Imagine ordering a pizza online. You’re hungry, tired, and one click away from cheesy satisfaction. Except the app wants your location, your browsing history, your Spotify playlist, and your mother’s maiden name. All for “order optimization.”
Sound ridiculous? It’s not. It’s business as usual in the world of data brokers.
In today’s data economy, consumer data is currency, and data brokers are the stock market. But while consumers increasingly demand transparency and control, corporate privacy practices don’t always match those expectations. That disconnect is growing more visible, more urgent, and, thanks to new research from TrustArc, more quantifiable than ever.
Download the research report to get detailed insights from 600 global respondents on the state of data sharing, consent, and third-party risk.
This article explores the contrasting perspectives of consumers and companies when it comes to the collection, sharing, and sale of personal data. It dives deep into awareness, behaviors, business practices, and regulatory readiness, offering actionable insights for professionals who want to build privacy programs that inspire trust, not backlash.
The privacy awareness revolution (and its limits)
In TrustArc’s 2025 Privacy Pulse Survey of 300 consumers and 300 privacy professionals across North America and Europe, 75% of consumers reported being aware that data brokers can sell their personal data, often without explicit consent. That’s not a niche concern anymore; that’s mainstream awareness.
Yet awareness doesn’t always translate into action. Of those aware consumers, only 64% have taken steps to protect their data, while 11% remain unaware and inactive. Even more telling: people who are aware of data brokers are more than twice as likely to adjust their privacy settings and opt out of data sales compared to those who aren’t.
Top three consumer actions to protect data:
- Adjusting privacy settings (45%)
- Opting out of data sharing/sales (37%)
- Using browser extensions to block tracking (25%)
These are encouraging trends but not complete solutions. Many consumers still feel overwhelmed or powerless in the face of complex tracking systems and hidden sharing arrangements. In other words, “they know cookies aren’t just chocolate chip, but they still don’t know what they’re consenting to.”
Watch the full webinar on-demand to hear firsthand from TrustArc and Golfdale Consulting about these findings and how businesses can respond.
Corporate vetting: Good intentions, incomplete execution
On the flip side, most businesses aren’t asleep at the privacy wheel. According to the research, 64% of organizations have implemented vendor assessments throughout their supply chains. Not surprisingly, those with robust vendor vetting score significantly higher on the TrustArc Global Privacy Index (69%) than those who haven’t (28%).
But here’s the twist: fewer than half of companies conduct direct assessments or audits of their third-party vendors’ consent practices. In a digital landscape full of regulatory traps and reputational risks, this is like checking your parachute’s straps but not the ripcord.
Common business practices include:
- Requiring proof of consumer consent (69%)
- Including consent and compliance in contracts (63%)
- Relying on industry certifications (58%)
- Conducting due diligence (66%)
- Auditing third-party practices (45%)
The underlying issue? Many companies have formal privacy policies, but many aren’t applied consistently. 28% admit their policy isn’t regularly enforced, which raises a thorny question: If compliance is optional, is it really compliance?
If compliance is optional, is it really compliance?
Consent fatigue or consent failure?
Consumers want clarity, not fine print. According to the survey:
- 66% want to be notified when companies acquire their data from third parties.
- 91% support stricter regulations on data broker activities.
Yet companies still struggle with the basics: communicating clearly, confirming informed consent, and updating their policies to reflect real behavior—not just aspirational statements. Some professionals rely on third parties to inform consumers, but this creates a chain of accountability that’s only as strong as its weakest (or most opaque) link.
TrustArc’s experts recommend a different approach: make consent obvious.
Transparency isn’t just about disclosures. It’s about plain language, consistency, and building in frictionless user controls. As the FTC has clarified, “anonymous data” is essentially a myth when de-anonymization techniques are a few algorithms away.
Want to dig deeper into what professionals say they’re doing to manage consent?
Download the report for breakdowns of policies, communication tactics, and regulatory preparedness by region.
Regulation readiness: A tale of two continents
While the U.S. still lacks a comprehensive federal privacy law, state-level legislation is gaining ground. California, Colorado, Virginia, and Minnesota (yes, Minnesota) have passed privacy laws with teeth, including rights to challenge automated profiling decisions.
And companies are taking note:
- 64% of businesses said they are “mostly” or “completely” prepared for regulations like the CCPA.
- US professionals are more likely than European ones to have a formal policy on using data brokers and to actively inform consumers (71% vs. 63%).
Rewatch the webinar to hear how geography shapes regulatory risk and why U.S. companies may take more aggressive action, even without a national privacy law.
Trust: The new currency
If there’s one message privacy professionals should tattoo on their strategy decks, it’s this:
“A mature approach to privacy builds brand trust.”
Consumers may tolerate some inconvenience, but they won’t tolerate betrayal. When companies go beyond checkbox compliance (implementing clear consent frameworks, verifying vendor practices, and empowering users with privacy controls), they signal something bigger than policy alignment: they show respect.
And respect breeds trust.
Guidance for privacy pros: What to do now
Want to avoid the “Black Mirror” version of your privacy program? Here’s where to focus:
1. Make rights real
Don’t bury opt-outs under seven clicks. Match your onboarding experience with an equally easy offboarding process.
2. Simplify transparency
Create a privacy hub or Trust Center centralizing all notices, certifications, and data subject rights info.
3. Audit your assumptions
Review and reconcile your posted policies against actual data practices. If they’re not aligned, fix them. Fast.
4. Choose consent first
Especially when dealing with non-public PII, lead with opt-in mechanisms. Build consent flows that are clear, contextual, and confirmed.
5. Invest in communication
Whether it’s through interactive voice response systems (IVRs), chatbots, or privacy-forward messaging, reinforce your brand’s commitment to protecting data.
What this means for the future of privacy governance
The future of privacy is about more than regulation. It’s about reputation. As AI systems learn from consumer data, and biometric identifiers get folded into everyday transactions, companies that default to consent, minimize data collection, and disclose clearly will be the ones that stand out.
Privacy professionals aren’t just risk mitigators anymore. They’re brand stewards, culture shapers, and trust architects.
So the next time your marketing team wants to collect every click, ask them this: “Would you still do it if you had to explain it on a billboard?”
That’s the mindset shift the privacy movement needs.
