
$21 billion. That’s what just four data broker breaches have cost American consumers in identity theft losses, according to a report released last week by the U.S. Congressional Joint Economic Committee.
Hundreds of millions of people exposed. Sensitive financial data harvested, sold, and leaked by companies most people have never heard of. And the proposed solution? Easier opt-out buttons.
This is not a technology failure. It is a design failure. The entire Web2 data model is built on centralized aggregation, where companies collect, store, and monetize your personal information in massive honeypots that are irresistible targets for hackers and criminal syndicates.
The real fix is not better opt-out pages. It is a fundamentally different architecture, one where users control their own data and privacy is built in at the protocol level.
That architecture exists today. And COTI is building it.
What Congress Found
The Joint Economic Committee report, led by Senator Maggie Hassan, examined four major data broker breaches over the past decade:
Equifax (2017): 147 million people exposed
Exactis (2018): 230 million people exposed
National Public Data (2023): 270 million people exposed
TransUnion (2025): 4.4 million people exposed
The committee estimated that roughly 30% of breach victims experience identity theft, with a median financial loss of around $200 per victim. That adds up to $20.9 billion in total consumer losses from these four incidents alone.
These are not edge cases. These are the largest data aggregators in the world, and they failed to protect the most basic personal information of hundreds of millions of people.
The Web2 Data Model is Broken
Data brokers operate on a simple premise: collect as much personal data as possible, then sell it. Names, addresses, financial records, browsing habits, and health information are all gathered, packaged, and traded between companies that most consumers never interact with directly.
This model creates massive centralized databases that become high-value targets. When one of these honeypots is breached, the damage is catastrophic and irreversible. You can change a password. You cannot change your Social Security number, your date of birth, or your financial history.
The Congressional report highlights that even after these breaches, the proposed remedies are limited to making opt-out mechanisms easier to find. That is the equivalent of putting a better lock on a house that has already burned down. The fundamental problem remains: centralized data aggregation creates systemic risk, and users have no meaningful control over how their information is collected, stored, or sold.
There is currently no comprehensive federal law in the United States that adequately regulates the data broker industry. Without structural change, these breaches will continue.
The Web3 Alternative: User-Controlled Privacy
Web3 offers a fundamentally different approach. Instead of handing your data to centralized intermediaries and hoping they protect it, decentralized systems allow users to control what they share, with whom, and under what conditions.
This is not a theoretical concept. Decentralized identity, confidential computing, and programmable privacy are live today and solving the exact problems that Congress is now scrambling to address.
With on-chain privacy, there is no plaintext database to breach and no honeypot of personal information waiting to be stolen. Users prove what needs to be proven, such as eligibility, identity, or creditworthiness, without exposing the underlying data. The attack surface shrinks dramatically because the data is never aggregated in one place in plaintext.
This is the shift from “collect everything, protect nothing” to “reveal only what is necessary.”
Where COTI Fits In
COTI is the programmable privacy layer for Web3, powered by high-performance Garbled Circuits that enable fast, low-cost, and flexible confidential computation on-chain.
What makes COTI’s approach directly relevant to the data broker problem is that it provides selective, programmable privacy. This is not about hiding everything. It is about giving users and applications precise control over what data is revealed, to whom, and when.
Consider the use cases that the data broker industry currently serves poorly, and how on-chain privacy handles them:
Identity Verification: Instead of storing copies of your ID with every service provider, decentralized identity systems built on COTI can allow users to prove who they are without exposing the underlying personal data. No copies means no copies to steal.
Financial Data: Institutions need to verify creditworthiness, transaction history, and compliance status. COTI’s Garbled Circuits enable this verification to happen on encrypted data, so sensitive financial records never need to be exposed in plaintext on a public ledger or stored in a centralized database.
Healthcare and Supply Chain: COTI is already working with partners like StaTwig to enable privacy-preserving processing of sensitive health supply chain data, such as temperature monitoring for vaccines, without ever decrypting the raw data into plaintext.
Regulated Asset Workflows: Through partnerships like Zoniqx, COTI is enabling privacy-preserving tokenization of real-world assets, ensuring that sensitive financial data tied to bonds, real estate, and private credit can move on-chain without being exposed.
In each of these cases, the underlying principle is the same: sensitive data is processed and verified without being collected, stored, or exposed by a centralized third party. This is the exact opposite of how data brokers operate today.
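To make the "reveal only what is necessary" idea concrete, here is an added example that is not COTI's code and does not use COTI's SDK: a minimal Yao-style garbled circuit in plain Python in which a user who holds a private value x (an age, an income, a balance) lets a verifier evaluate x >= y for an agreed threshold y, and the verifier learns only the single result bit. The SHA-256-derived row pads, the point-and-permute pointer bits, the ripple comparator circuit, and every function name are assumed for illustration. Oblivious transfer is deliberately omitted: the garbler supplies one label for every input wire, so this is the semi-honest, single-private-input setting rather than a production two-party protocol.

```python
# Added example (not COTI's code): a minimal Yao-style garbled circuit in pure
# Python that lets an evaluator learn whether x >= y without learning x.
# Gate rows are encrypted with SHA-256-derived pads (assumed construction);
# point-and-permute pointer bits select the row. Oblivious transfer is omitted:
# the garbler supplies labels for every input wire (semi-honest model).
import hashlib
import secrets

KEY_LEN = 16  # bytes of random key material per wire label

# Two-input boolean gates; every gate's table is garbled the same way.
OPS = {
    "AND":    lambda a, b: a & b,
    "OR":     lambda a, b: a | b,
    "XNOR":   lambda a, b: 1 - (a ^ b),
    "ANDNOT": lambda a, b: a & (1 - b),   # a AND NOT b
    "ORNOT":  lambda a, b: a | (1 - b),   # a OR NOT b
}


def comparator_circuit(nbits):
    """Ripple comparator for x >= y over nbits-bit unsigned inputs (LSB first).
    Each gate is (output_wire, op, input_a, input_b) in evaluation order."""
    gates = [("ge0", "ORNOT", "x0", "y0")]  # x0 >= y0  <=>  x0 OR NOT y0
    for i in range(1, nbits):
        gates += [
            (f"gt{i}", "ANDNOT", f"x{i}", f"y{i}"),       # x_i > y_i
            (f"eq{i}", "XNOR", f"x{i}", f"y{i}"),         # x_i == y_i
            (f"carry{i}", "AND", f"eq{i}", f"ge{i-1}"),   # equal here, decided by lower bits
            (f"ge{i}", "OR", f"gt{i}", f"carry{i}"),
        ]
    return gates, f"ge{nbits - 1}"


def _fresh_wire():
    """Two labels per wire: (key, pointer_bit); the pointer bits are complementary."""
    p = secrets.randbits(1)
    return ((secrets.token_bytes(KEY_LEN), p), (secrets.token_bytes(KEY_LEN), 1 - p))


def _pad(gate_id, key_a, key_b):
    """Row encryption pad derived from both input labels and the gate id."""
    return hashlib.sha256(key_a + key_b + gate_id.to_bytes(4, "big")).digest()[: KEY_LEN + 1]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def garble(gates, input_wires, output_wire):
    """Garbler: pick random labels for every wire and encrypt each gate's truth table."""
    wires = {name: _fresh_wire() for name in input_wires}
    tables = []
    for gate_id, (out, op, a, b) in enumerate(gates):
        wires[out] = _fresh_wire()
        rows = [None] * 4
        for bit_a in (0, 1):
            key_a, ptr_a = wires[a][bit_a]
            for bit_b in (0, 1):
                key_b, ptr_b = wires[b][bit_b]
                out_key, out_ptr = wires[out][OPS[op](bit_a, bit_b)]
                # Row position depends only on the pointer bits, so the evaluator
                # learns nothing about bit_a / bit_b from which row it opens.
                rows[2 * ptr_a + ptr_b] = _xor(_pad(gate_id, key_a, key_b),
                                               out_key + bytes([out_ptr]))
        tables.append(rows)
    # Output decoding info: which pointer bit on the output wire means 0 / 1.
    decode = {wires[output_wire][0][1]: 0, wires[output_wire][1][1]: 1}
    return wires, tables, decode


def evaluate(gates, tables, input_labels):
    """Evaluator: holds one label per input wire and the garbled tables, nothing else."""
    labels = dict(input_labels)
    for gate_id, (out, _op, a, b) in enumerate(gates):
        key_a, ptr_a = labels[a]
        key_b, ptr_b = labels[b]
        plain = _xor(_pad(gate_id, key_a, key_b), tables[gate_id][2 * ptr_a + ptr_b])
        labels[out] = (plain[:KEY_LEN], plain[KEY_LEN])
    return labels


def prove_at_least(x, y, nbits):
    """Garbler holds x (e.g. age or income); y is the agreed threshold.
    Returns the single bit the evaluator learns: 1 iff x >= y."""
    gates, out_wire = comparator_circuit(nbits)
    inputs = [f"x{i}" for i in range(nbits)] + [f"y{i}" for i in range(nbits)]
    wires, tables, decode = garble(gates, inputs, out_wire)
    # The garbler sends exactly one label per input wire; labels are random,
    # so they reveal nothing about x. (Evaluator-held private inputs would
    # instead be fetched via oblivious transfer, omitted in this example.)
    sent = {f"x{i}": wires[f"x{i}"][(x >> i) & 1] for i in range(nbits)}
    sent.update({f"y{i}": wires[f"y{i}"][(y >> i) & 1] for i in range(nbits)})
    result = evaluate(gates, tables, sent)
    return decode[result[out_wire][1]]


if __name__ == "__main__":
    print("age 21 >= 18:", prove_at_least(21, 18, nbits=7))  # 1
    print("age 17 >= 18:", prove_at_least(17, 18, nbits=7))  # 0
```

Two caveats a practitioner should keep in mind. First, the evaluator here trusts that the garbler garbled the agreed circuit; a malicious garbler could garble a different function, which is why real deployments need either a verifiable circuit (cut-and-choose, authenticated garbling) or a setting where the garbler has no incentive to cheat. Second, this version stores four encrypted rows per gate and hashes on every gate; production garbled-circuit engines use free-XOR and half-gates to cut that cost, which is what makes on-chain evaluation practical at all.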
Privacy is Infrastructure, Not a Feature
The $21 billion price tag from this Congressional report is just the measurable cost of four breaches. The real cost, in lost trust, surveillance risk, and eroded personal sovereignty, is far higher.
Opt-out buttons and regulatory patches treat symptoms. They do not change the underlying architecture that makes breaches inevitable. As long as massive volumes of personal data are stored in centralized systems, those systems will be targeted, and they will fail.
The path forward requires building systems where privacy is not optional but foundational. Where users own and control their data by default. Where verification happens without exposure.
That is exactly what COTI is building. Privacy that is programmable, scalable, and compliant. Not as an afterthought, but as core infrastructure for the next generation of applications in DeFi, identity, payments, governance, and beyond.
The $21 billion question is not whether we need on-chain privacy. It is how fast we can build it.
About COTI:
COTI is the programmable privacy layer for Web3. Powered by high-performance Garbled Circuits (GC), COTI enables encrypted computation on public blockchains — delivering fast, low-cost, and compliant privacy for DeFi, payments, identity, governance, and AI applications.
For COTI updates and to join the conversation, be sure to check out our channels:
Website: https://coti.io/
COTI Earn: https://earn.coti.io/earn
X: https://twitter.com/COTInetwork
YouTube: https://www.youtube.com/channel/UCl-2YzhaPnouvBtotKuM4DA
Telegram: https://t.me/COTInetwork
Discord: https://discord.gg/9tq6CP6XrT
GitHub: https://github.com/coti-io
