The Opt-Out Maze Is Not a Bug. It Is the Business Model.
United States – February 28, 2026 – Congress says data-broker breaches cost Americans $20B-plus, and the opt-out maze sure looks intentional.
I have read enough government PDFs under fluorescent lights to recognize a slow-motion emergency. It smells like toner, stale coffee, and a phrase that should set off alarms in every town hall: consumers can opt out.
This week, the Joint Economic Committee minority tried to price the mess: more than $20 billion in consumer losses tied to identity theft stemming from just four major data-broker breaches. The report is blunt about the mechanics, too. Some brokers made it harder for people to find the very pages meant to let them say no.
A right you need a treasure map to use
The inquiry, led by Sen. Maggie Hassan, followed reporting that found data brokers using “no index” code to keep opt-out and deletion pages out of search results. Translation: the door existed, but somebody hid the sign. The map was printed in invisible ink.
The Committee minority says four firms engaged with staff and made changes that improved access to opt-out tools:
- Comscore
- IQVIA
- Telesign
- 6sense
One firm, Findem, did not respond and, per the report, had not removed the “no index” block from its opt-out page. Only 6sense told investigators it uses third-party auditors to assess both how visible opt-out options are and whether requests are actually being processed.
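An added example, not taken from the report or from any firm named in it: one way an auditor could check whether an opt-out page carries the "no index" instruction described above. It reads both the page's robots meta tags and the X-Robots-Tag response header; the function names, the list of crawler names, and the sample pages are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Crawler names treated as search-engine scoped (assumed, not exhaustive).
BOTS = {"robots", "googlebot", "bingbot"}
BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"
# Constructed sample pages, not taken from any real site.
HIDDEN_PAGE = '<head><meta name="robots" content="NOINDEX, nofollow"></head>'
VISIBLE_PAGE = '<head><meta name="robots" content="index, follow"></head>'


class _RobotsMeta(HTMLParser):
    """Collect directives from <meta name="robots|googlebot|..." content="...">."""

    def __init__(self):
        super().__init__()
        self.found = []  # (bot, directive) pairs

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        bot = a.get("name", "").strip().lower()
        if tag == "meta" and bot in BOTS:
            for d in a.get("content", "").split(","):
                self.found.append((bot, d.strip().lower()))


def header_directives(headers):
    """Parse X-Robots-Tag values, including the scoped 'googlebot: noindex' form."""
    out = []
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        bot = "robots"
        head, sep, rest = value.partition(":")
        if sep and head.strip().lower() in BOTS:
            bot, value = head.strip().lower(), rest
        out += [(bot, d.strip().lower()) for d in value.split(",")]
    return out


def noindex_findings(html, headers=()):
    """Return sorted 'source:bot:directive' strings that hide the page from search."""
    parser = _RobotsMeta()
    parser.feed(html)
    hits = [f"meta:{b}:{d}" for b, d in parser.found if d in BLOCKING]
    hits += [f"header:{b}:{d}" for b, d in header_directives(headers) if d in BLOCKING]
    return sorted(hits)
```

Fetching the page is left to the caller: pass the response body as `html` and the response headers as `(name, value)` pairs. An empty result means neither location tells search engines to skip the page.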
The number is big, and it is a floor
The $20 billion-plus estimate is not “all breaches everywhere.” It is built from four incidents the report identifies: Equifax (2017), Exactis (2018), National Public Data (2023), and TransUnion (2025), plus assumptions about how often identity theft follows and what typical financial loss looks like. In plain language, this is a floor, not a ceiling.
The Orwell check: when “opt-out” means “good luck”
We have invented a polite vocabulary for making rights difficult to use: “Privacy center.” “Manage your choices.” The report defines dark patterns as design choices that obscure privacy choices and make them difficult to access. That phrase is doing heroic work here, like calling a pickpocket a “pocket-transaction facilitator.”
Search engines are not a constitutional requirement. But discoverability matters. A right you cannot realistically locate mostly exists to calm regulators and exhaust consumers. If your deletion page requires a 9,000-word hike through a privacy notice, the intent is not compliance. It is attrition.
The Paine test, the liberty ledger, and the tradeoff
Run the Paine test: does this expand liberty or concentrate power? The data broker ecosystem concentrates it in firms that assemble dossiers at scale, buyers who can afford the feed, and criminals who only need a few leaked fields to turn a life into a fraud case. The liberty ledger is ugly: brokers get freedom to collect and resell sensitive personal information; ordinary people get breach notices, freezes, and a recurring subscription to proving you are yourself, with thin transparency about whether opt-outs actually work.
And the tradeoff we keep pretending is inevitable looks worse in the light. Everybody claims to be anti-fraud, yet the system makes it harder to remove the very data scammers use. The report also sets this inside the larger vacuum: the United States still lacks a comprehensive federal privacy statute, leaving a patchwork and uneven federal oversight, including a Consumer Financial Protection Bureau attempt to regulate certain data broker practices that was later rescinded.
So here is the question: if $20 billion from four breaches is what we can measure, what are we paying on the part we cannot?