Privacy advice tends to be framed as if you’re starting from a clean slate: install this VPN, switch to that browser, lock down those settings, and your data will be protected. The framing is wrong. By the time anyone is sophisticated enough to care, the major data brokers already have a comprehensive file on them. Privacy hygiene from this point on is damage limitation, not data prevention.
Data brokers have your file already
Companies like Acxiom, Experian, LexisNexis, Epsilon, and dozens of less-known firms have spent decades aggregating data from public records, retail loyalty programs, social media activity, magazine subscriptions, charitable donations, voter registrations, and credit applications. The composite file on a typical American adult includes: full name and address history, household members, estimated income, political leanings, religious affiliation, charity giving patterns, vehicle ownership, real estate ownership, marital status, children’s ages, health conditions inferred from purchasing behavior, and travel patterns. This information was assembled before most users thought to opt out of anything.
Breaches have made the rest public
What data brokers don’t have, breaches have leaked. Equifax (2017): 147 million Social Security numbers. Yahoo (2013): 3 billion accounts. Marriott (2018): 500 million records including passport numbers. The cumulative effect is that for most Americans, there’s essentially no private personally identifiable information that hasn’t appeared in some breach corpus. The ratio of breached records to U.S. population is now well above 1:1. Treating your SSN, email addresses, phone numbers, and basic demographic data as secrets is no longer realistic; they aren’t.
Privacy “controls” mostly aren’t
Platform privacy settings are designed to feel meaningful while preserving the underlying data flow. Turning off ad personalization on most platforms doesn’t stop data collection; it just changes how the company displays it back to you. Opting out of data broker lists requires submitting requests to each broker individually, and brokers reappear on the list later with new shells. Some controls are real (turning off location history actually limits collection), but the average privacy-settings tour gives users a sense of agency that exceeds what’s actually been changed.
What you can still meaningfully protect
The realistic protections available to most users address the future, not the past: a password manager so individual breaches don’t cascade, two-factor authentication on important accounts, freezing your credit at all three bureaus (which prevents new accounts from being opened in your name and is the single highest-leverage privacy step most people can take), a credit monitoring service or free equivalent, and a deliberate choice about what new data you generate going forward. Email aliases and a separate phone number for accounts can also reduce future exposure.
The takeaway
The privacy fight worth having is the one over what you generate from now on, what’s done with that data, and how the compromised existing record can be used against you. The fight to keep your historical data private is over; it’s been over for years. Accepting that lets you focus on the protections that actually still work, instead of the symbolic ones that mostly don’t.