Is this something European-style privacy laws would protect against? Though given the US political situation we are far from being able to enact any kind of anti-authoritarian protections...
So if:
1. you always denied those popups
2. ... including any hidden legitimate interest sections that are being treated as a second, opt-out "consent" for things that really don't actually qualify as legitimate interest
3. and the companies actually followed it
Then in theory the companies won't have that data. But doing 1 is tedious, companies exercise dark patterns to avoid you doing 2, and it's hard to audit if they've done 3, so most people are probably in those data sets.
Also, a government likely to buy this data for purposes like in the original article is unlikely to be the type of government that goes around slapping companies for not complying with privacy regulation on that data.
“Would European-style privacy laws protect against this?” is the kind of question that sounds more clarifying than it actually is, because it collapses about five separate problems into one vague gesture at “Europe.”
The issue here isn’t simply “lack of privacy law.” It’s:
1. apps collecting precise location data in the first place,
2. adtech infrastructure broadcasting that data through RTB,
3. brokers aggregating and reselling it,
4. government agencies buying it to avoid the constraints that would apply if they tried to collect it directly, and
5. regulators failing to stop any of the above in a meaningful way.
European law is relevant to some of that, but not as a magic shield. GDPR and ePrivacy principles are obviously more restrictive on paper than the US free-for-all, especially around consent, purpose limitation, data minimization, and downstream reuse. But “on paper” is doing a lot of work there. Europe has had years of complaints about RTB specifically, and yet the adtech ecosystem did not exactly disappear. That should tell you something.
So the real answer is: yes, a stronger privacy regime can help, but no, this is not a problem that gets solved by vaguely importing “European-style privacy laws” as a concept. If the underlying business model still allows mass collection, opaque sharing, and resale of location data, then state access is a policy choice away. Governments don’t need to build a panopticon if the commercial sector already did it for them.
Also, the most important legal question here is not just whether private companies should be allowed to collect/sell this data. It’s whether the government should be allowed to buy commercially available data to do an end-run around constitutional and statutory limits. That is a distinct issue. You need rules for both the commercial market and state procurement, otherwise the state just shops where the Fourth Amendment doesn’t reach.
In other words, the contrast is not “Europe = protected, US = authoritarian.” The contrast is between systems that at least attempt to constrain collection and reuse, and systems that let surveillance markets mature first and ask questions later. Even in Europe, enforcement gaps, law-enforcement carveouts, and institutional incentives matter enormously.
So if the goal is to understand the story, the useful question isn’t “would Europe stop this?” It’s “what combination of collection limits, resale bans, procurement bans, audit requirements, and enforcement would actually make this impossible in practice?” Anything short of that is mostly aesthetics.
You can enact all the laws you want, but what do you do when the government in charge just ignores them?