Six months ago, I clicked “Accept All” on a mid-tier European news site and decided to follow the data. Not metaphorically. I mean I actually tried to trace, step by step, where the information generated by that single click traveled, who received it, what they did with it, and who they sold it to next. I did this because I’d been writing about data privacy for years without ever really understanding the mechanical reality of what happens in the milliseconds after consent is given. I assumed it would be complicated. I didn’t expect it to be essentially untraceable.
What I found over six months of interviews with ad tech engineers, privacy researchers, former data broker employees, and one remarkably candid compliance officer at a major European publisher is something that resembles a global supply chain more than it resembles anything the word “privacy” can meaningfully describe. The infrastructure is vast, deliberately fragmented, and designed to make accountability structurally impossible. And the more I looked, the more I realized that the regulatory frameworks we celebrate as progress, from GDPR to the CCPA, were built to govern a version of the data economy that no longer exists.

The first 200 milliseconds
When you click “Accept All” on a cookie consent banner, a real-time bidding auction begins. This is well-documented. What is less well-documented is the sheer scale of participation in that auction and the volume of data that gets sprayed outward before any transaction is even completed.
I worked with a privacy researcher in Berlin who helped me set up a controlled browsing environment, essentially a clean machine with network traffic monitoring, to watch what happened after I accepted cookies on 47 European websites over the course of a week. On average, each “Accept All” click triggered data transmissions to between 40 and 70 third-party domains within 200 milliseconds. Some of those domains were recognizable: Google, Meta, Amazon ad services. Many were not. Names like Taboola, Criteo, Index Exchange, and dozens of smaller entities I had never heard of, registered in Delaware, Ireland, Singapore, and the Cayman Islands.
The researcher, who asked not to be named because they consult for companies in this space, put it bluntly: “The consent you give on a European website is treated as a license to distribute your behavioral profile globally. There is no technical mechanism that limits that distribution to the jurisdiction where consent was given.”
This is the first thing I want to be clear about. The system works exactly as designed. The fragmentation, the speed, the jurisdictional complexity: these are features, not bugs. The data economy was built to outrun regulation, and it has succeeded.
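The measurement described in this section can be reduced to a small script. This is an added example, not the researcher's tooling: it takes request start times and URLs exported from a traffic capture and counts the distinct third-party domains first contacted within 200 milliseconds of the consent click. The hostnames, the sample capture and the abbreviated suffix list are constructed for illustration; real analysis should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Abbreviated stand-in for the Public Suffix List (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.sg", "com.au"}

def registrable_domain(host):
    """Approximate eTLD+1 so that several hosts of one company count once."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def third_parties_after_consent(requests, first_party, consent_ms, window_ms=200):
    """Map each third-party domain to the offset (ms) of its first request
    started within window_ms after the consent click."""
    site = registrable_domain(first_party)
    seen = {}
    for started_ms, url in sorted(requests):
        offset = started_ms - consent_ms
        if not 0 <= offset <= window_ms:
            continue  # before the click, or after the window closed
        host = urlsplit(url).hostname
        if not host:
            continue  # data: URLs and malformed entries carry no host
        domain = registrable_domain(host)
        if domain != site and domain not in seen:
            seen[domain] = offset
    return seen

# Constructed capture: (request start in ms since page load, URL).
SAMPLE_CAPTURE = [
    (940, "https://www.dailynews.example/article"),
    (960, "https://cdn.cmp-vendor.example/banner.js"),    # loaded before consent
    (1003, "https://static.dailynews.example/app.js"),    # first party
    (1012, "https://bid.exchange-a.example/openrtb"),
    (1015, "https://sync.exchange-a.example/match?uid=1"),  # same company again
    (1048, "https://px.dmp-b.example/pixel.gif"),
    (1190, "https://tags.adserver-c.example/t.js"),
    (1260, "https://late.broker-d.example/collect"),      # outside the window
]
CONSENT_CLICK_MS = 1000

if __name__ == "__main__":
    found = third_parties_after_consent(SAMPLE_CAPTURE, "www.dailynews.example", CONSENT_CLICK_MS)
    for domain, offset in found.items():
        print(f"{offset:4d} ms  {domain}")
    print(len(found), "third-party domains within 200 ms")
```

The resulting domain list is also the starting point for the access requests described later in the piece, since each entry is an organisation that received data after the click.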
The broker layer nobody talks about
After the initial auction, your data enters what I’ve come to think of as the broker layer. This is the part of the supply chain that is genuinely opaque, even to people who work in adjacent parts of the industry.
Data brokers acquire behavioral profiles, location data, device fingerprints, and inferred demographic information from ad exchanges, app SDKs, loyalty card programs, and public records. They aggregate this information into profiles that can contain hundreds of data points per individual. Then they sell access to those profiles, sometimes through direct sales, sometimes through nested API arrangements where the buyer’s buyer’s buyer ends up with your information.
A Federal Trade Commission report from 2014 identified the broad contours of this industry, but the landscape has changed dramatically since then. What used to be a business of selling static lists has become a real-time infrastructure of behavioral prediction. Companies like Acxiom (now LiveRamp), Oracle Data Cloud (which Oracle shut down in 2024 after regulatory pressure), and dozens of smaller firms operate as the connective tissue between your casual browsing and systems that make decisions about what you see, what you’re offered, and increasingly, what opportunities are available to you.
I spoke with a former employee of a mid-size data broker based in the United States who described the internal culture as one of deliberate ignorance about downstream use. “We didn’t ask what clients were using the data for,” he told me. “The whole business model depended on not asking. If you ask, you create a paper trail. If you create a paper trail, you create liability.”
This is the dynamic that makes regulation so difficult. Each entity in the chain holds only a fragment of the picture. The publisher says they obtained consent. The ad exchange says they merely facilitated a transaction. The broker says they aggregated publicly available information. The end buyer says they purchased data from a licensed vendor. Everyone is compliant in isolation. The system as a whole is accountable to no one.
Where geography becomes a weapon
One of the more striking findings from my research is how deliberately the data supply chain exploits jurisdictional boundaries. Data generated in the EU, where GDPR provides theoretically robust protections, routinely ends up processed and stored in jurisdictions with minimal or no data protection frameworks. The mechanism is usually a chain of contractual agreements, each one technically legal, that moves data from a regulated environment to an unregulated one through a series of intermediaries.
A study by Cracked Labs, an Austrian research institute focused on digital rights, traced how data from European users ended up in databases accessible to entities in countries with no adequacy agreements under GDPR. The transfers happened through corporate subsidiaries, through data-sharing arrangements classified as “joint controllership,” and through the simple expedient of processing data in real-time across borders before any regulatory framework could meaningfully intervene.
I saw this firsthand when I tried to exercise my GDPR right to access the data held about me by several of the third-party domains I’d identified in my browsing experiment. Of the 47 entities I contacted, 12 responded within the legally mandated timeframe. Of those 12, seven provided responses that were essentially meaningless: generic descriptions of data categories with no specific information about what they actually held. Three told me they had no data about me, which was demonstrably false based on the network traffic I’d captured. Two provided genuinely detailed responses that revealed the scope of what they knew, including browsing patterns, approximate location history, and inferred interests and income bracket.

The remaining 35 entities either didn’t respond at all or sent boilerplate messages directing me to privacy policies that, in several cases, linked to dead pages.
I’m based in Singapore, which adds another layer of complexity. The Personal Data Protection Act here is functional but modest compared to GDPR, and enforcement tends to focus on egregious breaches rather than systemic data flows. For someone sitting where I sit, the question of which jurisdiction’s rules apply to my data at any given moment is genuinely unanswerable. And that unanswerable quality is precisely what makes the system work.
The consent fiction
Let me be direct about something. Cookie consent banners are a compliance theater that serves the interests of the data industry while providing a veneer of user agency. The average person clicking “Accept All” has no meaningful understanding of what they’re consenting to, and the system is designed to ensure they never will.
This is where the power analysis becomes important. The consent model assumes a transaction between equals: a user who understands what they’re giving up and a company that transparently describes what it’s taking. In reality, the information asymmetry is so extreme that the concept of informed consent becomes a legal fiction. You would need to read approximately 25,000 words of privacy policies to understand what a single “Accept All” click authorizes. You would then need expertise in ad tech, data brokerage, and international data transfer law to understand what those policies actually mean in practice.
The people who designed this system know this. I had a conversation with a former product manager at a major consent management platform (the companies that build the cookie banners themselves) who told me that the entire product design process was oriented around maximizing “Accept All” click rates. “We A/B tested everything,” she said. “Button color, placement, the number of steps required to reject cookies versus accept them. The client’s goal was always the same: get the highest possible consent rate. That’s what they were paying us for.”
This is a class issue, and I think it’s worth naming it as such. The people most affected by pervasive data collection are the people least equipped to navigate it. Wealthy, technically sophisticated users install ad blockers, use VPNs, and pay for services that don’t rely on advertising. Everyone else is the product. The data supply chain runs on the behavioral surplus generated by billions of people who have neither the time, the knowledge, nor the realistic option to refuse participation.
What regulators can and can’t do
I don’t want to suggest that regulation is meaningless. GDPR has created real consequences for some companies. The Irish Data Protection Commission’s fines against Meta, however criticized for their slowness, represent genuine enforcement. But the structural problem remains: data regulation is territorial, and data flows are not.
The EU’s Digital Markets Act, the proposed AI Act’s data governance provisions, and various national efforts represent meaningful attempts to extend regulatory reach. But every regulator I spoke with, off the record, acknowledged the same fundamental limitation. By the time a regulatory investigation maps a data flow, the infrastructure has already evolved. The companies involved have restructured, renamed, or simply moved to a different jurisdiction.
There is a parallel here to other global supply chains. We’ve seen how garment manufacturing, electronics production, and food systems all use geographic fragmentation to evade labor and environmental standards. The data supply chain operates on the same principle, just faster. The commodity being extracted is behavioral information rather than physical labor, but the structural logic is identical: distribute the process across enough jurisdictions that no single authority can see the whole picture, let alone govern it.
What I actually learned
Six months of this research changed how I think about digital life in ways I didn’t anticipate. I’m not writing from a position of purity here. I run a media company. We use analytics. We operate within the same ecosystem I’ve been describing, and I’m not going to pretend otherwise. But I now understand the distance between the story we tell ourselves about data privacy (that it’s a matter of individual choices and informed consent) and the material reality of how data actually moves through the world.
The material reality is this: your data, after you click “Accept All,” enters a supply chain that spans dozens of companies across multiple continents, operating in legal gray zones that exist by design rather than by accident. The consent you gave was technically valid and practically meaningless. The regulators tasked with protecting you are working with tools built for a slower, simpler version of this problem. And the companies profiting from the system have every incentive to keep it exactly as opaque as it currently is.
I don’t have a clean solution to offer. Anyone who does is probably selling something. But I do think clarity about the problem matters. The data economy isn’t broken. It’s working precisely as intended, extracting value from human behavior at a scale and speed that outpaces every institutional check we’ve built. Understanding that, really understanding it, at minimum changes the questions we ask. And maybe that’s where meaningful reform starts: with better questions, asked by people who’ve bothered to look at how the machine actually runs.