Seven years in, and the average person’s idea of European data protection is clicking “accept all” on a cookie banner. It has meant that whenever I mention I work in the privacy space, people do not ask about how GDPR has resulted in billions in fines, stopped opaque processing or held big technology companies to account, but about how GDPR has landed them with more paperwork.

Meanwhile, California has been doing something genuinely intriguing. Something that actually tackles the growing problem of personal data being sold to third parties and reused.

The Data Broker

You’ve probably never heard of a data broker. That’s sort of the point. Data brokers are companies that collect, aggregate, and sell your personal information, and crucially, they have no direct relationship with you. You didn’t sign up to their service. You are not their customer. You are the product, and you didn’t even know you were on the shelf.

Last September, RTÉ Prime-Time made that uncomfortably concrete. An undercover investigation found that minute-by-minute movement data from 64,000 phones in Ireland was available to purchase, handed over for free to journalists posing as a newly established data analytics firm. From that data, Prime-Time was able to identify the home addresses and daily routines of specific individuals by tracking devices that had passed through Leinster House, military bases, and high-security prisons before returning to residential addresses. The people whose data this was had no idea it existed, let alone that it was for sale.

When data brokers who were selling this data were asked about privacy concerns, they said no breach had occurred because phone owners were not directly identified, and that users had consented through the terms and conditions of installed apps. That is the data broker industry’s working defence. And it is precisely the problem California decided to do something about.

Enter California

In 2023, California passed the Delete Act (SB 362), building on the existing California Consumer Privacy Act to create something genuinely new: a centralised deletion mechanism. The Delete Request and Opt-Out Platform, known as DROP, went live on 1st January 2026.

To understand why DROP matters, you need to understand what people were dealing with before it. Data brokers are not a small industry, and we know from the Delete Act’s registration requirements that in California there are over 500 registered data brokers. Exercising your right to deletion under GDPR or the CCPA means identifying each broker individually, submitting separate requests, and hoping for a response. For most people, that friction is insurmountable and their right to restrict or object to data processing is in practice impossible to activate.

DROP removes that friction entirely. One authenticated request, directed at every registered broker simultaneously. 242,000 Californians submitted requests within the first two months, 18,000 in the first 48 hours. The demand was never the problem. People just needed a practical way to act. And for data brokers, the fines are harsh. From August 2026, brokers that fail to process those requests face fines of $200 per request, per day. For brokers holding data on millions of people, that exposure escalates rapidly.

But DROP does something beyond giving individuals a delete button. By requiring brokers to register and respond to a centralised mechanism, it forces an industry that has operated in obscurity into the light. The opacity that the data broker and real-time bidding ecosystem depends on (more on that later) becomes harder to sustain when there is a public register of who is operating, and a legal obligation to act when someone asks them to stop.

What should the EU be doing about data brokers?

GDPR was supposed to be the gold standard. The idea that you have the right to access your data, to know how it is used, and to have it erased was correct. The problem is the practical reality of exercising those rights. As mentioned, the friction involved in objecting to processing for every individual data broker is substantial. You need to find the controller’s contact details, draft a formal request, wait a month, and then receive a response saying either that yes, they have stopped processing your data, or that the broker doesn’t hold your personal data, and then start again. It is not exactly a streamlined experience.

The EDPB is not unaware of the problem. In November 2025, it published its first Data Brokers Market Study, which identified more than 40 data brokers active in Belgium alone. The study was candid: only a limited number of companies fully meet the technical definition of a data broker, but the broader ecosystem poses significant and largely unaddressed privacy risks.

The European Union is currently proposing reforms to the GDPR and other digital laws, in the form of a Digital Omnibus, which includes some genuinely good changes to ten-year-old data protection law. The proposal I want to highlight is the centralised reporting portal for NIS2, GDPR and DORA data breaches and incidents. That kind of consolidation is sensible. What I propose is extending this portal to include mandatory data broker registration and a pan-EU deletion platform modelled on California’s DROP.

The benefits are straightforward. Mandatory registration means, for the first time, there is a definitive answer to the question of who is operating in this market across the EU. A centralised deletion platform means that the rights people already have under GDPR become practically usable, not just theoretically available. And crucially, it begins to address the stereotype that GDPR is a framework that creates bureaucracy without delivering anything tangible to individuals. A single deletion request covering every registered broker is the kind of concrete, usable mechanism that changes how people experience data protection in practice. The infrastructure is already being built. This is a question of political will and ambition, not technical feasibility.

The stakes are not abstract

The data broker market and the real-time bidding (RTB) ecosystem are not separate problems. They are two parts of the same pipeline.

Real-time bidding is the invisible process that runs every time an advert loads on your phone. In the fraction of a second it takes for an app to serve you an ad, your device’s location, behaviour, and identifiers are broadcast to dozens of companies simultaneously. Data brokers tap into that flow, purchasing what the RTB market generates, repackaging it, aggregating it, and selling it on to third parties. The apps participating in this process will tell you that users consented through terms and conditions. Technically, they are right. In any meaningful sense, they are not.

What the Prime-Time investigation revealed was not an edge case. It was the system working as intended. And the consequences of that system become clearest when you look at what happens when a government agency decides to buy in.

404 Media reported that Customs and Border Protection purchased location data sourced directly from the online advertising ecosystem, pulled passively from ordinary apps including dating services, fitness trackers, and video games, and used it to track individuals’ movements over time. The people being tracked had no idea their data had travelled from an app on their phone to a federal agency. In many cases, neither did the app developers.

This is where the absence of a DROP equivalent in the EU becomes most acute. A pan-EU deletion platform modelled on California’s mechanism would not solve the RTB problem outright. But it would do two things that matter. It would give people a practical, usable way to exercise the rights they already nominally have. And it would force the brokers who sit at the end of that pipeline, aggregating and reselling what the RTB market produces, to register, to be identifiable, and to respond when someone asks them to stop. That is not a complete answer. But it is the beginning of one, and right now the EU does not have even that.

The Commission and the EDPB have the evidence base, the institutional infrastructure, and a legislative vehicle already in motion. The question is whether they will use it to give people something real or settle for another layer of process that looks like progress and works like a cookie banner.

By Daniel Whooley

I am just a guy interested in data protection, cybersecurity, politics, environmentalism, urban design, public transport, and history (I have too many hobbies).