Inference, Abuse, and the Limits of Privacy Law

    Introduction

    Brokering Safety identifies a failure of privacy law: the tendency to allocate responsibility to individuals through opt-out and deletion rights, even as informational harm is generated by distributed systems capable of reconstructing, predicting, and targeting individuals over time.[1] The Article’s central contribution is its refusal to explain this failure in terms of individual shortcomings. Privacy self-management does not fail because people exercise their rights poorly. It fails, the Article shows, because the law has assigned them a task that the architecture of the data broker ecosystem made impossible. By grounding its critique in system design, Brokering Safety reframes the problem at the right level of analysis and points toward a corresponding solution: redistribution of responsibility from individuals to the institutional actors who generate exposure at scale.

    This comment builds on a mechanism in the Brokering Safety analysis. The Article organizes its critique around the concept of obscurity (the difficulty of locating and using personal information about someone) and argues that broker systems undermine this condition systematically.[2] That framing is more productive than the input-centric model that grounds privacy harm in the disclosure of particular data points. Obscurity, as Brokering Safety deploys it, is a systemic concept. That leaves room to identify the mechanism by which the broker ecosystem destroys obscurity even after records are nominally removed.

    That mechanism is inference: the capacity of distributed systems to generate reliable, actionable knowledge about individuals by aggregating and recombining incomplete, loosely related data.[3] This mechanism strengthens the centralized obscurity proposal by clarifying that the inadequacy of existing regimes reflects a category error: regulating transactions in data rather than the production of knowledge.

    I.  The Critique of Privacy Self-Management Succeeds Because It Is Grounded in System Design

    Brokering Safety, rather than explaining exposure as a product of inattention, bounded rationality, or notice fatigue (common in critiques of consent regimes), treats privacy self-management as a governance structure that cannot succeed given the institutional and technical features of the data broker ecosystem.[4] Its failure lies in the mismatch between the regulatory task and the actor assigned to perform it.[5]

    Prevailing privacy doctrine draws heavily on individual-rights frameworks that treat individuals as the right point of control.[6] When privacy protections fail, doctrine tends to respond with adjustments that leave the underlying allocation of responsibility untouched.[7] Brokering Safety positions victims of brokered abuse as actors confronting a system that is not governable through individualized choice. In doing so, the Article avoids attributing harm to individual failures and targets the allocation of responsibility itself.

    This reframing exposes a broader feature of privacy law: the orientation toward discrete informational inputs rather than their aggregation or outputs. Privacy law is organized around the regulation of particular data points (names, addresses, phone numbers, identifiers). Rights are triggered by collection or disclosure of particular items of data, and compliance is measured by whether those items were properly noticed, consented to, or deleted.[8] This orientation reflects a transactional model in which the appropriate remedy is to give individuals control over those transactions.[9] The model works tolerably well when the relationship between a specific disclosure and a specific harm is linear and traceable. It fails when harm is produced, beyond any particular transaction, by the integrative capacity of a distributed system that continuously reassembles information from public records, commercial sources, and inferred associations.[10]

    The problem is not that victims fail to identify every broker, comply with every procedure, or monitor every resurfacing of their data. The problem is that the law has designed privacy protection as a personal management task in an environment where management is impossible.[11] The broker ecosystem makes this impossibility visible. Opt-out mechanisms operate at the level of discrete entities and discrete datasets, while the conditions of harm are produced at the level of the system as a whole. Responsibility is distributed downward, while the entities that generate exposure at scale remain largely unburdened by ongoing obligations.[12] Brokering Safety reverses this distribution on grounds of institutional design.

    II.  Obscurity and Inference

    Brokering Safety frames the harm in terms of the destruction of obscurity (the erosion of conditions under which personal information is practically difficult to find and use).[13] That framing works better than an exposure-based model because obscurity is a systemic concept. It asks not whether any particular datum has been released but whether a person can be located and targeted. A victim’s address may be outdated, her phone number disconnected, or her workplace changed. But the broker ecosystem remains effective regardless because it relies on aggregation, linkage, and inference from fragmentary and loosely related data.[14] The system’s integrative capacity destroys obscurity.

    The obscurity framework, on this reading, points toward the mechanism that generates harm. Brokering Safety describes the broker ecosystem as enabling abusers to reconstruct a target’s personal history, locate their current whereabouts, or predict their movements, and notes that machine learning models enable brokers to infer new data points from existing datasets.[15]

    While the condition at stake is obscurity, the mechanism that undermines it is inference. Inference gives distributed systems the capacity to generate sufficiently reliable, actionable knowledge about an individual to support targeting, surveillance, or manipulation, even in the absence of comprehensive or accurate data. This capacity destroys obscurity.

    Exposure also reduces obscurity, but it is neither necessary nor always sufficient. Exposure is not necessary because inferences can be generated without continuous access to accurate, current personal data. Even after a victim’s direct identifiers have been removed from databases she knows about, associations with family members, prior residences, employment records, and device-location signals may allow an abuser to reconstruct her probable location. Nor is exposure always sufficient: the existence of personal information in a database does not itself produce harm. And a phone number buried in an archival record poses a different risk than a continuously refreshed profile that integrates contact information, social connections, and location signals. The latter is dangerous because it makes a person legible to strangers with minimal effort.

    To be clear, inferences are also not the exclusive pathway to harm. An exposure, such as an abuser finding a current address on a broker site, can be sufficient in some circumstances. But exposure-based harms are at least legible to existing privacy law, even if it addresses them inadequately. Inference-based harms are not. Inference produces harm without any new disclosure by the targeted individual. A stalker need not know a victim’s current address if a system can reconstruct her probable location from device-location signals, images, or social media data posted by others. The harm, in other words, is produced by the system’s capacity to reconstruct.

    Individual control is doubly inadequate in this environment. Individuals cannot observe or anticipate every inference drawn from their data, and they also cannot neutralize the inferential capacity of a system by managing their own records.[16] Inferential capacity is derived from population-level patterns: regularities in data from many people, not from any single person’s records.[17] So even a comprehensive deletion of one person’s records leaves the underlying predictive capacity. Asking individuals to manage their own privacy in this environment misidentifies the source of risk.

    Privacy law’s focus on controlling inputs rather than outputs breaks down here. Opt-out and deletion rights presume that privacy harm can be mitigated by removing discrete items of personal information from circulation. Opt-out is treated as harm prevention and deletion as harm remediation. Both rest on the assumption that controlling the presence or absence of specific data points meaningfully constrains the downstream uses of information about an individual.[18] That assumption does not hold. Opt-out mechanisms ask whether a broker continues to sell a particular profile but leave open whether the broker or others in its supply chain can still reconstruct the person to whom that profile refers. Deletion similarly operates on records, but harm is produced through inference. As long as brokers can recombine adjacent data, draw probabilistic inferences, or acquire functionally equivalent information from parallel sources, compliance with deletion rights fails to operate as a substantive protection.

    This happens because opt-out and deletion rights regulate transactions in data, not the production of knowledge. They assume a linear flow from collection to disclosure to harm and intervene at discrete points along that path. But the broker ecosystem is recursive: Information removed from one node reappears through another and information in people’s profiles regenerates through correlation even when it is not replicated.[19] Even if the law protects inferences, which it often does not, deletion would have to be continuously reasserted against a constantly replenished data supply, with victims required to monitor across time and across actors.

    III.  Making Inference Explicit Adds to the Proposal

    The centralized obscurity proposal in Brokering Safety already accounts for inference in its design, even without naming it as such.[20] The proposal’s ongoing obligation structure (requiring brokers to monitor for reappearance rather than process one-time deletion requests) reflects a recognition that inference regenerates unless actively constrained. The cascading notification requirement reflects a recognition that inferential capacity is distributed across a supply chain and does not remain localized in individual databases. The deidentification standard (requiring that data be irreversibly unlinkable and incapable of reidentification through direct or indirect methods) is best understood as a response to inference beyond disclosures. It asks whether the system retains the capacity to reconstruct.[21] Making the inference mechanism explicit sharpens the diagnostic logic and the standard of care.

    On the diagnostic side, inference being the mechanism explains why existing regimes have a category error, not an enforcement failure. The problem is not that deletion requests are too infrequent, penalties too low, or compliance rates insufficient (although each of those may also be true). The problem is that deletion of records does not disrupt inferential capacity. A broker system that complies with deletion obligations can still generate reliable knowledge about a victim by drawing on adjacent data: family records, cohabitation patterns, employment data, transaction histories, and location signals derived from devices and applications. The proposal’s ongoing obligation design does not just escalate ordinary data deletion rights; it is the appropriate response to a different type of harm that arises from knowledge capacity.

    On the prescriptive side, the inference frame supports extending the Article’s proposed standard of care. The Article’s proposal already requires brokers to identify and suppress indirect data through clustering techniques and to notify supply-chain participants when a dataset contains records about a registered victim.[22] These requirements make sense as responses to inference: They target the records that directly identify a victim as well as the associational and behavioral data that would enable reconstruction. So the inference frame clarifies the threshold they must meet. The standard asks whether the system’s integrative capacity has been constrained beyond the presence or absence of identifiers.

    Inferences need not be accurate to be harmful. And they can be harmful in two ways. First, erroneous inferences can generate actionable leads for an abuser willing to investigate each one. A broker system that associates a victim with an incorrect address, a former partner’s workplace, or an outdated phone number still narrows the search. The abuser who receives five candidate addresses, one of which is correct, faces a lower practical barrier than the abuser who has none.

    Second, erroneous inferences can inflict independent harm precisely because they are wrong. A system that incorrectly infers a person’s abortion history, HIV status, or substance-abuse treatment from behavioral and transactional data generates a representation that can be weaponized by an abuser (or by anyone else) regardless of its falsehood.[23] In contexts where reproductive decisions carry legal or social exposure or where health status carries stigma, for example, the false inference, far from uninformative noise, is a new source of vulnerability.[24]

    Whether erroneous inferences reduce obscurity as Brokering Safety defines it depends on how the concept is specified. In Hartzog and Selinger’s formulation, obscurity is a function of findability (i.e., how hard it is to locate and access information about someone).[25] On that reading, a wrong inference about a victim’s location does not reduce her obscurity in the technical sense; it produces a false signal. And a wrong inference about her abortion history does not make her easier to find at all. But Brokering Safety deploys obscurity in a more operational register, oriented toward whether a person can be targeted rather than whether she can be accurately described. Under that framing, erroneous inferences that generate investigative leads could be seen as reducing obscurity, even through trial and error, while erroneous inferences that generate vulnerability operate through a different harm pathway than obscurity. This suggests that the standard of care should extend, at minimum, to inaccurate inferences of the first type, and that regulatory frameworks will need to account for inferential harms that fall outside the obscurity paradigm in different ways.

    The concern about abusers who are intimately familiar with their victims (and who can therefore exploit contextually limited data) is ultimately a concern about individualized inference.[26] A sophisticated abuser requires less information to achieve reliable reconstruction than general-population re-identification analyses would predict because the adversary already knows the victim’s social network, prior residences, and behavioral patterns. Deidentification standards calibrated to general-population baselines will be insufficient in that context. The Article’s proposal (requiring deidentification that is robust against the most dedicated and sophisticated abusers) is the right answer to the threat that individualized inference poses.

    The inference frame also situates brokered abuse within a broader class of informational harms that share the same structure: harm generated by the capacity to reconstruct and act upon individuals and groups. Systems that produce deepfakes, predictive risk scores, or behavioral profiling operate on a similar logic.[27] In each case, these systems produce representations that can be used to target a person, regardless of whether those representations reflect the individual’s direct disclosures or verified facts. A deepfake does not require exposure of new personal information; it requires enough material to plausibly reconstruct a person’s appearance or voice from existing sources. The broker ecosystem and the synthetic media ecosystem both generate inferential capacity about individuals through channels that carry no meaningful accountability for the harm produced.[28]

    Privacy governance adequate to these harms requires constraining inferential capacity at the institutional level. This means, as Brokering Safety illustrates, imposing ongoing duties of restraint on inference-producing systems, requiring review and challenge mechanisms for inferential outputs, and limiting the uses of reconstructed representations.[29]

    Conclusion

    Brokering Safety destabilizes assumptions that make an unworkable regime appear adequate. With a critique grounded in institutional design, it exposes the misalignment between where privacy law places responsibility and where the conditions of harm are actually produced. Its centralized obscurity proposal targets that misalignment: it shifts ongoing obligations to the entities that generate inferential capacity at scale, rather than asking individuals to contest the outputs of a system they cannot observe.

    The inferential mechanism explains why opt-out and deletion rights are insufficient. It grounds the Article’s ongoing obligation design in an account of why harm regenerates. And it situates brokered abuse within a broader class of privacy problems (those generated by synthetic media, predictive systems, and probabilistic profiling) that share the same structure: harm produced by reconstructive and predictive capacity.

    What is true of data brokers is also true elsewhere. Effective privacy governance requires shifting attention from whether data has been removed to whether systems retain the power to reconstruct, target, and act upon individuals and groups despite formal compliance. Brokering Safety advances this shift.



    Copyright © 2026 Ignacio Cofone, Professor of Law and Regulation of AI, University of Oxford, Faculty of Law and Institute for Ethics in AI.

    [1] Chinmayi Sharma, Thomas E. Kadri & Sam Adler, Brokering Safety, 114 Calif. L. Rev. 479 (2026).

    [2] See generally Neil M. Richards & Woodrow Hartzog, The Pathologies of Digital Consent, 96 Wash. U. L. Rev. 1461 (2019) (arguing that consent-based frameworks systematically fail to constrain data practices); Stacy-Ann Elvy, Paying for Privacy and the Personal Data Economy, 117 Colum. L. Rev. 1369 (2017) (examining the commodification of personal data and its consequences for consumer autonomy); Ari Waldman, Privacy’s Rights Trap, 117 Nw. U. L. Rev. Online 88.

    [3] Sharma, Kadri & Adler, supra note 1, at 481, 493–98.

    [4] Sharma, Kadri & Adler, supra note 1, at 493; Daniel J. Solove, Privacy Self-Management and the Consent Dilemma, 126 Harv. L. Rev. 1880 (2013); Daniel J. Solove, Murky Consent: An Approach to the Fictions of Consent in Privacy Law, 104 B.U. L. Rev. 593 (2024).

    [5] Richards & Hartzog, supra note 2; Solove, supra note 4.

    [6] See generally Daniel J. Solove, The Limitations of Privacy Rights, 98 Notre Dame L. Rev. 975 (2023).

    [7] Thomas E. Kadri, Brokered Abuse, 3 J. Free Speech L. 137 (2023); Sharma, Kadri & Adler, supra note 1, at 490–93.

    [8] See Solove, supra note 6; Woodrow Hartzog, What Is Privacy? That’s the Wrong Question, 88 U. Chi. L. Rev. 1677, 1683 (2021).

    [9] Ignacio Cofone, The Privacy Fallacy: Harm and Power in the Information Economy 11–19 (2023).

    [10] Sharma, Kadri & Adler, supra note 1, at 490–93.

    [11] Solove, supra note 6; Cofone, supra note 9, at 46–58.  

    [12] Ari Ezra Waldman, Privacy Law’s False Promise, 97 Wash. U. L. Rev. 773 (2020) (showing that formal compliance with data-point-level obligations fails to deliver substantive protection); Neil M. Richards & Woodrow Hartzog, Taking Trust Seriously in Privacy Law, 19 Stan. Tech. L. Rev. 431 (2016); Sharma, Kadri & Adler, supra note 1, at 104, 135.

    [13] Sharma, Kadri & Adler, supra note 1, at 490; see also Woodrow Hartzog & Evan Selinger, Surveillance as Loss of Obscurity, 72 Wash. & Lee L. Rev. 1343 (2015).

    [14] See Alicia Solow-Niederman, Information Privacy and the Inference Economy, 117 Nw. U. L. Rev. 357 (2022); Danielle Keats Citron & Daniel J. Solove, Privacy Harms, 102 B.U. L. Rev. 793 (2022).

    [15] Sharma, Kadri & Adler, supra note 1, at 490–92.

    [16] See Cofone, supra note 9, at 89–97.

    [17] See Salomé Viljoen, A Relational Theory of Data Governance, 131 Yale L.J. 573 (2021).

    [18] Waldman, supra note 12 (documenting how corporate compliance practices hollow out privacy law’s substantive protections); Elvy, supra note 2 (documenting how data economies operate beyond the reach of individual transactional controls).

    [19] Sharma, Kadri & Adler, supra note 1, at 490, 493–94.

    [20] Sharma, Kadri & Adler, supra note 1, at 499–502.

    [21] Sharma, Kadri & Adler, supra note 1, at 501–02, 524.

    [22] Sharma, Kadri & Adler, supra note 1, at 515–18, 520–24.

    [23] See Solow-Niederman, supra note 14, at 361–62, 388–95; Daniel J. Solove, Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data, 118 Nw. U. L. Rev. 1085, 1099–1106 (2024).

    [24] See generally Jolynn Dellinger & Stephanie Pell, Bodies of Evidence: The Criminalization of Abortion and Surveillance of Women in a Post-Dobbs World, 19 Duke J. Const. L. & Pub. Pol’y 1 (2024).

    [25] Woodrow Hartzog & Frederic Stutzman, The Case for Online Obscurity, 101 Calif. L. Rev. 1, 5, 13–17 (2013).

    [26] Sharma, Kadri & Adler, supra note 1, at 524; Kadri, supra note 7.

    [27] See Robert Chesney & Danielle Keats Citron, Deep Fakes: A Looming Challenge for Privacy, Democracy, and National Security, 107 Calif. L. Rev. 1753 (2019); Michael P. Goodyear, Dignity and Deepfakes, 57 Ariz. St. L.J. 931 (2025); Margot E. Kaminski, Binary Governance: Lessons from the GDPR’s Approach to Algorithmic Accountability, 92 S. Cal. L. Rev. 1529 (2019).

    [28] Chesney & Citron, supra note 27; Solow-Niederman, supra note 14; Sharma, Kadri & Adler, supra note 1, at 481, 490.

    [29] See generally Kaminski, supra note 27 (proposing accountability mechanisms for algorithmic systems that operate beyond individual data transactions); Viljoen, supra note 17 (arguing that data governance must account for population-level dynamics rather than individual control over discrete records).
