Optery CEO & Founder Lawrence Gentilello recently joined Katie Soper on the CyberVault podcast to break down some of the most pressing questions surrounding data brokers and personal data exposure today.
The conversation explored:
- The scale and complexity of the data broker ecosystem
- How exposed personal data creates both cyber and physical risk
- The surprising ways personal data is collected, shared, and sold
- Why regulations like GDPR and CCPA help, but don’t fully protect consumers
- Why manual opt-outs aren’t feasible and how automated defense changes the equation
- The biggest misconception about data broker removal services
- Why CISOs are now treating personal data removal as a proactive security control
- How AI, regulation, and consumer awareness are shaping the next few years of privacy and security
Below are some highlights from the episode.
The scale of the data broker ecosystem
Lawrence explained the fundamental challenge: data brokers are numerous, fast-moving, and fueled by enormous commercial incentives. There are far more brokers than there are companies attempting to remove personal data from them, which tilts the ecosystem heavily against individuals and organizations.
As he put it:
“It’s just a really, really tough battle, and part of it is if you look at the data removal companies, maybe there’s like 10 of us total… there’s thousands of data brokers… and if you look at the size of our kind of revenue base and the data broker revenue base, that’s a couple hundred billion dollars. And so we’re really kind of outgunned in terms of what’s out there.”
Data exposure creates both cyber and physical risk
The episode highlights how exposed personal data fuels far more than just spam or unwanted marketing. Attackers use data broker sites for cyber attacks like social engineering, account takeover, and fraud, but the same publicly available information also creates physical safety risks. As Lawrence said:
“One of the big reasons people use us is not only to protect themselves in the cyber realm, but also in the physical realm by removing home addresses from the internet… if somebody is interested in confronting you physically, it’s a good thing to get your home address off the internet and not make it super easy to find you.”
Why privacy laws alone aren’t enough
The episode also touched on GDPR, CCPA, and the growing list of U.S. state privacy laws. Lawrence acknowledged the progress but emphasized a foundational limitation: the laws grant rights, but they don’t make exercising those rights realistic for most people.
“You say, okay, I’ve got all these rights, but I’m not doing anything about it because I don’t have time to go manually one by one and submit opt-out requests to a thousand data brokers and then keep track of which ones are hiding in the shadows.”
“The laws give rights, but by and large, they don’t give tools.”
Manually opting out of hundreds or thousands of data brokers is simply not feasible. That gap between rights and tools is where automated solutions become necessary.
From manual opt-outs to automated defense
Lawrence and Katie also discussed how attackers, and even legitimate marketers, are increasingly using AI-driven tooling. Meanwhile, individuals historically have had only manual methods for protecting themselves.
Lawrence contrasted the old reality with what automated solutions can now offer:
“Formerly, you could do stuff yourself by hand but it’s kind of like showing up to a gunfight with a stick. With something like Optery, you have a machine gun that you can defend yourself with, and you can automate the defense.”
This analogy captures how automation changes the balance of power and levels the playing field for consumers and organizations.
The misconception that all data removal products are the same
Katie asked Lawrence about widespread misconceptions in this space. He identified a big one: the idea that “data removal” products are interchangeable.
Based on Optery’s research, he said the differences in actual effectiveness are dramatic:
“One of the misconceptions… is that the products like data removal products are interchangeable. I talk to some people who say, ‘Oh, I use this,’ or ‘I use that,’ and we’ve done the analysis, we’ve done the research, we’ve seen the research, and the effectiveness of the products in our space is dramatically, dramatically different. There are some products in our space where they almost do nothing. You might as well be throwing your money away. And some of the products are very, very good.”
He encouraged listeners not to rely solely on marketing or influencer claims but to evaluate how thoroughly different services actually find and remove exposed data by trying them out.
Pro tip: Individuals can use Optery’s free scan to assess their data exposure and also to determine the effectiveness of other services.
Why CISOs now see personal data removal as a proactive control
Another major point was the shift happening inside security teams. More and more organizations are recognizing that personal data removal is a preventive security measure against social engineering.
Lawrence explained how the mindset has changed:
“CISOs are viewing removal of exposed personal data as a proactive, preventative measure against social engineering and attacks. So it’s no longer just kind of like penetration testing what’s happening within our walls; it’s what’s happening outside of our walls. That’s where attackers are formulating their attacks… and let’s reduce the amount of data that [attackers] have in their hands.”
This approach prevents attacks by disrupting reconnaissance efforts and denying attackers the PII needed to craft campaigns and hit their targets.
Listen to the full episode
For the complete discussion of these topics and more, you can listen to the full CyberVault episode with Katie Soper and Lawrence Gentilello on Spotify.