Nothing here is a breach

Commercial data extraction is not an intrusion. No door is forced, no password stolen, no figure in a hoodie. Every step in the chain is contracted, disclosed somewhere in a policy, and agreed to by a click nobody read. Collection runs continuously, on everyone, whether or not any single person is ever looked at. That is the ground truth of the model: the harm, where there is harm, comes from a standing arrangement working exactly as designed, not from it failing.

Whoever built the greenhouse also set a harvest schedule, and the picking is done by parties the plants inside will never meet.

What separates this from state surveillance

The surveillance model covers who watches in the name of security and under what law.

This is the layer of watching that answers to a balance sheet instead, and the differences change what defence can look like.

There is no warrant, because none is needed. There is no suspicion, because the target is not a suspect. A person here is inventory: valued as a member of a segment, priced, matched, and resold, rarely named and rarely of interest as an individual at all. The motive is revenue, and the collection scales because collection is cheap and the profile sells.

What a state cannot lawfully gather, it can often buy. Government agencies have bought from data brokers the location data they would otherwise need a warrant to collect, and the 2025 Databroker Files investigation traced the same commercial feeds to the movements of officials inside the EU’s own institutions. Procurement, not interception. The commercial harvest is the raw material; state surveillance is one of its customers.

The legal cover for most of this is consent. The consent is manufactured. Cookie banners are built to make refusal slower than acceptance, permission prompts bundle what an app needs with what its partners want, and the industry-standard mechanism for recording the whole thing has not held up in court. The Belgian Data Protection Authority ruled in February 2022 that IAB Europe’s Transparency and Consent Framework, the consent plumbing behind much of the European ad ecosystem, infringed the GDPR, and fined it €250,000. The Court of Justice of the EU confirmed in March 2024 that the framework’s consent string is personal data and that IAB Europe is a joint controller of it; the Brussels Market Court upheld the finding in May 2025.

What that sequence establishes is not the fine, which is small. It is that the consent a person appears to give across thousands of sites was, on the regulator’s reading, no valid legal basis at all. The banner is a formality, and behind it the data has already moved.

One impression, thousands of recipients

None of the individual signals looks alarming alone. A page view, an app opened, a rough location, a device holding the same identifier for months. Extraction turns these into something else by never stopping and by sharing widely. A single ad impression can broadcast what a person is reading, and roughly where they are, to hundreds or thousands of companies at once through real-time bidding; the Irish Council for Civil Liberties put the European figure at around 376 broadcasts per person per day in its 2022 analysis. Each recipient may keep, combine, and resell what it receives. The result is not a snapshot but a profile that accretes, recombines, and outlives the moment that fed it.

Where this leads

Naming the arrangement is the start; reducing a person’s exposure to it is separate work, and most of it is not individual. The practical response for a person lives in the citizen strategy; for an organisation that is itself a collector, in the company strategy. Those already carrying the most risk, with the least room to opt out, are covered in the precarious-status strategy.

The service was free because the service was never the product. The profile is, and the reader is the crop.

Last reviewed: 2026-07-17.