meet when the harm is diffuse or difficult to attribute.

The Spokeo v. Robins decision had far-reaching implications for privacy litigation, raising the bar for standing in data broker and privacy cases across federal courts. Privacy advocates criticized the decision as making it nearly impossible to hold data brokers accountable through individual litigation.

Class-Action Lawsuits: Spokeo has faced multiple class-action lawsuits alleging FCRA violations, unfair business practices, and invasion of privacy. Common allegations include:

• Publishing inaccurate personal information that caused reputational harm
• Failing to follow reasonable procedures to ensure data accuracy
• Collecting and publishing personal data without consent
• Making it unreasonably difficult to remove or correct personal information

Opt-Out Difficulties: Consumer advocacy organizations have documented that removing one's information from Spokeo is a frustrating and often ineffective process:

• The opt-out requires locating one's specific profile URL on Spokeo's website
• Opt-out requests must be submitted for each individual profile (a person may have multiple profiles due to name variations or address changes)
• Removed profiles frequently reappear when new data enters Spokeo's system
• There is no mechanism to prevent future profiles from being created
• The opt-out process itself requires providing Spokeo with an email address, potentially adding data to the company's records

State Data Broker Registration: Spokeo has been subject to state data broker registration requirements, including in Vermont and California. These registrations provide some public visibility into the company's existence and practices but do not meaningfully constrain its data collection or sharing activities.

Accuracy Concerns: Independent testing of Spokeo's data has consistently revealed significant accuracy problems. Profiles frequently contain incorrect ages, wrong addresses, inaccurate employment information, and misidentified relatives. For a service that charges consumers money for personal information, the quality of the data product is remarkably poor, yet the inaccurate profiles can still cause harm when used to make decisions about the individuals they purport to describe.

Dark Pattern Subscription Practices: Consumer complaint forums and Better Business Bureau filings document persistent complaints about Spokeo's subscription model. Users who sign up for a single search report often find themselves enrolled in recurring monthly subscriptions. The cancellation process has been described as unnecessarily complex, and refund requests are frequently denied. These practices generate revenue from consumers who may not have intended to purchase an ongoing subscription.

Children's Data: Privacy advocates have raised concerns that Spokeo profiles sometimes include information about minors, particularly teenagers with social media accounts. While Spokeo's terms of service state that the service is not intended for use regarding minors, the automated aggregation process does not effectively filter out data about individuals under 18, potentially exposing children's personal information to anyone with a subscription.

Copycat and Ecosystem Effects: Spokeo's commercial success spawned dozens of imitator people-search sites, many of which scrape data from Spokeo itself and from the same underlying sources. This ecosystem effect means that even if an individual successfully opts out of Spokeo, their data remains available through BeenVerified, Intelius, PeopleFinder, WhitePages, Radaris, and dozens of other sites, each requiring a separate opt-out process. The National Network to End Domestic Violence estimates that a domestic violence survivor must complete opt-outs at more than 100 people-search sites to meaningfully reduce their exposure, a Sisyphean task that most individuals cannot sustain.

Threat Score Analysis

Spokeo receives a composite threat score of 58/100, reflecting its role as a democratized surveillance tool that makes comprehensive people-search available to anyone:

• Data Collection (72/100): Spokeo aggregates over 12 billion records from public records, social media, commercial databases, and other sources into searchable profiles on hundreds of millions of Americans. While the depth of individual profiles is less comprehensive than institutional data brokers like LexisNexis, the breadth of collection and the combination of public records with social media data creates profiles that bridge offline and online identities.

• Third-Party Sharing (70/100): Spokeo's self-service model makes personal information available to anyone willing to pay, without meaningful vetting or permissible purpose requirements. This democratized access creates risks distinct from institutional data sharing, the same data available to legitimate users is equally available to stalkers, scammers, and harassers.

• Breach History (40/100): Spokeo has not experienced a major publicly disclosed data breach. However, the company's business model is itself a form of continuous data exposure, the personal information it aggregates is made available to any paying customer, eliminating the need for a traditional breach to access the data.

• Government Contracts (20/100): Government use of Spokeo is minimal. The company's primary clients are individuals and small businesses rather than law enforcement or intelligence agencies, which have access to more comprehensive institutional data brokers.

• Transparency (45/100): Spokeo is more transparent than many data brokers in one respect: individuals can view their own profiles on the website (though this requires navigating the commercial site). The company provides an opt-out mechanism, however imperfect. But fundamental transparency about data sources, accuracy methodology, and downstream use remains lacking.

Weighted calculation: (72 * 0.25) + (70 * 0.25) + (40 * 0.20) + (20 * 0.15) + (45 * 0.15) = 18.0 + 17.5 + 8.0 + 3.0 + 6.75 = 53.25, adjusted to 58 due to the unique risks created by democratizing people-search capabilities and the documented use of people-search sites for stalking, harassment, and doxxing.

Transparency & Accountability

Spokeo occupies an unusual position in the data broker transparency spectrum. On one hand, the company is more visible than institutional data brokers, its consumer-facing website makes it clear what it does and what data it holds. On the other hand, the individuals whose data populates Spokeo's profiles had no say in the matter and face significant obstacles in controlling their information.

The opt-out mechanism is the primary accountability tool available to individuals. Spokeo provides a process for removing profiles, but the mechanism has well-documented shortcomings:

• Profiles frequently regenerate after removal as new data enters the system
• Multiple profiles for the same individual require separate opt-out requests
• The process requires individuals to know that Spokeo exists and holds their data
• Opt-out does not prevent data from being collected again from the same sources

The Spokeo v. Robins Supreme Court decision weakened the legal accountability framework for people-search companies by making it harder for individuals to demonstrate the "concrete" injury required for federal court standing. This precedent has been invoked by data brokers across the industry to defend against privacy lawsuits.

The FTC's 2012 enforcement action demonstrated that regulatory accountability can be effective but is limited in scope. The $800,000 fine was modest relative to Spokeo's revenues, and the consent order addressed specific FCRA marketing practices rather than the broader privacy implications of the people-search business model.

State privacy laws including the CCPA provide California residents with the right to opt out of the sale of personal information and request deletion. However, enforcement depends on individual consumers knowing to exercise these rights and navigating company-specific processes.

The fundamental accountability gap is structural. People-search engines like Spokeo exist because U.S. privacy law does not grant individuals comprehensive control over the collection and commercial use of their personal information. Unlike the EU's GDPR, which requires a legal basis for processing personal data and grants individuals the right to object, U.S. law generally permits the collection and sale of personal information unless a specific statute prohibits it.

Until this regulatory framework changes, people-search engines will continue to operate in a legal gray zone, collecting and selling personal information about hundreds of millions of people who never consented to the arrangement, while the harm falls disproportionately on vulnerable individuals who have the most to lose from being easily found.

The human cost of people-search engines is most visible in the cases that rarely make headlines. Domestic violence survivors who relocate to escape abusers can be found through a simple Spokeo search. Witnesses in criminal cases who fear retaliation have their addresses published online. Individuals who have been stalked or harassed discover that their stalker can track their movements through address history updates. These are not hypothetical scenarios, they are documented consequences of making comprehensive personal information commercially available to anyone.

Organizations like the National Network to End Domestic Violence and the Cyber Civil Rights Initiative have called for legislative reforms that would allow vulnerable individuals to suppress their information from people-search databases. Some states have enacted address confidentiality programs for domestic violence survivors, but these programs are limited in scope and do not prevent data brokers from publishing historical addresses or associated records that can be used to locate individuals.

The Spokeo v. Robins decision's impact on privacy litigation extends far beyond Spokeo itself. By raising the standing requirement for statutory privacy violations, the Supreme Court created a framework that data brokers across the industry use to defend against accountability. If the harm of having inaccurate personal information published online is not sufficiently "concrete" for federal court jurisdiction, then the legal system provides little meaningful recourse for the millions of Americans whose data is collected and sold without consent.