You are reading this on a device that knows your location, your browsing history, your purchase patterns, your political preferences, your health concerns, your relationship status, and approximately 2,000 other data points collected by companies you have never heard of.
This is not paranoia. It is the business model of the internet. Your attention is sold to advertisers. Your data is sold to brokers. Your behavior is sold to anyone willing to pay.
Understanding how this works — and what you can realistically control — is no longer optional. It is basic literacy for living online.
How your data is collected
First-party collection — data you give directly to services you use:
- Account registration (name, email, phone)
- Search queries (Google, Bing)
- Purchase history (Amazon, any e-commerce)
- Location (maps, weather, “find nearby”)
- Content you create (posts, photos, messages)
- Device information (model, OS, screen size)
Third-party tracking — data collected about you by entities other than the site you are visiting:
- Cookies — small files stored on your device that track your browsing across sites
- Tracking pixels — invisible images in emails and web pages reporting when and where you viewed content
- Fingerprinting — identifying you by device configuration (browser, fonts, screen resolution, plugins) without cookies
- Social media pixels — Facebook, Google, and TikTok trackers embedded on millions of websites, reporting your activity back to advertising platforms
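How a tracking pixel can be spotted in practice, as an added example that is not part of the original article: the sketch below scans an email's HTML for remote images that are at most 1x1 or hidden by CSS. The sample email, its hostnames and the size/visibility heuristic are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: HTML body of a marketing email (not real traffic).
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your order has shipped.</p>
<img src="https://cdn.shop.example/logo.png" width="180" height="40">
<img src="https://t.mailer.example/open?u=8f3a&c=spring" width="1" height="1">
<img src="https://px.ads.example/e.gif?id=8f3a" style="display:none">
<img src="cid:banner001" width="600" height="200">
</body></html>
"""

def _px(value):
    """Parse a width/height attribute; a missing or non-numeric one is not tiny."""
    try:
        return int(str(value).lower().replace("px", "").strip())
    except ValueError:
        return 10**6

class PixelFinder(HTMLParser):
    """Collects remote <img> tags that render at most 1px wide/high or are hidden."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        url = urlparse(a.get("src", ""))
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are embedded; showing them contacts no server
        style = a.get("style", "").replace(" ", "").lower()
        tiny = _px(a.get("width")) <= 1 or _px(a.get("height")) <= 1  # heuristic
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.hits.append({"host": url.hostname,
                              "carries_id": bool(url.query),  # per-recipient token likely
                              "reason": "1x1" if tiny else "hidden"})

def find_tracking_pixels(html):
    """Return one dict per suspected tracking pixel found in the HTML."""
    finder = PixelFinder()
    finder.feed(html)
    return finder.hits
```

Any remote image reports an open to its server; the pixel is simply the one you cannot see, which is why mail clients that block remote images by default defeat it.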
Data brokers — companies that collect, aggregate, and sell personal data:
- Acxiom, Experian, Oracle Data Cloud, LexisNexis
- Sources: public records, purchase histories, loyalty programs, surveys, scraped web data
- Products: marketing lists, risk assessment profiles, people-search databases
- Estimated 4,000+ data broker companies operating globally
App permissions — mobile apps request access to contacts, location, camera, microphone, and health data, often beyond what the app’s function requires.
What they know about you
A typical digital profile includes:
- Full name, age, address history, phone numbers, email addresses
- Purchase history across retailers (linked by credit card and loyalty programs)
- Browsing and search history (health symptoms, political views, financial concerns)
- Location history (home, work, travel, medical visits)
- Social connections and communication patterns
- Employment history, education, estimated income
- Political affiliation (inferred from browsing, donations, location)
- Health interests (inferred from searches, pharmacy purchases, app usage)
- Predictive scores: creditworthiness, health risk, purchase propensity, political persuadability
This profile is not held by one company. It is fragmented across hundreds of databases, linked by email address, phone number, device ID, and name matching.
How it is used (and misused)
Advertising — the primary revenue model. Targeted ads based on your profile. The reason Facebook is free and Google is free.
Pricing — dynamic pricing based on your location, device, and browsing history. Airlines, hotels, and e-commerce sites show different prices to different users.
Insurance — health and auto insurers use data profiles for risk assessment and premium calculation. Your fitness tracker data may affect your health insurance.
Employment — background checks drawing on data broker profiles. Social media screening.
Political targeting — Cambridge Analytica was the famous case; micro-targeting based on psychological profiles derived from data is now standard in political campaigns globally.
Identity theft — data breaches expose profiles that enable fraud. 2024 saw breaches at AT&T (73 million records), Ticketmaster (560 million), and dozens of healthcare providers.
Stalking and harassment — people-search sites (Spokeo, BeenVerified, Whitepages) make personal information accessible to anyone willing to pay $20/month.
What you can actually do
Immediate (today)
Browser settings:
- Use Firefox or Brave (stronger default privacy than Chrome)
- Install uBlock Origin (blocks trackers and ads)
- Enable “Do Not Track” and Global Privacy Control signals
- Clear cookies regularly or use containers (Firefox Multi-Account Containers)
Search:
- Switch to DuckDuckGo or Startpage (no search history profiling)
- Use Google account settings to auto-delete activity after 3 months
Email:
- Use a unique email alias for each service (Firefox Relay, SimpleLogin, or Apple’s Hide My Email)
- This limits cross-service tracking via email matching
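Why per-service aliases break email matching, shown as an added example that is not from the original article: records from three services are joined on a normalized email address, first with one real address and then with a separate alias per service. The normalization rules, the records and the alias strings are constructed assumptions; the example goes slightly beyond the text by showing that "+tag" variants of one address still match.

```python
def normalize(email):
    """Canonicalize an address the way a matcher might (assumed rules):
    lowercase, drop any +tag, and ignore dots for gmail.com mailboxes."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain == "gmail.com":
        local = local.replace(".", "")
    return f"{local}@{domain}"

def link_profiles(*datasets):
    """Group records from several sources by normalized email.
    Returns only the addresses that appear in more than one source."""
    merged = {}
    for source, rows in datasets:
        for row in rows:
            attrs = {k: v for k, v in row.items() if k != "email"}
            merged.setdefault(normalize(row["email"]), {})[source] = attrs
    return {key: srcs for key, srcs in merged.items() if len(srcs) > 1}

# Constructed records: one person signing up at three services with
# variants of the same mailbox.
SAME_ADDRESS = [
    ("pharmacy", [{"email": "Jane.Doe@gmail.com", "purchase": "allergy medication"}]),
    ("retailer", [{"email": "janedoe+shop@gmail.com", "zip": "00000"}]),
    ("news",     [{"email": "janedoe@gmail.com", "topic": "local politics"}]),
]

# The same signups using one relay alias per service (made-up aliases).
PER_SERVICE_ALIAS = [
    ("pharmacy", [{"email": "q7k2m@relay.example", "purchase": "allergy medication"}]),
    ("retailer", [{"email": "x9p4t@relay.example", "zip": "00000"}]),
    ("news",     [{"email": "b3v8c@relay.example", "topic": "local politics"}]),
]

if __name__ == "__main__":
    print(link_profiles(*SAME_ADDRESS))       # one merged profile, three sources
    print(link_profiles(*PER_SERVICE_ALIAS))  # nothing to join on
```

Aliases remove only the email join key; a shared phone number, device ID or name can still link the same records.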
Phone:
- Review app permissions — disable location for apps that do not need it
- Use iOS App Tracking Transparency (deny tracking requests)
- Disable ad personalization in Google and Apple settings
Moderate effort (this week)
Password security:
- Use a password manager (Bitwarden, 1Password) — see our passkeys guide
- Enable two-factor authentication on all important accounts
- Unique password for every service (prevents breach cascade)
Data broker opt-out:
- Submit removal requests to major brokers: Acxiom, Experian, Oracle, Spokeo, BeenVerified
- Use DeleteMe or Privacy Duck (paid services that automate opt-outs)
- Repeat quarterly — brokers re-add data
Social media audit:
- Review privacy settings on Facebook, Instagram, TikTok, LinkedIn
- Limit profile visibility to friends/connections
- Disable facial recognition where offered
- Download your data (every platform offers this) to see what they have
Significant effort (ongoing)
VPN — encrypts traffic between your device and the internet. Useful on public Wi-Fi. Does not prevent tracking by logged-in services. Choose a no-log VPN (Mullvad, ProtonVPN).
Encrypted messaging — Signal for sensitive communications. WhatsApp uses Signal’s protocol but metadata is collected by Meta.
Encrypted email — ProtonMail or Tutanota for email that cannot be scanned for advertising.
Minimize digital footprint — fewer accounts, fewer apps, fewer loyalty programs. Every account is a data collection point.
What legislation does (and doesn’t)
GDPR (EU, 2018) — requires consent for data collection, right to deletion, data portability. The global gold standard. Fines up to 4% of global revenue for violations.
CCPA/CPRA (California, 2020/2023) — right to know what data is collected, right to deletion, right to opt out of sale. Other U.S. states are following (Virginia, Colorado, Connecticut, Texas).
What legislation doesn’t do:
- Apply uniformly globally (U.S. has no federal privacy law as of 2026)
- Stop first-party data collection (only regulates sharing and sale)
- Make opting out easy (dark patterns in privacy settings are common)
- Address data already collected and sold
- Regulate inferred data (profiles created from behavior, not direct input)
The honest reality
Perfect privacy online is not achievable while using mainstream services. Google, Apple, Meta, and Amazon are infrastructure — opting out entirely means opting out of significant portions of modern life.
The goal is not perfection. It is proportionality — reducing unnecessary exposure, understanding tradeoffs, and making informed choices about which services deserve your data.
Every privacy improvement is a step. Switching search engines takes five minutes. Installing uBlock Origin takes two. Reviewing app permissions takes fifteen. These compound.
The deeper question
Your data is valuable. Companies extract billions from it annually. You receive “free” services in exchange — services whose quality, safety, and societal impact are increasingly questioned.
The privacy conversation is ultimately about power: who controls information about you, who profits from it, and whether you have meaningful choice in the exchange.
Regulation is slowly shifting power back toward individuals. Technology (encryption, passkeys, decentralized alternatives) offers tools. But awareness — understanding that the product is you, and that every click generates data someone is selling — is the foundation everything else builds on.
You cannot opt out of the data economy entirely. You can stop pretending it is not happening.
That is the first step. The tools above are the second. Both are available now.
Lumen is edited by Leo Hartmann.