By Jenna Jarrah
May 28, 2026
Listen To This Story
 |
Anyone who uses the internet knows how the quality of the user experience has deteriorated. Search engines produce results full of ads and incorrect answers. Every other post on Instagram, Facebook, X, and Pinterest is an ad. Artificial intelligence reads your emails, hallucinates, and tries to finish your sentences incorrectly nonstop. You have to slog through two-step verification just to order online at your favorite restaurant. Consumers have to create an account with a username and password to do just about anything now, and when they do, they are forced to choose between agreeing to have their online activity tracked or being shut out from using digital products and services at all.
The “enshitification” of the internet, as tech journalist and author Cory Doctorow puts it, shifted platforms away from user autonomy and choice to today’s digital landscape where, in order to maximize profits for shareholders, every one of those sites, services, and apps is designed to monitor, record, and monetize people’s online behavior with hidden technology and terms of services that nobody reads or understands.
Now, users and their data are products that generate significant revenue streams for Big Tech companies like Meta, Alphabet, ByteDance (the owners of TikTok), and Snap, Inc. Not only that, but the industry is spending hundreds of millions of dollars on lobbying efforts and campaign contributions across party lines to ensure that Americans are alone in the fight to safeguard their data privacy, and that the government remains on the sidelines.
The emergence of AI is putting even greater pressure on data privacy, because tech companies need more and more input to make their large language models (LLMs) more accurate and impressive — with data scraped from the internet and hoarded on servers without public knowledge.
And the Trump administration is siding with them. Citing national security concerns, it views AI supremacy as a key to maintaining economic and military dominance over China.
As a result, the collection and sale of consumers’ personal data, made possible in part by so-called data brokers, has now been supercharged and is expected to grow substantially in the coming years.
In 2025, the data brokerage industry was valued at $331.48 billion and it is projected to generate $363.4 billion by the end of 2026. By 2030, thanks to the exponential automation and digitization that goes hand-in-hand with the AI boom, that figure is expected to increase to $519.55 billion. That’s similar to the size of the projected EV battery and charging infrastructure industry in 2030.
California Leads the Way
All of this has been enabled by a lack of a comprehensive privacy law at the federal level, but some states have sought to fill that void.
Enacted in 2020, the California Consumer Privacy Act (CCPA) was the first comprehensive privacy law passed by a state in the US, followed by Virginia, Colorado, Utah, and Connecticut. Now, 20 states have individual privacy regulations providing varying degrees of protection.
While a step forward in privacy legislation, this patchwork of state regulations is ineffective because these laws put the onus for keeping data private on both consumers and businesses.
And that’s a problem.
“The intent with having the ‘both sides’ perspective is to empower people, and to give them rights and options in what they do, which is a great goal,” said Calli Schroeder, director of the AI and Human Rights Program at the Electronic Privacy Information Center (EPIC). “But there is only one side that’s benefiting from data collection, and that’s the company. The company gets huge value out of using people’s information, and they’re also the ones designing the system.”
This means that consumers must still fill out “delete request” forms, individually opt out of third-party tracking on every site or app that they use in states where universal opt-out is not available, or make the decision to not use a product or service if they don’t agree with a company’s notice-and-choice privacy policy.
With a dedicated Privacy Protection Agency (CPPA) and the Delete Request and Opt-out Platform (DROP) — the first-ever privacy tool of its kind in the country — California has clearly positioned itself as the gold standard for privacy laws in the US.
The CPPA, which was established to enforce California privacy laws, ensures consumers can exercise individual rights, while the DROP tool gives individuals more control over how their data is being used.
When American Honda Motor Co. made it difficult for Californians to exercise their privacy rights and shared consumers’ personal information with other companies without the proper safeguards to protect individual privacy, the CPPA issued a decision in 2025 that required the company to change its business practices and pay a $632,500 fine — the largest in the agency’s history at that time.
Part of the Delete Act, the DROP tool allows Californians to delete various types of personal data, like their name, address, phone numbers, online behavioral data, and sensitive data like geolocation, from over 500 registered data brokers with a single request.
On May 4, Connecticut followed California’s lead by passing Senate Bill 4, which created its own one-stop system for residents to delete their personal data from data brokers — the second state in the nation to do so.
With so many states passing or considering legislation to protect consumers’ data privacy, Big Tech set out to “change or block” any attempt to restrict data companies’ freedom to profit from gathering and exploiting user-generated information. One fruit of this effort was the drafting of a “model” industry-friendly data privacy bill that has been lobbied for in an overwhelming majority of states.
“California has a pretty strong law from a consumer protection standard, which got Big Tech very worried. California’s law was going to be replicated across the country and become a de facto national standard,” according to Matt Schwartz, senior policy analyst at the advocacy organization Consumer Reports. “So very quickly Big Tech created their own model of privacy bill, which facially resembles CCPA, but has a lot more loopholes and weaker protections in a lot of key areas.”
Big Tech’s investment in lobbying and campaign contributions paid off, and not just at the state level.
Last month, House Republicans introduced the “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” — or SECURE Data Act — to move forward with a fresh attempt to enact a federal privacy law.
However, critics of the legislation say that, in reality, it matches the standards set by states with the weakest laws while overriding the strongest protections in others.
“This bill would be a huge gift to Big Tech and would take away privacy protections from millions of Americans across the country,” said Caitriona Fitzgerald, deputy director and policy director of EPIC. “It would wipe out a huge range of privacy, security, online safety, and civil rights laws without providing any meaningful protections for Americans.”
More specifically, the SECURE Data Act would roll back data privacy protections that already exist in many states, such as those prohibiting the collection, use, and sale of sensitive data; the requirement for companies to honor universal opt-out mechanisms; and provisions allowing teens and children to opt out of the collection and sale of their own data.
The proposals outlined by the bill mirror Big Tech’s goal of putting in place weak data privacy legislation at the federal level, and the industry has invested heavily in getting lawmakers to do its bidding.
In 2025, it spent over $100 million lobbying Congress — the most the industry has ever doled out to influence government policy. Key to Big Tech’s lobbying agenda was the pushback against state-level AI regulation that culminated in an executive order President Donald Trump signed in December which stated that “a patchwork of 50 different regulatory regimes … makes compliance more challenging.”
The Battle Over Consumer Data
According to a 2023 poll by Pew Research Center, 81 percent of Americans are concerned about how companies use the data that is collected about them, and 77 percent have little to no trust in social-media CEOs to handle their data responsibly.
In addition, a more recent survey shows that 71 percent of Americans expressed concerns about data misuse by AI.
Individuals who want to safeguard their privacy have few choices, especially those not living in California or one of a handful of other states that offer some protections.
To fill the gap, a whole new industry is springing up that promises to protect internet users who want to pay to protect their privacy, but such security could cost hundreds of dollars annually.
“There is a growing segment of consumers who are adults who are aware that their data is everywhere online, and they are very concerned about privacy,” said Kristin Lewis, the chief product officer at Aura, an online safety company offering a service that protects people’s data from cybersecurity risks.
On the other side of this fight are data brokers who create and sell digital profiles of Americans by using their digital footprint, i.e., the trail of data they leave online with each click, search, purchase, or interaction on the internet.
By law, data brokers are required to provide an opt-out mechanism, which allows consumers to stop participation in data collection, marketing, or tracking in such cases.
However, for consumers, opting out is not so easy.
“As you can imagine, data brokers go out of their way to make that as challenging as possible for the consumer, because their whole business model is, how do we have as many profiles that are as rich [in information] as possible,” noted Lewis.
Even if a consumer decides to opt out and reject third-party tracking, the industry has a multitude of rules that allow profiles to be reinserted every 45 days, according to Harry Maugans, the CEO of Privacy Bee, another leading online safety company.
“It’s a very cat-and-mouse-game industry,” said Maugans. “Once brokers delete an individual’s data, more data is always coming back in. They can claim they got new data that has the ability to bring the consumer’s profile back into their system.”
And while there are some data brokers that comply with automated delete-requests from data privacy companies, the biggest brokers put up all kinds of hurdles.
“They lose emails, they throw flags, they throw up so many excuses and push back because their business model is selling data,” said Maugans. “So if you’re able to successfully delete data from these companies, they lose money.”
The battle being fought over data sheds a warning light on the increasing threat to Americans’ privacy. The growing influence of Big Tech, the laissez-faire approach of the Trump administration, and the booming profitability of the data brokerage industry have left individuals more vulnerable than ever.
As the industry — boosted by AI — plays an ever-larger role in the day-to-day lives of Americans, the balance of power has never been more tilted toward commercial exploitation of personal data.
Without a strong privacy law, these companies are left to govern such data as they wish. And with Big Tech’s track record of treating users’ information as a saleable asset, every click, search, and purchase will continue to feed a data machine that most Americans never truly agreed to fuel in the first place.
* This article was automatically syndicated and expanded from WhoWhatWhy.
Leave a Reply