Last updated 2 months ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
When you file a change of address form with the U.S. Postal Service, you’re entering personal information into a vast commercial database that extends far beyond mail forwarding.
The National Change of Address system feeds data to businesses, government agencies, and data brokers, creating privacy implications most people never consider.
The NCOA database contains approximately 160 million permanent address change records at any given time. The USPS retains these records for 48 months, creating a four-year historical record of residential and commercial movement. This data is used for tracking, analysis, and commercial purposes that go beyond delivering your mail.
Understanding who can access your new address information and how it gets used helps you make informed decisions about privacy protection when moving.
How the NCOA Database Works
What Gets Recorded
The National Change of Address system, officially known as NCOALink®, serves as the official record for all permanent change-of-address requests filed across the country. This massive digital ledger updates continuously as Americans submit over 40 million address changes annually.
The stated purpose involves improving mail system efficiency by reducing undeliverable mail. Misaddressed and undeliverable mail cost the U.S. economy approximately $65 billion annually according to 2015 estimates. The NCOA system saves money for both the USPS and commercial entities using it by providing address correction before mail gets sent.
How Information Enters the System
You can submit address changes through two primary methods:
Online submission: The most common method requires visiting the official USPS website and completing online forms. To verify identity and combat fraud, this process requires a $1.25 fee paid with credit or debit cards whose billing addresses match either old or new addresses being submitted.
In-person or mail submission: The traditional method involves visiting Post Offices to obtain Mover’s Guide packets containing PS Form 3575, “Mail Forwarding Change of Address Order.” Completed forms can be handed to postal clerks or mailed.
Once submitted electronically or through manual data entry from paper forms, information gets added to the NCOA database. Mail forwarding typically becomes active within three business days to two weeks.
More Than Simple Address Swaps
The NCOA process functions as a sophisticated data standardization engine designed to perfect address records according to strict USPS specifications. This “data hygiene” process integrates with several other USPS address verification systems:
CASS (Coding Accuracy Support System): This foundational step standardizes addresses into official USPS format, corrects street name misspellings, and appends proper nine-digit ZIP+4 codes essential for automated mail sorting.
DPV (Delivery Point Validation): This system confirms standardized addresses represent actual, known USPS delivery points. It identifies invalid addresses and flags properties vacant for 90 days or more.
LACSLink and SuiteLink: These specialized systems handle complex address changes. LACSLink updates addresses changed for emergency 911 system implementation, while SuiteLink appends missing secondary address information like apartment or suite numbers.
Together, these systems transform raw mailing lists into highly accurate, standardized, and deliverable datasets representing the core value proposition for commercial mailers.
Commercial Access to Your Data
The USPS Licensing Business
The USPS operates a lucrative licensing system controlling NCOA database access. Companies wanting database access must pay substantial fees and adhere to strict usage agreements. License categories create tiered access systems with costs varying based on data depth and permitted uses.
The extremely high annual fee for Full Service Provider licenses—currently $360,400—creates significant barriers to entry. This structure establishes a data oligopoly, concentrating complete 48-month address history access among a few dozen large, well-capitalized companies.
Nearly any organization needing comprehensive address updates, from small nonprofits to large corporations, must transact with these Full Service Providers. Many licensed providers are major data brokerage industry players, meaning citizen address change information often gets processed by firms whose business models involve compiling, analyzing, and selling personal data profiles.
| License Type | Data Access Duration | Permitted Use | Annual License Fee (approx.) | Target User |
|---|---|---|---|---|
| Full Service Provider (FSP) | 48 months, updated weekly | Can process lists for third parties and internal use. | $360,400 | Large data service bureaus, mail service providers, data brokers. |
| Limited Service Provider (LSP) | 18 months, updated weekly | Can process lists for third parties and internal use. | $30,100 | Mid-sized mailers and service providers. |
| End User Mailer (EUM) | 18 months, updated monthly | Internal use only; cannot process for affiliates or third parties. | $15,050 | Large companies or organizations with significant in-house mailing operations. |
| Interface Developer | N/A | Develops software to interface with the NCOALink product. | $2,270 | Software development companies. |
Who Uses Your Address Changes
Bulk mailers: The primary intended customers include companies and organizations conducting mass mailings. The USPS requires mailing lists used for discounted First-Class Mail and USPS Marketing Mail be updated using approved “Move Update” methods like NCOALink within 95 days of mailing dates.
The process works simply: companies or nonprofits provide customer mailing lists to licensed NCOA service providers. Providers process lists against the NCOA database, standardizing addresses, correcting errors, and updating records for individuals or businesses filing address changes. Providers return “clean” and updated lists to original mailers.
Data brokers: Many companies holding comprehensive Full Service Provider licenses are data brokers. Companies like Melissa, Anchor Computer, and Peachtree Data are registered as data brokers in states with such regulations. Their core business involves aggregating, enhancing, and selling consumer data.
USPS licensing agreements explicitly prohibit using NCOA-derived data for creating or maintaining “new mover” lists for sale or rent. However, a 1996 Government Accountability Office report found USPS oversight was inadequate to detect or prevent this practice. The GAO’s legal interpretation stated creating new-mover lists from NCOA data was inconsistent with Privacy Act purpose limitations.
Government Agency Access
Internal Revenue Service
The IRS represents a major NCOA data user, but access is strictly for tax administration purposes. The primary goal involves reducing undeliverable mail and ensuring critical documents like statutory notices of deficiency reach correct taxpayers at their “last known addresses.”
The process operates through highly automated systems. The IRS receives weekly data feeds from the NCOA database and processes them using strict internal matching algorithms. The legal standard for updating addresses based on NCOA data is stringent.
Under Treasury Regulations, the IRS can only update addresses if taxpayer names and old mailing addresses in IRS records precisely “match” corresponding NCOA database information. The IRS’s internal definition of “match” is so strict that minor variations like “Robert” versus “Bob” would cause automatic updates to fail.
State Election Officials
State and local election offices represent another key government NCOA user. This usage is mandated by the National Voter Registration Act of 1993, which requires states to conduct regular list maintenance ensuring voter registration roll accuracy.
A 2022 U.S. Election Assistance Commission survey found nearly 68% of states use NCOA reports to identify registered voters who may have moved.
The process typically involves Secretary of State offices matching statewide voter files against the NCOA database. When voter records get flagged as potential moves, election offices usually mail confirmation notices to voters, providing opportunities to update registrations or confirm they haven’t moved.
Social Security Administration
The Social Security Administration maintains address records for tens of millions of Americans to send benefits and communications effectively. The SSA has robust internal systems including the Master Beneficiary Record and allows beneficiaries to update contact information directly through secure online portals, by phone, or by visiting field offices.
While available research doesn’t specify direct NCOA data-sharing agreements between the SSA and USPS, it’s standard practice for large federal agencies conducting mass mailings to use USPS address hygiene services ensuring deliverability and reducing costs.
Law Enforcement Access
Law enforcement and national security agencies don’t have “backdoor” or open-ended NCOA database access. Access is tightly controlled and must go through specific, formal channels.
Any local, state, or federal law enforcement agency seeking address change information must submit requests to the U.S. Postal Inspection Service, which serves as the law enforcement and security arm of the USPS.
The legal standard for release is clear: the USPIS must first confirm requested address information is necessary for active criminal investigations before disclosure. This gatekeeper role prevents fishing expeditions and ensures private address data access ties to legitimate law enforcement needs.
| Entity/User | Purpose of Access | Data Scope/Method | Governing Rule/Limitation |
|---|---|---|---|
| Commercial Mailers | Update mailing lists for delivery, qualify for postal discounts. | Submit lists to a licensed provider for processing against 18 or 48 months of data. | Must sign a Processing Acknowledgment Form (PAF) stating use is for mailing purposes only. |
| Data Brokers (as FSPs) | Provide address hygiene services to third-party mailers. | Direct license for the full 48-month NCOA database, updated weekly. | License agreement prohibits creating/selling “new mover” lists; historical oversight has been weak. |
| Internal Revenue Service (IRS) | Tax administration, ensuring delivery of official notices. | Receives weekly data feeds; uses strict internal matching algorithms. | Can only update an address if there is a precise “match” with NCOA data; must exercise “reasonable due diligence.” |
| State Election Officials | Voter list maintenance to keep rolls accurate. | Match statewide voter files against the NCOA database. | Governed by the National Voter Registration Act (NVRA); used to identify potential movers for confirmation. |
| Law Enforcement | Active criminal investigations. | Must make a formal request through the U.S. Postal Inspection Service (USPIS). | USPIS must confirm the information is needed for a criminal investigation before release. |
Privacy Risks and Security Concerns
Legal Framework and Historical Problems
Collection, use, and dissemination of Change of Address information by the USPS, a federal agency, are governed by the Privacy Act of 1974. This foundational law establishes key principles for government personal data handling, generally requiring individual consent before third-party record disclosure and including “purpose limitation” principles meaning data should only be used for collection purposes.
The USPS operates on the legal premise that sharing NCOA data with licensed mailers is consistent with original collection purposes—facilitating mail delivery. The Processing Acknowledgment Form, which every mailer must sign, serves as the legal instrument the USPS uses to document and enforce this purpose limitation.
Despite Privacy Act protections, multiple government audits have uncovered serious and systemic NCOA program security and oversight failures.
1996 GAO Report: An early Government Accountability Office investigation found USPS oversight was inadequate to prevent potential licensing agreement breaches and federal privacy law violations. The report highlighted significant weaknesses in USPS processes for auditing licensees, reviewing advertisements, and investigating consumer complaints.
2014 OIG Report: Nearly two decades later, a USPS Office of Inspector General report found many of the same problems persisted. The OIG concluded security controls were “not sufficient to protect the confidentiality and integrity of customer information.” The audit uncovered specific failures including improper hard copy address change form handling and outdated security software use. Most alarmingly, the OIG estimated that due to these lapses, 13.5 million NCOA customer records with potential value of $228 million were at risk.
Fraud and Security Vulnerabilities
Beyond internal security lapses, the address change submission process itself has been a significant risk source. For years, a major vulnerability was the paper-based COA form, which required no identity verification. This created opportunities for criminals to fraudulently submit address changes for victims, diverting mail including new credit cards, bank statements, and other sensitive documents to locations under criminal control.
In a positive development for consumer security, the USPS implemented a major change as of May 31, 2023. The agency now requires proof of identity for all change of address requests, whether submitted online or in-person at Post Offices.
While this represents critical improvement that should significantly reduce fraudulent submission risks, the legacy of less-secure systems and potential for new vulnerabilities remain valid concerns.
Limited Privacy Protection Options
The All-or-Nothing Trade-off
For average citizens, there is no official USPS form or process allowing you to file permanent Change of Address requests for mail forwarding while simultaneously opting out of having data included in the NCOALink product licensed to commercial entities. The system represents an all-or-nothing proposition.
The only way to prevent your new address from entering the commercial NCOA database is to not file permanent COA requests with the USPS at all. This approach requires manually and individually updating addresses with every entity sending you mail: banks, credit card companies, employers, insurance providers, subscription services, government agencies, friends, and family.
This proves incredibly burdensome, time-consuming, and error-prone, and it’s almost inevitable that some mail will be lost.
Some privacy-conscious individuals have suggested potential workarounds, such as filing temporary COA requests lasting up to one year that aren’t supposed to be included in the NCOA product, or forwarding mail to P.O. Boxes during transitions. However, these are imperfect solutions that don’t fully resolve underlying privacy trade-offs.
Special Protections for Vulnerable Individuals
The government recognizes that for some individuals, widespread new address dissemination isn’t just a privacy issue but a direct threat to physical safety. For survivors of domestic violence, stalking, sexual assault, and other crimes, maintaining confidential addresses is critical to safety plans.
To address this need, many states have established Address Confidentiality Programs. These programs provide eligible participants with legal substitute addresses, often P.O. Boxes managed by state agencies like the Secretary of State.
Survivors can use substitute addresses for all public and private records, and state and local agencies are legally required to accept them. All mail sent to substitute addresses is received by ACPs and then forwarded to survivors’ actual, confidential physical locations.
The existence of these state-run programs powerfully acknowledges that the default NCOA process, with its broad data sharing, isn’t safe for everyone. They function as essential but separate “privacy patches” on systems not designed with high-risk individual security as primary considerations.
Comparison with Private Couriers
It’s important to distinguish the USPS NCOA system from address change processes of private carriers like FedEx and UPS. These companies operate entirely outside the NCOA ecosystem.
When you request package redirections or delivery address changes with them, you interact solely with their internal, proprietary systems. Their handling of addresses and personal data is governed by corporate privacy policies, not the federal Privacy Act governing the USPS.
These policies, along with state-level privacy laws like the California Consumer Privacy Act, provide consumers with specific rights including the right to access data and opt-out of “sale or sharing” personal information for purposes like targeted advertising.
This offers different and in some ways more direct consumer control avenues than the opaque, all-or-nothing NCOA system. The USPS system is unique as a government-run utility deeply integrated into the commercial data brokerage world, forcing stark choices between convenience and privacy that don’t exist in the same way with private courier services.
| Feature | U.S. Postal Service (USPS) | FedEx | UPS |
|---|---|---|---|
| Primary System for Address Change | National Change of Address (NCOA) Database | Internal proprietary system (FedEx Delivery Manager®) | Internal proprietary system (UPS My Choice®) |
| Cost to Consumer | $1.25 for online identity verification for a permanent COA. | Generally free for basic changes; fees may apply for complex intercepts. | Generally free for basic changes; fees may apply for complex intercepts. |
| Data Shared With | Licensed data brokers, commercial mailers, government agencies. | Primarily internal; shared with service providers as per privacy policy. | Primarily internal; shared with service providers as per privacy policy. |
| Governing Privacy Framework | U.S. Privacy Act of 1974 | Corporate privacy policy, state laws (e.g., CCPA). | Corporate privacy policy, state laws (e.g., CCPA). |
| Consumer Opt-Out Rights | No option to opt-out of NCOA data sharing if filing a permanent COA. | Governed by privacy policy; may have rights under state laws. | Governed by privacy policy; provides specific opt-out for sale/sharing of personal info. |
Data Broker Integration
Who Really Controls Your Information
Many companies holding the most comprehensive Full Service Provider licenses are data brokers whose core business involves aggregating, enhancing, and selling consumer data. This creates a concerning dynamic where your address change information, submitted to a government agency for mail forwarding, ends up in the hands of companies whose primary mission is commercializing personal data.
The integration between the NCOA system and the data brokerage industry means your moving information becomes part of larger data profiles these companies maintain about individuals. While USPS licensing agreements prohibit creating standalone “new mover” lists for sale, the historical enforcement of this prohibition has been weak.
The 1996 GAO report found USPS oversight inadequate to detect or prevent prohibited practices. GAO’s legal interpretation stated creating new-mover lists from NCOA data was inconsistent with Privacy Act purpose limitations. However, USPS officials at the time disagreed, viewing the prohibition as “good business practice” rather than strict legal requirement.
Commercial Value of Moving Data
The commercial value of knowing when and where people move is substantial. Recent movers represent valuable marketing targets because they’re actively establishing relationships with new service providers—banks, insurance companies, utilities, and local businesses.
Marketing companies pay premium prices for lists of people who have recently moved because these individuals are more likely to respond to solicitations for services they need in their new locations. This creates strong financial incentives for companies to find ways to access and use moving information.
The NCOA system, by centralizing 160 million address change records and making them available to licensed companies, creates a valuable commercial asset that generates millions in revenue for the USPS while potentially exposing citizens to increased marketing and privacy risks.
Government Revenue vs. Privacy Protection
Financial Incentives
The NCOA licensing program generates substantial revenue for the USPS. With Full Service Provider licenses costing over $360,000 annually and dozens of companies holding various license types, the program brings in millions of dollars each year.
This creates a fundamental conflict of interest for the USPS. On one hand, the agency has responsibility under the Privacy Act to be a careful steward of citizens’ personal data. On the other hand, it has powerful financial incentives to maximize revenue from licensing this data.
Government audits have documented a history of lax oversight and enforcement of the program’s privacy rules. Aggressively enforcing rules—for example, by terminating lucrative licenses of non-compliant Full Service Providers—could jeopardize significant revenue streams.
This dynamic creates an environment where the revenue-generating aspect of the NCOA program may be prioritized over rigorous enforcement of privacy protections.
Regulatory Gaps
The regulatory framework governing the NCOA system has struggled to keep pace with the evolving data brokerage industry and changing privacy expectations. The Privacy Act of 1974 was written decades before the current digital data ecosystem existed.
Modern data brokers have sophisticated methods for combining data from multiple sources to create detailed profiles of individuals. The NCOA system feeds into this ecosystem in ways that may not have been anticipated when the Privacy Act was written.
The result is a system where the legal framework provides some protections on paper, but the operational reality involves sharing citizens’ personal information with an industry whose business model depends on exploiting that information for commercial purposes.
Practical Privacy Considerations
What This Means for You
When you file a change of address with the USPS, you should understand that your information becomes part of a commercial database accessed by data brokers, marketing companies, and various government agencies. This information stays in the system for four years and can be used in ways that go beyond simple mail forwarding.
If privacy is a significant concern, consider whether the convenience of USPS mail forwarding is worth the privacy trade-offs. For some people, manually updating addresses with individual organizations may be preferable to having their information in a commercial database.
Alternative Strategies
Temporary forwarding: Consider using temporary rather than permanent forwarding, which may not be included in the commercial NCOA database. However, this only works for shorter-term moves.
P.O. Box forwarding: Some people use P.O. Boxes as intermediate forwarding addresses, though this adds complexity and cost.
Manual updates: The most privacy-protective approach involves manually updating addresses with each organization that sends you mail. This is time-consuming but avoids commercial database inclusion entirely.
Selective forwarding: For people with significant privacy concerns, consider using USPS forwarding only for less sensitive mail while manually updating addresses with financial institutions, healthcare providers, and other organizations handling sensitive information.
Long-term Implications
The NCOA system reflects broader tensions between government efficiency, commercial interests, and individual privacy. As data becomes increasingly valuable and privacy concerns grow, these tensions are likely to intensify.
Understanding how the NCOA system works helps you make informed decisions about privacy protection when moving. While the system provides undeniable convenience and efficiency benefits, it also places personal information into commercial databases in ways that many people don’t realize or expect.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.