A six-month investigation into where data travels after users click "Accept All" on websites has uncovered a vast, deliberately fragmented global supply chain.

Within milliseconds of consent, a real-time bidding auction begins, transmitting data to dozens of third-party domains. Many of these entities are obscure, operating across jurisdictions with minimal data protection.
The system is designed for opacity, with data brokers aggregating behavioral profiles, location data, and inferred demographics. This information is then sold through complex arrangements, making accountability structurally impossible. Companies often maintain deliberate ignorance of downstream data use to avoid liability.

Geographic fragmentation is exploited: contractual agreements move data from regulated environments like the EU to jurisdictions with weaker frameworks. Attempts to exercise data access rights often yield meaningless responses or no response at all.
Cookie consent banners are described as "compliance theater," providing a veneer of user agency without genuine understanding. The information asymmetry is extreme, rendering informed consent a legal fiction. Wealthy, tech-savvy users can opt out, while others become the product.
Regulations like GDPR have had some impact, but data regulation remains territorial while data flows are global. By the time investigations map data flows, the infrastructure has already evolved and companies have restructured or moved jurisdictions.
The reality is that data enters a supply chain spanning continents, operating in legal gray zones by design. Consent is technically valid but practically meaningless, and regulators are working with outdated tools against a system designed for opacity and profit.