NEW YORK (CNNMoney) — Every time you mindlessly give a sales clerk your zip code at checkout, you're giving data companies and retailers the ability to track everything from your body type to your bad habits.
That five-digit zip code is one of the key items data brokers use to link a wealth of public records to what you buy. They can figure out whether you're getting married (or divorced), selling your home, smoking cigarettes, sending a kid off to college or about to have one.
Such information is the cornerstone of a multibillion-dollar industry that enables retailers to target consumers with advertising and coupons. Yet, data privacy experts are concerned about the level at which consumers are being tracked without their knowledge -- and what would happen if that data got into the wrong hands.
Acxiom, one of the biggest data brokers in the business, claims to have a database that holds information -- including one's age, marital status, education level, political leanings, hobbies and income level -- on 190 million individuals. Major competitors, like Datalogix and CoreLogic, tout similarly vast databases.
In most cases, all that is needed to match the information these data brokers compile with what you buy is your full name — obtained when you swipe a credit card — and a zip code, according to data privacy experts. This allows them to figure out that you are the Sally Smith who lives in Butte, Mont., not the one who lives in Denver, for example.
"For the majority of the country, the zip code is going to be the piece of the puzzle that is going to enable a merchant to identify you," said Paul Stephens, director of policy and advocacy at the Privacy Rights Clearinghouse.
Once a retailer identifies you, it can track and analyze your spending behaviors and background in order to predict what you might buy next. In the data world, this is often called predictive analysis or predictive modeling.
Buying a bunch of maternity clothes? You must be expecting. Stocking up on diapers and baby food? The baby must have been born, which means you're a new parent now. Buying clothes in larger sizes? You could end up classified as an overweight or obese consumer. And so on.
Some retailers sell this information back to the data brokers, which then sell it to other companies -- including retailers, banks, credit card issuers, airlines, hotels, auto manufacturers and even Facebook -- in a seemingly never-ending cycle.
"Some of these data brokers know us better than we know ourselves," said Pam Dixon, executive director of the World Privacy Forum.
Of course, you typically don't have to give your zip code to a cashier. Last month, the Massachusetts Supreme Court ruled that zip codes are "personal" information under state consumer privacy laws, after Melissa Tyler sued craft store Michaels for using her zip code to find her and send store mailings. She had thought the zip code was required to complete her credit card transaction, according to the suit.
Now retailers in the state can't ask for your zip code for marketing purposes -- joining California, which had a similar court case.
You often have the right to "opt out" of letting data brokers and other companies share certain information they've gathered about you, but few people do so, said Dixon.
The Federal Trade Commission is requiring the nine major data brokers to explain how they collect, store and use consumer data. Major data firms have noted that they don't reveal sensitive information, like Social Security or driver's license numbers. Still, the agency is concerned that brokers' databases could be hacked, creating identity theft risks.
Currently, data brokers are required by federal law to maintain the privacy of a consumer's data only if it is used for credit, employment, insurance or housing.
But there are some gray areas. Medical records and prescription purchases are off limits, but data brokers are allowed to track purchases of over-the-counter drugs and other related medical items, as well as web searches and medical surveys that consumers fill out online, said Dixon.
That has allowed Acxiom to create a "health interest" category, which highlights consumers with "interests related to" health conditions, such as arthritis and diabetes. In a letter to Congress, Acxiom officials noted that they do not collect data about sensitive health conditions, such as sexually transmitted diseases.
The National Retail Federation, an industry trade group, argues that the data collection allows retailers to better target their marketing campaigns, ultimately benefiting consumers.
Because "discounts are sent to a relatively small group, rather than to an entire neighborhood, the merchant saves money and can afford to give its likely customers bigger or more frequent reductions," Mallory Duncan, senior vice president and general counsel for the NRF, said in a statement.
Privacy advocates counter that consumers should at least be more aware of how they are being tracked.
"There is nothing wrong with advertising," Dixon said. "The problem is when we don't know our information is being used."