Optery CEO Lawrence Gentilello recently sat down with data privacy expert Debbie Reynolds on “The Data Diva” Talks Privacy Podcast for a wide-ranging conversation. They discussed the massive scale and granularity of data collection by data brokers, the growing privacy rights divide in the U.S., the power of the data broker lobby to water down privacy legislation, privacy and physical safety, what sets Optery apart, the rise of AI-native data brokers, gaps in privacy law, fighting tech with tech, ransomware gangs using data brokers, and more.
Special thanks to Debbie Reynolds for hosting such a thoughtful and important conversation.
Below are some highlights:
- From Ad Tech to Identity Fraud: Lawrence’s Journey to Optery
- Data Brokers and the Massive Scale and Granularity of Data Collection
- The Growing Privacy Rights Divide in the U.S.
- The Power of the Data Broker Lobby
- Privacy And Physical Safety
- What Sets Optery Apart from Other Services
- The Rise of AI-Native Data Brokers
- Gaps in Privacy Law and the Problem of Invisibility
- Fighting Tech with Tech
- The Black Basta Chat Leak: Proof Ransomware Gangs Use Data Brokers
- Lawrence’s Three Wishes for Privacy and Cyber Safety
From Ad Tech to Identity Fraud: Lawrence’s Journey to Optery
Debbie opened the interview by asking Lawrence to share his background and how he came to found Optery.
Lawrence Gentilello:
“So my journey to Optery came from really two angles. And the first angle is that I entered the data space in 2011 when I joined a company called BlueKai. And BlueKai was one of the early leaders of data companies that would partner with companies like Expedia, Kayak, Cars.com, Hotels.com, eBay.com and would capture intent data, purchase intent data on cookies, and then would sell that cookie data into the ad tech ecosystem.
The biggest customer was Google. Another big customer might be Yahoo or AOL. And so it was a data broker, and it was a data broker that focused on more personalized advertising.
It was from a pretty innocent perspective of, oh, we have more targeted ads. It was a lot of it around retargeting — you look at a pair of shoes on Nordstrom, and then you go look at a football blog and you see the pair of shoes. And that was really what BlueKai did and what brought me into the space.
From there, I left and went to Accenture and I led Accenture’s Data Management Platforms practice within Accenture Interactive for about three and a half years.
What I saw was that data was being increasingly weaponized against people and used in very harmful ways, far beyond what I had originally envisioned.
So I felt like when I left Accenture that there was a real need for a piece of software that would encode the rights that were being provided to just everyday people into technology.
Also, it was right around 2019 when I started thinking about this… I was the victim of identity theft.
An attacker — I don’t really know — but I believe profiled me and actually created a fake ID, California driver’s license, with my home address on it and my name on it. And also a fake ID in my wife’s name.
Two individuals walked into a Verizon store with two false identifications. They knew our phone numbers. They knew our home addresses. And they got some free cell phones out of it.
I Googled myself, and it was like my cell phone number was literally in the Google search results.
I started to get it removed and I just felt like there were some solutions — I didn’t feel like they were very good.
Coming from a technology background, I felt like there was this huge opportunity to provide a piece of software to people and companies — and really to outdo what I saw as existing solutions on the market that were just not very good.
Now Optery started in 2020, and we consider ourselves a privacy and cybersecurity company. We’re working all day long with customers that care about this stuff — and companies that are protecting their employees, their own customers, government officials — and that’s how I got here.”
Data Brokers and the Massive Scale and Granularity of Data Collection
Lawrence and Debbie then discussed the endless and unbelievable amount of data that is collected on people.
Debbie Reynolds:
“I think people just don’t realize how much data is out there about them. And they can’t imagine how someone could possibly use it against them.”
Lawrence:
“Yeah. The analogy I like to use is, when you leave the city and go out into the country, you look up at the night sky — and it’s vast. That’s what it’s like with data brokers. It’s just endless.
“We just released an open-source data broker directory. If you go to optery.com and click on ‘Resources,’ then ‘Data Broker Directory,’ you’ll find about 615 data brokers we’ve profiled — including links to opt-out pages, self-service options, and opt-out guides.
That’s a big number, but it still just scratches the surface. Our approach is still pretty U.S.-centric, but we’re preparing to expand internationally.
For comparison, the California Data Broker Registry lists about 550 companies. That’s good progress — a few years ago it was only around 400. Some of the legal action taken by state attorneys general is helping to push more disclosure. But there are still many companies that aren’t disclosing themselves properly.”
In addition to the ever-growing number of data brokers, Debbie offered a chilling example of how granular data collection has become.
Debbie:
“I was at a conference, and someone in the insurance industry said they know how much water is in the wheel well of people’s cars. Lord knows what they’re doing with that kind of data, but it shows the level of granularity we’re talking about.”
The Growing Privacy Rights Divide in the U.S.
The conversation turned to disparities in privacy rights across states.
Lawrence:
“One of the things that we’re seeing and noticing a lot of is the… I call it the privacy divide.
There’s different states that have privacy laws that are active — like in California we have one, Texas has one, Oregon has one — but most of the states don’t.
If you’re a citizen of a certain state, you don’t have rights to privacy. So maybe early on, data brokers were getting so few opt-out requests, they were just sort of like honoring them. And now the awareness among the public and companies like Optery and others — our businesses are growing very rapidly — and so the volume and the scale of opt-out requests that we’re starting to send to data brokers is getting larger.
Some — not all — but some data brokers are starting to say, ‘Hey look, if you’re in North Dakota, sorry, there’s no legal requirement for us to stop selling your information. But hey, okay, you’re in Colorado, Utah, Virginia — we’ll stop selling your information.’
There’s a growing privacy divide in the United States — of haves and have-nots — in terms of who has rights to privacy and who doesn’t. And it’s really up to the citizenry — the people in those states — to demand their lawmakers get something passed.”
The Power of the Data Broker Lobby
Lawrence explained how the data broker industry resists regulation.
Lawrence:
“One thing that’s happening — that I think is very concerning — is that it’s really unknown to the public how powerful the data broker lobby is.
There’s billions and billions of dollars being earned by data companies. And they’re not dumb. They’re very smart, and they have a lot of money.
So when they see privacy laws getting passed, or they see companies like ours, they’ll do whatever they can to maintain the status quo.
They put forth tremendous effort and resources to water down privacy laws, to block them, to cast doubt and aspersions on privacy companies.
There are different privacy laws in the United States, and some of them have specific legal provisions for what’s known as an authorized agent. That’s what Optery is — we’re an authorized agent.
There’s a lot of talk these days about agentic AI — agents that go out and do things on your behalf. That’s become the buzzword du jour.
That’s what we are. We’re an authorized agent. We have an agent relationship with our customers, and then we go out and get their information removed.
One of the things that you’ll see — when data brokers are high-fiving and cheersing themselves — is that they’ve managed to water down a privacy law so that it doesn’t include provisions for an authorized agent.
They’ll cast aspersions and say there are problems with authorized agents.
When a data broker successfully waters down a privacy law so that it doesn’t have a provision allowing a company to assist people who don’t have time, or just don’t have the savvy — it’s a big win for the data broker industry, and a big loss for consumers.”
Privacy And Physical Safety
Debbie and Lawrence then discussed how personal data exposure leads to real-world physical threats.
Debbie:
“We saw, as a result of the United Healthcare CEO murder that happened, a lot more businesses started being concerned about the safety of people.
Executives already are very much targets of cyber — like ransomware and different things like that. Unfortunately, that situation highlighted the safety issues.
One of the laws I’m sure you’re familiar with is Daniel’s Law out of New Jersey. A lot of the data brokers filed suit and they lost — because they were saying, ‘Hey, we have a First Amendment right to sell people’s data.’ And they were like, ‘No you don’t.’
We’re seeing more states try to implement more of Daniel’s Law. And some of the arguments I’ve heard from some of the data broker lobbying groups were just ridiculous. Like, ‘I need to sell the data of a police officer or a judge so they can get a car loan.’ It’s like… well, if you’re dead, you can’t get a loan.
So I think talking more about safety is a very important thing to do.”
Lawrence:
“Yes, a big reason this problem is important to people is physical security. If someone is stalking or trying to commit violence, and your home address is just readily out there — that can lead to people confronting you physically.
A lot of people use our product because they don’t want their home address out there. Or maybe they’re a victim of domestic violence. Or, even, we have corporate business customers who are planning to do a layoff — and maybe the last time they did that, they had disgruntled employees show up at executives’ homes.
So they’ll preemptively take steps to remove home addresses — because they’re worried about physical security. An adversary could be someone in Asia at a pig butchering farm profiling people globally, or it could be someone not too physically far from you with a grudge.”
What Sets Optery Apart from Other Services
Debbie asked Lawrence what makes Optery different from other data removal companies.
Lawrence:
“Consumer Reports not too long ago did a blind study of six or seven services. After several months, Optery was ranked the number one most effective product. The biggest name in the space — kind of the big market leader — performed about half as well in the blind Consumer Reports study as Optery did.
Especially when we go to business customers, a lot of them think, ‘Oh, this is a commodity product — they all work the same.’ And we say, ‘No, no, no. They don’t all work the same.’ Do a blind test. Test it out. Take a few of your employees. Run it for a few months. Then make a decision.”
We’ve won the PCMag Editor’s Choice Award — 2022, 2023, 2024, 2025 — as the most outstanding product in the market.
What sets us apart is we have a really powerful search engine. We have patented technology and proprietary, kind of trade secret technology, where we do deep crawl scan scrapes of hundreds of data broker sites.
On average, we find around 100 exposed profiles for our average person that signs up for a free account. So Optery has a freemium model. We search these hundreds of sites. On average, we find about 100 exposed profiles.
We were the first to send people reports that say, ‘Hey look — here’s 100 screenshots of you on BeenVerified, Instant Checkmate, Spy Dialer, Cell Revealer, Social Catfish… and the list goes on.’
That was key — we actually show people. One of our mottos is: it’s hard to remove something if you can’t find it.
A lot of companies say they remove you — but they don’t. One of the things that sets Optery apart that our business customers really like is we actually send before-and-after screenshots.”
We take screenshots to find you — we send you a report with 100 screenshots of where you were found. Then we send you an after: ‘Here’s where you were, and now, if you search that page, this is what comes up.’”
That’s really helpful to justify things internally — if a cybersecurity decision maker has to justify a budget to the CEO, the board, or the CFO. It’s real evidence that we’re reducing our surface area of attack.
The visibility we give is one of the things that sets us apart.
Two is monthly scanning and removals. Every month, we go out and do monthly scans and removals.
Three is the breadth of coverage. I think today we cover like 615 or so data brokers. Some others maybe cover like 200. So breadth definitely matters.
Also, pay close attention to how coverage is being counted. Most companies in our space cover some brokers natively and by default, and then have something called ‘custom removals’ or ‘customer requests’ — where you have to submit it manually.
Some competitors juice their numbers — they’ll say they cover 1,000 brokers, but only 100 are covered by automation. The other 900 require manual submission.
Breadth of coverage, visibility, and enterprise features — like reporting that says, ‘We’ve removed 2,000 emails or 2,000 phone numbers’ — those are a few things that differentiate Optery.”
The Rise of AI-Native Data Brokers
Debbie asked what trends Lawrence was seeing in the broader data broker ecosystem.
Lawrence:
“I think one of the most interesting trends that we’re seeing right now is the emergence of AI-native data brokers.
So you have these different categories of data brokers — people search sites, which most people are pretty familiar with now: Whitepages, Spokeo, Instant Checkmate, BeenVerified, etc. The industry started with brokers like these.
Two is the prospecting databases — like the catalogs that have been around for a while: ZoomInfo, RocketReach, Qubit, Apollo — basically, SDRs and BDRs that are sending out cold email campaigns and trying to get meetings with a lot of technology buyers. Those have been around for a while, and that’s kind of what we’ve been working on for a while.”
But just in the last year, there’s been a tremendous amount of capital that’s gone into AI.
There are a lot of different AI companies doing all kinds of things — human robots and everything you can imagine. But one of the things they’re doing is AI-native prospecting — AI SDRs.
So I don’t need to hire 10 sales development representatives. I can just use this company to auto-generate emails and send them out to prospects — and not only send them, but also respond to them.
Historically, you’d have companies that would send out emails, and if the prospect responded, a human would write back and try to set up a meeting.
But now that’s all happening with bots — bots are sending the emails, responding to the emails, setting up the meetings, following up — just all automatically.
There are a lot of companies doing this right now that we would refer to as AI-native prospecting companies.
And actually, they’re getting a little bit of a free pass temporarily — because most people are focused on, ‘Hey, get my home address out of Google,’ or ‘Hey, opt me out of ZoomInfo or RocketReach.’ They’re not yet familiar with these new names.
So there’s a bunch of new names — like Instantly, maybe Warmly, AISDR, Artisan, Copilot.
We’ve profiled around 30 to 50 of them, and they’re all getting a lot of venture capital.
And throughout the coming months, most of them — they’re not disclosing themselves in these data broker registries.
They’re selling access to people. They’re selling data. But they’re kind of like — when the California data broker registry first came out, there were about 200 data brokers who disclosed themselves. Over time, that’s gone up to 500 or so.
I think a lot of them are kind of in denial that they actually have to be accountable to these laws.
And right now, there are just so many data brokers — you can only target a few at a time.
So there might be just a trickle of lawsuits or action that’s happening out of California or out of Texas — even though the violations are massive.
So it’s definitely very concerning. But I think over time, they’ll increasingly be aware, ‘Okay, we have to comply with these laws.’
You’ll start to see them covered by companies like ours — and we’ll help people with privacy and data control.”
Gaps in Privacy Law and the Problem of Invisibility
Debbie brought up the structural problems with current privacy regulations.
Debbie:
“Vermont was the first state to have a data broker registry. But even then, the average person — even me — couldn’t point to who these companies were or why they had our data. Most privacy laws assume there’s a business relationship — that you willingly gave your data to a company. But data brokers don’t work like that. They scrape data, combine data sets, and sell it. People are only becoming aware when they get breach notices from companies they’ve never heard of.”
Lawrence:
“Exactly. Most people don’t have time to read every privacy policy. You just want to use the app — to unlock your car, check your gas. You click through the terms. But in doing that, you’re giving away geolocation and vehicle data — which then gets sold.
That’s why we need centralized registries — to make it visible who’s collecting your data, especially when you have no direct relationship with the company.”
Fighting Tech with Tech
As the data broker ecosystem evolves, Lawrence emphasized that the only way to keep up — and push back — is through sophisticated technology.
Lawrence:
“Data brokers are constantly changing things up on us. We’re adjusting our technology to handle those differences.
So I think you have to fight tech with tech.
And I think that’s one of the things data brokers are trying to do by watering down these privacy laws — by prohibiting consumers from fighting tech with tech.
They basically know: you’re not going to be able to… if you as a human are just using your two hands and your two eyes, you’re not going to be able to beat us.
So tech with tech — whether that’s through things like the Delete Act, or the DROP system that’s being worked on here in California, or registries, or authorized agents like us — it kind of starts to even the playing field a little bit where you’re not fighting this big, multi-tentacled, powerful beast alone.”
The Black Basta Chat Leak: Proof Ransomware Gangs Use Data Brokers
Lawrence and Debbie also discussed the revelations from the recently leaked Black Basta chat logs.
Debbie:
“You were telling me about a ransomware gang using data broker information to profile targets. Can you share more about that?”
Lawrence:
“Just a week or two ago, there was a Russian ransomware gang that goes by the name of Black Basta. They’ve been operating for at least a few years — targeting critical infrastructure, hospitals, insurance companies — and they’ve been quite successful.
There was an internal conflict in the gang. Someone within the gang decided to leak their private chat logs for about a year — from 9/9/2023 to 9/24/2024.
Security researchers are all over it — parsing the data, searching through it. One of the things they found was 380 separate links to ZoomInfo.
There’s very clear evidence that ransomware gangs are utilizing data brokers. I don’t want to single out ZoomInfo — though they are the biggest publicly traded company in this space — but RocketReach was found in the logs too, and probably others.
What we now know categorically is that ransomware gangs are using data brokers like ZoomInfo and RocketReach to profile and research their targets before attacking.
These are data brokers we remove people from. A lot of people ask, ‘Does it really matter? Will ransomware gangs really use data brokers?’
This news that came out a couple of weeks ago is proof that they do. It does matter. The question is: do you want to leave yourself exposed and say, ‘Hey, my company’s wide open, come profile us’? Or are you going to do something about it?”
Debbie:
“And they also use this kind of information for phishing, right? If someone contacts you and knows something about you that seems private — something you never told anyone — it creates trust. And that’s how people get tricked into clicking or sharing information.”
Lawrence:
“Definitely. They were creating fake websites and tricking people to provide their logins — to what would appear to be the real website.”
Lawrence’s Three Wishes for Privacy and Cyber Safety
To close out the conversation, Debbie asked Lawrence what his top privacy or security policy wishes would be — if he could reshape the world however he wanted.
Lawrence:
“One would be a consistent set of privacy laws — even just within our country. Europe has a consistent set of laws across countries — GDPR. That makes things easier for companies, for people, and for privacy companies.
So one would be a consistent set of laws in the United States across states. Or even better — at the federal level.
Two would be provisions in every law for authorized agents. It’s really critical that people who aren’t tech-savvy, or who don’t have time on their hands — maybe they work jobs where they’re not sitting in front of a computer all day — have the right to a service provider.
The analogy I like to use is: the IRS makes it free for anybody in the U.S. to file taxes. You can file your taxes for free, yourself. But it’s complex. People are busy. They don’t have time to keep up with all the laws.
So they use service providers — maybe automated ones like TurboTax or TaxSlayer, or maybe an accountant.
What the data broker lobby is doing is akin to prohibiting people from using tax assistance to file their taxes. I think it’s really key to give people access to companies and services like ours.
The last one would be enforcement. There’s very, very little enforcement happening right now.
Just this week, we discovered a data broker that we’ve been sending opt-out requests to — for tens of thousands of our customers. And they’ve been removing the information from the publicly accessible places, but still selling the data via API to their API customers.
We’re starting to document that and we need to send it to the relevant government officials and enforcement bodies.
But the enforcement is just so, so weak. So I think those would be the three things I would wish for.”
Listen to the full podcast episode here:
To learn more about Debbie’s work and impact on the privacy world, check out our Privacy Protectors Spotlight here: Privacy Protectors Spotlight: Debbie Reynolds, The Data Diva – Optery