The Surveillance Business Model
You are three weeks into buy-side due diligence on a mid-market technology target. The financials check out. The technology is promising. The team is solid. Your counsel has reviewed the standard representations and warranties. You are close to signing.
Then your privacy counsel comes back with a question nobody anticipated.
Did you know that the target's employee productivity data (keystroke logs, application usage patterns, meeting metadata, inferred engagement scores) has been commercially available through a data broker for the past three years? The target company didn't know. Their employment contracts didn't authorize it. The employees whose data is circulating have no idea.
You are now inheriting potential GDPR violations, CCPA exposure, and employee litigation risk that nobody priced into the deal.
This is not a hypothetical. This is the surveillance capitalism business model operating exactly as designed, and it is a liability you acquire along with the company.
The Business Model, Plainly Stated
Shoshana Zuboff, whose 2019 book gave surveillance capitalism its name, described the core mechanism precisely: the widespread collection and commodification of personal data by corporations, not as a side effect of their services, but as the primary economic logic. In 2025, she stated that AI is surveillance capitalism continuing to evolve and expand: not a new phenomenon, but the same mechanism running faster and at greater scale.
The mechanism has three moves. First, behavioral data is extracted from users, employees, and customers — often without meaningful disclosure and almost never with genuine informed consent. Second, that data is processed, enriched, and packaged into profiles. Third, those profiles are sold to anyone willing to pay: advertisers, insurers, credit agencies, background check companies, political campaigns, and increasingly, AI training pipelines.
The business model structurally rewards maximum extraction. A company collecting more data has more to sell. A company collecting less is leaving revenue on the table. The incentive is not privacy protection. The incentive is the opposite of privacy protection. This is not a failure of corporate ethics; it is a rational response to the economic structure. The problem is the structure.
For your organization, the practical question is not whether this is happening. It is: what data about your employees, your customers, and your acquisition targets is currently available for purchase, and what liability does that create?
What a Dossier Actually Contains
Data brokers compile profiles containing thousands of data points per individual. The sources include public records — property filings, court records, voter registration. They include social media activity, loyalty program purchase histories, website browsing behavior captured through cookies, and location data captured through mobile advertising IDs embedded in ordinary apps.
Mobile advertising IDs deserve specific attention because they represent a gap most organizations don't account for. These device identifiers (IDFA on iOS, GAID on Android) allow brokers to track users across applications without knowing their name or email address. A broker can hold an extensive behavioral profile tied only to a device identifier. When an employee or customer submits a deletion request using traditional identifiers, the MAID-linked records don't match and don't get deleted. The profile persists.
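As an added illustration (not from the article), the following Python sketches why a deletion request keyed on an email address leaves device-ID-keyed records in place, and how an identifier-linkage step closes that gap. The broker inventory and the linkage table are constructed sample data, not any real broker's records.

```python
# Added example: email-keyed deletion vs. linkage-aware deletion over a
# constructed broker inventory. All identifiers below are made up.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class BrokerRecord:
    record_id: str
    email: Optional[str]   # traditional identifier, may be absent
    maid: Optional[str]    # IDFA/GAID-style device identifier, may be absent
    segment: str

# Constructed inventory: two records carry an email, one is tied only to
# a device advertising ID, one belongs to someone else entirely.
INVENTORY = [
    BrokerRecord("r1", "a.employee@example.com", None, "financial vulnerability"),
    BrokerRecord("r2", "a.employee@example.com", "GAID-1111", "health inference"),
    BrokerRecord("r3", None, "GAID-1111", "location history"),
    BrokerRecord("r4", "other@example.com", "IDFA-2222", "political score"),
]

# Constructed identity-linkage table: device IDs observed together with an
# email (for example, from an app login event the broker ingested).
LINKAGE = {"a.employee@example.com": {"GAID-1111"}}

def delete_by_email(inventory: List[BrokerRecord], email: str) -> List[BrokerRecord]:
    """Naive deletion: only records that carry the email are removed."""
    return [r for r in inventory if r.email != email]

def resolve_identifiers(email: str, linkage: dict) -> set:
    """Expand an email into every identifier a deletion must cover."""
    return {email} | linkage.get(email, set())

def delete_linked(inventory: List[BrokerRecord], email: str, linkage: dict) -> List[BrokerRecord]:
    """Deletion that also removes records keyed only by linked device IDs."""
    ids = resolve_identifiers(email, linkage)
    return [r for r in inventory if r.email not in ids and r.maid not in ids]

def residual_records(inventory: List[BrokerRecord], email: str, linkage: dict) -> List[str]:
    """IDs of this person's records that survive an email-only deletion."""
    ids = resolve_identifiers(email, linkage)
    after = delete_by_email(inventory, email)
    return [r.record_id for r in after if r.maid in ids]
```

The residual check is the audit a deletion-request process should run: if it returns anything, the profile has not actually been removed.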
The categories being sold are specific enough to be disturbing. Privacy Rights Clearinghouse documentation of broker inventories includes profiles tagged “economically anxious elders,” “frequent purchasers of pregnancy kits,” financial vulnerability indicators, health condition inferences, and political affiliation scores. These are not marketing segments in the abstract. They are detailed commercial profiles of real people, sold without those people’s knowledge.
The Work Number, an Equifax subsidiary, holds 535 million active and historical employment records sourced from 2.5 million contributing employers. Salary data. Healthcare information. Parental leave status. Employment history. Per Duke University's Technology Policy Lab research, one Fortune 500 company reported sharing employee data with The Work Number weekly, including Social Security numbers, with no employee consent required and in some cases using unsecured transmission channels. The employer may not even know the data is being resold downstream. The employee almost certainly doesn't.
The AI Training Acceleration
In January 2025, Meta updated its Terms of Service to expand the commercial license users grant when they post content. The updated terms explicitly reference developing technologies like artificial intelligence and machine learning. U.S. users have no opt-out mechanism. AI training using user data began May 27, 2025, for users who had not exercised the EU/UK opt-out that American users are not offered.
In April 2026, Meta announced the deployment of new tracking software — the Model Capability Initiative — on U.S. employees’ computers. Per Meta CTO Andrew Bosworth, the vision is one where AI agents primarily perform work tasks and human employees direct, review, and help them improve. To build those agents, the system captures keystrokes, mouse movements and clicks, occasional screenshots, and activity on work-related applications.
A German court ruled in May 2025 that Meta may use public Facebook and Instagram data for AI training, dismissing emergency legal challenges. The regulatory and legal frameworks have not kept pace with the deployment.
The implication for M&A due diligence is direct: if you are acquiring a company with significant social media presence, a large user base, or a workforce subject to productivity monitoring, you need to ask whether that content and behavioral data is currently being used to train AI models — internal or external — and whether the consent frameworks in place actually cover that use. In most cases, they do not.
What Happens When Nobody Looks
The Yahoo/Verizon transaction is the canonical case study for data liability in M&A, and it is worth reviewing in specific terms because the numbers are concrete.
Verizon agreed to acquire Yahoo for $4.5 billion in 2016. During due diligence, Yahoo’s concealment of two major data breaches affecting approximately three billion accounts was discovered. The outcome: sale price reduced by $350 million, Yahoo paid more than $100 million in SEC fines and class action settlements, and the reputational damage to both parties persisted for years.
More recent cases produce similar patterns. An undiscovered data breach in a hotel chain acquisition led to approximately $1.5 billion in fines and class action liability post-close. A cloud payment platform acquisition priced at more than $200 million resulted in post-close shutdown of the target after data security issues were discovered that due diligence had missed. An aircraft parts manufacturer saw its purchase price fall from $650 million to $420 million — a 35% reduction — after data security problems surfaced during the process.
These are not edge cases. Per multiple M&A privacy counsel assessments, data compliance problems are now a primary driver of purchase price adjustments, deal restructuring, and outright deal failure. The research is explicit: data assets found to be severely non-compliant can affect transaction structure, affect valuation, or become a deal breaker entirely.
The liability transfers with the acquisition. Post-close, the buyer inherits the target’s GDPR violations, their consent framework gaps, their undisclosed data sharing arrangements, and their unresolved regulatory exposure. GDPR maximum fines reach €20 million or 4% of global annual turnover. Those fines do not care that the acquiring company didn’t know about the violations before closing.
The Regulatory Floor Is Rising
California’s privacy regulator established a significant precedent in late 2025: when a data broker turns scattered public records into a searchable profile, that profile becomes subject to California privacy law. The argument that “it’s public data so privacy law doesn’t apply” is no longer available. Aggregation itself creates regulated personal information.
Beginning in 2026, California's statewide Delete Request and Opt-Out Platform (DROP) allows consumers to submit a single request that every registered data broker must honor. Violations carry fines of $200 per day for failing to register and $200 per day per consumer for deletion failures. The enforcement mechanism is operational.
The EU AI Act, as we examined in the previous piece of this series, introduces compliance obligations for high-risk AI systems beginning in August 2026. Training data provenance (whether data was properly licensed, whether consent covered AI training uses, whether cross-border transfer requirements were met) will be a regulatory question with teeth, not merely a due diligence checkbox.
The regulatory floor is rising faster than most organizations' compliance programs can keep up. The companies that will face the most significant exposure are the ones that treated data governance as a legal formality rather than a business function, and the acquirers who didn't look carefully enough to find out.
The Questions That Need Answers Before Close
Per my experience conducting OSINT-based due diligence for M&A engagements, the data governance questions that surface most often as post-close surprises are the ones that weren’t asked at all during the process, not the ones that got incomplete answers.
The questions that need to be asked before close, specifically:
What personal data does the target collect, from whom, and under what disclosed legal basis? This covers employees, customers, users, and contractors. Does the answer include behavioral telemetry, productivity monitoring data, or AI training data?
Which data brokers, analytics vendors, or AI training partners receive target data? Are the contracts with those third parties compliant with applicable privacy regulation, including data processing agreements and purpose limitation clauses?
Is user-generated content or employee behavioral data being used to train AI models, internal or external? Do the consent mechanisms that were in place when that data was collected explicitly cover AI training uses? Almost certainly not, if the consent frameworks predate 2023.
Has the target experienced data breaches, privacy complaints, or regulatory inquiries? What was the remediation cost and what ongoing exposure remains?
Does the acquisition agreement include AI-specific representations and warranties, indemnification for pre-closing privacy violations, and escrow or holdback provisions for potential regulatory remediation costs?
These are not hypothetical risk management questions. They are the specific questions the Yahoo/Verizon transaction should have settled as standard practice for every acquisition that followed. In many organizations, they still aren’t being asked.
The Structural Problem
The surveillance business model doesn’t produce these outcomes because the companies operating it are malicious. It produces them because the incentive structure rewards maximum data extraction and penalizes restraint. A company that collects less data, shares less with third parties, and maintains tighter consent frameworks is leaving commercial value on the table relative to a competitor that does the opposite.
This is the mechanism Marx identified in a different context, operating in a different industry, with the same structural logic: the economic incentives built into the system produce outcomes that are rational for the individual actor and damaging in aggregate. The companies selling employee data to brokers without meaningful employee consent are not making an ethical choice. They are making an economically rational one inside a system that has not yet imposed sufficient costs on that behavior to change it.
The regulatory floor rising in California and Europe is an attempt to impose those costs. Whether it will move fast enough to matter, given the governance lag we examined in the previous piece, is an open question. What is not an open question is whether organizations running due diligence on acquisition targets can afford to treat data governance as a checkbox rather than a valuation driver.
The data is there. The profiles are being sold. The liability transfers at close.
The only question is whether you find it before or after you sign.
Next in The Familiar Fire: The Attacker’s Productivity Revolution — how AI industrialized phishing, automated credential theft, and handed nation-states an OSINT capability that makes the due diligence risks in this piece look manageable by comparison.