Residential proxy IPs come from real consumer devices — laptops, phones, smart TVs — whose owners opted in to share bandwidth, and the quality of that opt-in is the entire ethical question. As of July 2026, all four major providers publish sourcing policies, but the depth varies sharply: IPRoyal names its supply channel (Pawns.app) and that channel publishes real payout terms ($0.20/GB, $5 minimum cashout), Bright Data documents a consent screen and a 2-click opt-out but pays in app perks rather than cash, while Oxylabs and Decodo describe consent-and-reward models without naming apps or rates. Grey-market pools priced under $0.50/GB typically publish none of this — which is exactly why the documents are worth reading.
Key takeaways
- Every genuine residential IP traces back to a consumer device whose owner agreed, somehow, to share bandwidth; what separates providers is how informed that agreement was and whether it is documented.
- Two supply models dominate among the majors: SDKs embedded in partner apps (Bright Data's Bright SDK, Oxylabs' partner applications) and dedicated bandwidth-sharing apps (IPRoyal's Pawns.app); Decodo describes a peer-to-peer opt-in model without naming its apps.
- Only one channel publishes full payout terms: Pawns.app pays $0.20/GB with a $5 minimum cashout and a $3 welcome bonus. Bright Data compensates in kind (ad removal, virtual goods, app upgrades); Oxylabs and Decodo state that compensation exists but publish no rates.
- EWDCI membership splits the four: Oxylabs (founding member, inaugural EWDCI Certified group) and Decodo (co-founder, EWDCI Certified) appear on ethicalwebdata.com; Bright Data and IPRoyal are absent from the member list fetched July 17, 2026.
- Every sourcing claim in this market is vendor self-attestation — none of the four publishes an independent audit of its supply mix — so audit the artifacts instead: the end-user disclosure, the opt-out path, and the payout terms.
- Price is a usable screen: grey-market pools retail below $0.50/GB (Proxyway 2026), which is hard to reconcile with documented compensation costs, and free proxies are worse still — an NDSS 2024 study caught 16,923 of them manipulating content in transit.
How the four major providers source residential IPs
The table condenses each provider's own published sourcing documentation as fetched on July 17, 2026. Everything in it is a vendor claim unless tied to a third-party source, and "not shown" means the term did not appear on the pages we fetched — not that it does not exist.
| Oxylabs | Bright Data | Decodo | IPRoyal | |
|---|---|---|---|---|
| Sourcing model | Partner apps and SDK integrations plus ISP-sourced IPs; acquisition methods graded Tier A+ down to Tier C (vendor claim) | Bright SDK embedded in third-party partner apps | Peer-to-peer opt-in network; no partner apps named | Dedicated bandwidth-sharing app Pawns.app plus IP service provider partnerships |
| Consent mechanism | Explicit consent required; traffic sharing stated explicitly and repeatedly in app terms (vendor claim) | SDK activates only after a dedicated consent screen; disclosure required in host-app terms, with a 2-click opt-out (vendor claim) | Informed consent; peers keep full control over participation (vendor claim); opt-out-anytime wording not shown | Opt-in via Pawns.app; explicit consent and opt-out wording not shown on pages fetched |
| End-user compensation | Monetary reward system stated; rates unpublished | In-kind only: fewer or no ads, hints or extra lives, virtual goods, app upgrades | Money per GB of traffic contributed (vendor claim); rates unpublished | Pawns.app publishes $0.20/GB, $5 minimum cashout, $3 welcome bonus |
| Published sourcing policy | Yes: Residential Proxy Acquisition Handbook (PDF) plus KYC and safety page | Yes: Trust Center sourcing page plus Bright SDK documentation | Yes: dedicated ethical residential sourcing page | Yes: residential-proxy-sourcing page (the previous sourcing URL now returns 404) |
| EWDCI membership | Founding member; inaugural EWDCI Certified group | Not on the member list fetched July 17, 2026 | Co-founder; EWDCI Certified | Not on the member list fetched July 17, 2026 |
Sources: Oxylabs Residential Proxy Acquisition Handbook, Oxylabs KYC and safety, Bright Data Trust Center sourcing, Bright SDK for users, Decodo ethical sourcing policy, IPRoyal residential proxy sourcing, Pawns.app, EWDCI member list (as displayed/fetched July 17, 2026).
Engineer’s take (Hinata): When I audit a sourcing claim, I look for three artifacts, in order: the end-user-facing disclosure (the actual consent screen or app terms, not the buyer-facing marketing page), a documented opt-out path, and payout terms with numbers in them. Marketing adjectives — "ethical," "premium," "trusted" — are not evidence; a published $0.20/GB payout rate is. By that test, IPRoyal's Pawns.app channel is the most inspectable end to end, Bright Data documents the consent mechanics in the most detail, and Oxylabs and Decodo each ask you to take at least one link of the chain on trust.
The three sourcing models
There is no way to obtain genuine ISP-assigned home IP addresses at scale except through real people's devices — the property that makes a residential proxy valuable is precisely that a household, not a datacenter, owns the connection. Providers build that supply through three mechanisms.
SDKs embedded in partner apps
An app developer embeds the proxy provider's SDK in a free app and gets paid for participating devices; the end user accepts bandwidth sharing in exchange for something of value inside the app. Bright Data's implementation is the most thoroughly documented: per its Bright SDK pages and Trust Center, the SDK is enabled only after the user passes an explicit Bright Data consent screen, developers must disclose participation in their terms and privacy policy, and a 2-click opt-out must live in a native settings menu (all vendor claims). One platform detail worth noticing: on iOS the SDK runs only while the host app is open, whereas on Windows and smart TVs it can operate in the background — a difference that changes how much bandwidth a user actually donates. Oxylabs also sources through dedicated partner applications, requiring explicit consent with third-party traffic sharing "explicitly and repeatedly" stated in app terms per its acquisition handbook, though it names no partner apps and publishes no payout rates. We cover both companies' full offerings in our Bright Data review and Oxylabs review.
Dedicated bandwidth-sharing apps
Here the app's only function is bandwidth sharing, which makes consent structurally clearer — nobody installs a bandwidth-sharing app by accident. IPRoyal names Pawns.app as its direct partner, supplemented by what it calls established IP service provider partnerships, feeding a claimed 64M+ IP pool (vendor claim). Decodo's published model has the same shape — a peer-to-peer network where participants give informed consent and earn money per GB contributed (vendor claim) — but its sourcing page names no apps and publishes no rates; see our Decodo review for how that sits within an otherwise well-documented compliance posture.
The opaque grey-market model
At the bottom of the market sit resellers with no published supply chain at all. Proxyway's 2026 market research puts grey-market entry pricing under $0.50/GB, against $2.00-$7.35/GB at the documented providers. The industry's own vocabulary concedes what can hide behind an undocumented pool: Oxylabs' acquisition handbook grades sourcing methods from Tier A+ — financial reward, clear information, user awareness, explicit consent — down to Tier C, which it defines as malware. A pool that documents nothing gives you no way to know where on that scale its supply sits. Free proxy lists are the terminal case: the Free Proxies Unmasked study (NDSS MADWeb 2024), a 30-month analysis of 640,600+ free proxies, found only 34.5% ever active, 4,452 distinct vulnerabilities on proxy IPs (1,755 allowing remote code execution), and 16,923 proxies manipulating content in transit. We unpack that end of the spectrum in free vs paid proxies.
What informed consent should look like
Assembling the strongest published practices across the four providers gives a workable standard — no single vendor documents all five elements:
- Disclosure in the user's path, not the fine print. Bright Data's model puts a dedicated consent screen between the user and activation (vendor claim); consent buried in a EULA nobody scrolls is the pattern the industry is trying to leave behind.
- Disclosure repeated in the terms. Oxylabs' handbook requires third-party traffic sharing to be stated explicitly and repeatedly in partner-app terms (vendor claim) — the terms should confirm what the screen said, not replace it.
- A findable opt-out. Bright Data specifies a 2-click opt-out in a native settings menu (vendor claim). Decodo states peers keep full control over participation, but opt-out-anytime wording was not shown on the page we fetched, and IPRoyal's opt-out terms were not shown either — both gaps worth asking about before an enterprise purchase.
- Named consideration. The user should know what they get: cash at a stated rate (Pawns.app's $0.20/GB), or defined in-kind value (Bright Data's ad removal, virtual goods, or app upgrades).
- Platform honesty. Bright Data's disclosure that the SDK is foreground-only on iOS but background-capable on Windows and smart TVs is the level of specificity that separates documentation from marketing.
What end users get paid
Compensation is where sourcing claims become checkable, because payment terms have numbers in them. Here is everything the four supply chains publish, as displayed on July 17, 2026:
| Supply channel | Documented compensation terms |
|---|---|
| Pawns.app (IPRoyal) | $0.20/GB shared; $5 minimum cashout via PayPal, Bitcoin, ACH, Venmo, Visa or other gift cards; $3 welcome bonus; "up to $140/month" cited on country guide pages, with a disclaimer that only the most active users may earn up to $500/month |
| Bright SDK (Bright Data) | In-kind only: fewer or no ads, a hint or an extra life, virtual goods, or an upgraded app version; users who opt out may lose the value received — for example, ads return (vendor docs) |
| Oxylabs partner apps | A monetary reward system is stated in the acquisition handbook; per-user payout rates and partner app names are unverified (not shown on the pages fetched 2026-07-17) |
| Decodo peer network | Participants "earn money calculated per GB" contributed (vendor claim); rates unverified (not shown on the page fetched 2026-07-17) |
Pawns.app's $0.20/GB matters beyond IPRoyal's own pool — which we assess fully in our IPRoyal review — because it is the only public data point for what compensated residential supply costs. Set it against grey-market retail pricing under $0.50/GB and the arithmetic gets uncomfortable: if a no-name pool paid its users anything like the one documented rate, it would have at most $0.30/GB left to fund infrastructure, compliance, and profit. The simpler explanation, in my judgment, is that it does not pay them.
Red flags checklist
Working signals that a pool's supply chain deserves skepticism, each anchored to something documented above:
- No published sourcing policy. All four majors maintain one — Oxylabs a full acquisition handbook, Bright Data a Trust Center section, Decodo a dedicated policy page, IPRoyal a sourcing page. In 2026, absence is a choice, not an oversight.
- No end-user opt-out. The best-documented programs specify one (Bright Data's 2-click native-settings opt-out, vendor claim). A network whose participants cannot leave is not describing volunteers.
- Prices too cheap to fund compensation. Grey-market entry pricing runs under $0.50/GB per Proxyway's 2026 research, while the one published payout rate is $0.20/GB. Sustained retail prices near documented supply cost imply the supply is not being paid for.
- No KYC of buyers. Vetting is a compliance feature, not friction: Oxylabs requires a KYC form from every customer, Bright Data limits residential access to companies passing human-reviewed KYC, Decodo runs automated fraud checks with ID escalation, and IPRoyal runs KYC through iDenfy. A provider that asks you nothing has a compliance function that likely asked its suppliers nothing either.
- "Free" residential proxies. The NDSS 2024 study's numbers — 16,923 content-manipulating proxies, 1,755 remote-code-execution vulnerabilities across the free-proxy population — plus Proxyway's guide on free-proxy risks make the mechanism plain: when you pay nothing, your traffic is the product.
Why this matters to buyers
Buying residential bandwidth means inheriting a supply chain: your requests exit through devices you never vetted, selected by a vendor you did. That creates three exposures. Reputationally, if a pool's supply turns out to be non-consenting, the story names the buyers as well as the seller. Legally, the participating device owners are people, and the GDPR/CCPA commitments on Bright Data's and Decodo's pages exist because bandwidth-sharing relationships process participants' data — an exposure that flows up the chain to enterprises whose traffic rides on it. (This is general information, not legal advice; for the buyer-side legal picture, see is web scraping legal.) Operationally, a supply base recruited without real consent is easier to lose — to an app-store policy change or a legal challenge — than one built on documented contracts, and pool stability is exactly what you are paying a premium for. Sourcing documentation therefore belongs on the same evaluation sheet as price and pool size; our guide on how to choose a proxy provider shows where to slot it.
Our methodology
This is a document-based comparison, not a field test. Every provider-specific claim comes from the provider's own published sourcing, SDK, and compliance pages fetched on July 17, 2026, and is labeled a vendor claim where it is one; market figures come from Proxyway's 2026 research and the NDSS MADWeb 2024 study, both dated. Where a document did not show a term — payout rates, opt-out wording — we say unverified rather than assume. ProxyFacts has not yet run first-hand benchmarks; every figure above comes from the cited provider pages and dated third-party research. ProxyFacts earns a commission if you subscribe to some services linked from this site; this article deliberately contains no affiliate call-to-action blocks, and commissions never change what the cited documents say.
Verdict
Frequently asked questions
Is it legal for my traffic to exit through a stranger's home connection? Where the device owner opted in under the provider's published terms, participation is a contractual arrangement between provider, app partner, and user. The buyer's own exposure attaches mainly to what is done through the connection — data-protection and computer-misuse rules apply regardless of whether the exit IP is residential, as our web scraping legality guide explains.
Why does Bright Data pay in app perks instead of cash? Because its supply arrives through app developers who embed the Bright SDK, compensation flows through the app: the vendor lists fewer or no ads, hints or extra lives, virtual goods, or an upgraded app version, and notes that opting out may take that value away — ads return, for example. Cash payouts belong to the dedicated-app model, where Pawns.app publishes $0.20/GB.
Does EWDCI membership prove a pool is clean? No — it is a verifiable signal, not an audit. The member list on ethicalwebdata.com is independently checkable (Oxylabs and Decodo appear; Bright Data and IPRoyal do not, as fetched July 17, 2026), but none of the four publishes an independent audit of its actual supply mix, so weigh membership alongside the artifacts you can inspect yourself: the consent screen, the opt-out path, and the payout terms.
For how sourcing fits into the full buying decision — pool sizes, pricing, performance claims, and KYC — read our best residential proxies guide.