Prediction Markets Have Become a $60B Data Auction, and Nobody Regulates It

In the first quarter of 2026, two platforms most Americans had never heard of five years ago processed more than $59 billion in trades. Kalshi cleared $33 billion; Polymarket handled $26.17 billion, Seeking Alpha reported in May. The two firms now control north of 85 percent of all U.S.-accessible prediction-market volume, according to a USA Today comparison published this month. Both are regulated by the Commodity Futures Trading Commission. Neither is regulated as a data broker. And that gap is the story.

The traditional data-broker ecosystem runs on an auction layer most consumers never see. When a webpage loads, a real-time bidding (RTB) auction fires in milliseconds: hundreds of demand-side platforms bid for the right to show a specific ad to a specific user, using data gathered by thousands of brokers, trackers, and intermediaries. The winning bidder gets the impression. Every party in the chain gets a copy of the bid request, a packet that routinely includes device identifiers, IP address, coarse and precise location, browsing context, and inferred demographic segments. The Interactive Advertising Bureau's Tech Lab released a new framework in April 2026 called the Agentic RTB Framework, or ARTF, designed to replace static auctions with AI-driven agents that negotiate in real time according to Forbes. The upgrade makes the auction layer smarter. It does not make it more legible to the people whose data is being priced.

Prediction markets invert this architecture in one sense and replicate it in another. Instead of a hidden auction where personal data is the inventory, the market itself is the auction layer and the asset being priced is collective expectation about future events. The trades are public. The order books are visible. But the data flow, who learns what, from whom, and at whose expense, is almost entirely unexamined through the lens of privacy law.

Consider what a prediction market actually ingests. Polymarket and Kalshi do not merely offer binary contracts on elections or sports outcomes. Their contract catalogues now include granular propositions about regulatory decisions, corporate earnings, climate events, public-health milestones, and geopolitical incidents. Every trade placed on these contracts is a data point: a timestamped signal about what someone, somewhere, believes will happen. Aggregated across millions of users, that signal becomes a predictive dataset with demonstrable commercial value. The Motley Fool identified in May a publicly traded sports-data company that has quietly become "the hidden data provider powering these rapid-fire betting markets." The data-broker supply chain is already forming around the edges of the platforms themselves.

The regulatory problem is jurisdictional before it is substantive. The CFTC oversees prediction markets as derivatives exchanges. Its mandate covers market manipulation, customer protection, and systemic risk. It does not cover the downstream use of trade data as a surveillance commodity. The Federal Trade Commission, meanwhile, has spent four years litigating against the data broker Kochava over the sale of non-anonymized geolocation data linked to mobile advertising IDs. In May 2026, the FTC announced a proposed settlement that imposes restrictions on Kochava's sale of sensitive location data. The consent order is significant: it requires Kochava to delete certain historic location datasets and to obtain affirmative express consent before collecting or using precise geolocation data in the future. But the order applies to one company, in one sector, under one agency's theory of harm. It says nothing about a platform that takes real-money positions on whether a pipeline will be approved, aggregates those positions into a probability, and sells the feed to hedge funds.

The data flow, end to end, looks like this. A user opens an account, completes know-your-customer verification, deposits funds, and begins trading. Every action, deposits, withdrawals, order placement, position size, time-on-platform, contract selection, is logged, timestamped, and associated with a verified identity. The platform itself sees the full portrait. Data partners, analytics vendors, and institutional subscribers see a processed slice. The public sees the order book and the probability. At no point in this pipeline is the user's personal data being sold to an ad exchange in the RTB sense of the term. But the aggregate output of millions of users' behaviour is being monetised as a predictive product, and the user whose risk assessment and research contributed to that signal receives no compensation and exercises no meaningful consent over the downstream use.

The question of consent is the one the existing legal frameworks are least equipped to answer. In the RTB ecosystem, consent is a fiction dressed in a consent-management-platform popup: the user clicks "accept all" because the alternative is a thirty-step opt-out process that resets when cookies are cleared. The European Data Protection Board has repeatedly found that RTB, as currently architected, violates the GDPR's requirements for lawful processing and data minimisation. The Irish Data Protection Commission's 2023 decision against Meta, which forced the company to shift to a consent-based legal basis for behavioural advertising in the EU, was a direct consequence of RTB's structural noncompliance. Yet prediction markets operate outside this entire conversation. Their terms of service govern account behaviour and trading rules. They do not govern what happens to the data exhaust.

State-level data-broker laws are beginning to close parts of the gap, but unevenly. California's Delete Act, which took effect in 2024, established a single portal through which consumers can request deletion of their personal information from all registered data brokers. Oregon, Texas, and Delaware have passed their own broker-registration statutes. As JD Supra reported on June 10, "data brokers are facing heightened scrutiny at the state level" with several states expanding registration requirements and enforcement mechanisms. None of these laws, however, defines a prediction-market trade log as a brokered dataset, and none requires a platform regulated primarily by the CFTC to register as a data broker in any state.

Instead of static auctions where the highest bid wins, you have intelligent agents negotiating in real time based on sophisticated value assessments., Vasu Raj Jain, Forbes Technology Council, describing the IAB Tech Lab's Agentic RTB Framework, April 2026

The ARTF framework Jain describes is relevant here not because prediction markets use RTB protocol, they do not, but because the architectural logic is converging. Both systems now feature automated agents assessing value, placing bids, and extracting signal from the behaviour of other participants. Both systems generate data exhaust that is more valuable than the transaction itself. Both systems operate under the assumption that the only parties whose interests need protecting are the trading counterparties. In RTB, the consumer whose data is being auctioned is not a counterparty at all; they are inventory. In prediction markets, the trader whose risk assessment is being aggregated and resold is a customer of the exchange but not a beneficiary of the data product.

The international dimension sharpens the urgency. More than ten governments have now directly banned or restricted Polymarket or Kalshi, with seven acting in 2026 alone, CCN reported on June 4. The publicly cited justifications range from gambling-law violations to concerns about election integrity. No jurisdiction has cited privacy or data-brokerage as the primary rationale. But the bans themselves reveal something structural: governments are treating prediction markets as a threat precisely because the data they produce is powerful. When a market shows an 80 percent probability of a cabinet resignation or a regulatory veto, that number has political consequences. The fact that it was produced by a for-profit platform monetising its users' trading activity is a detail that privacy law has not yet learned to ask about.

The Yahoo Finance report from February 2026, originally published by TheStreet, characterised prediction markets as "the largest untapped collateral pool in DeFi." The article noted that Polymarket and Kalshi reached valuations of $9 billion and $11 billion respectively at the end of 2025, "yet 0% of that collateral has been deployed in decentralised finance lending protocols." The piece was about capital efficiency. But the same observation, reframed, describes the privacy problem: tens of billions of dollars in collateral sit inside platforms that monetise the data generated by that collateral's movement, and none of the existing privacy frameworks treat that data flow as a regulated activity. The data is valuable enough to collateralise loans; it is valuable enough to warrant privacy protections. The law simply has not caught up.

The SECURE Data Act and the Federal Vacuum

Congress has spent the first half of 2026 debating the SECURE Data Act, the latest attempt to create a comprehensive federal privacy standard. The bill, analysed by JD Supra on June 18, would preempt state privacy laws and establish a single national framework for data collection, processing, and sale. For businesses, the appeal is simplicity: one set of rules instead of a patchwork. For privacy advocates, the risk is that a federal floor becomes a ceiling and that sector-specific loopholes proliferate. The current draft addresses data brokers explicitly, requiring registration and granting consumers access and deletion rights. But the definition of "data broker" in the bill is keyed to the sale of personal information to third parties. A prediction market that sells an aggregated probability feed derived from user trades may not fall within that definition at all, depending on whether the feed is deemed to contain "personal information" after aggregation.

This is not a drafting oversight; it is a category problem. Privacy law in the United States is organised around the concept of personally identifiable information. The Kochava case turned on the FTC's ability to demonstrate that the location data Kochava sold could be linked to specific individuals, to the reproductive health clinic they visited, the place of worship they attended, the shelter where they slept. The FTC's complaint alleged that Kochava's data allowed purchasers to identify a mobile device that visited a women's reproductive health clinic and trace that same device to a single-family home. That theory works when the data is granular and traceable. It breaks down when the data product is an aggregate probability derived from millions of individual assessments. The individual is present in the denominator but invisible in the output. The harm, if there is one, is structural rather than identifiably personal.

Whose Body, Whose Business

The question this ecosystem poses is not whether prediction markets are useful, they demonstrably are, and their forecasting accuracy has been documented in venues from academic journals to the Pentagon's own cancelled Policy Analysis Market programme. The question is whether the data they generate belongs to the platform, the trader, or the public. At present, the answer under the terms of service of both major platforms is unambiguous: it belongs to the platform. Kalshi's privacy policy reserves broad rights to use and share aggregated, de-identified, or anonymised data. Polymarket, which operates on a blockchain-based architecture, makes trade data publicly visible by design. Neither arrangement gives the trader a property interest in the predictive signal their own behaviour helped create.

For civil-liberties researchers, the comparison that keeps surfacing is not to financial exchanges but to the ad-tech RTB system circa 2015. That was the moment when the auction layer had scaled to tens of billions of daily transactions but remained functionally invisible to regulators and consumers alike. The investigative work done by the Norwegian Consumer Council, Privacy International, and the Irish Council for Civil Liberties in the years that followed, the technical reports demonstrating how bid-request data flowed to hundreds of third parties, the complaints filed with every European data protection authority, the coordinated strategy that eventually forced regulatory action, took nearly a decade to produce results. The prediction-market data ecosystem is younger, smaller, and less obviously invasive. But the architecture is being built right now, and the absence of regulatory attention means it is being built without privacy by design.

One structural difference deserves emphasis: in the RTB system, the person whose data is being auctioned is not a willing participant in the market. They are the product. In prediction markets, the trader is a willing participant, they chose to open an account, they chose to deposit funds, they chose to place a trade. That makes the consent question harder, not easier. Voluntary participation in a financial market does not constitute informed consent to the downstream monetisation of trade data. A person who buys a contract on a Federal Reserve rate decision is making a financial wager. They are not consenting to have their risk appetite, their political priors, and their attention patterns packaged as a data product for institutional buyers. The two things are legally and ethically distinct, and no disclosure currently in force makes that distinction legible to the user.

The Kentucky lawsuit filed on June 18, 2026, against Kalshi and Polymarket, Cointelegraph reported, is the eighteenth state-level action against prediction markets. The complaints focus on gambling law and securities regulation. Kentucky's attorney general argues that the platforms are offering unlicensed gaming products to state residents. The privacy dimension is entirely absent from the pleadings. That absence is itself a policy failure. Regulators are litigating the product while ignoring the data architecture that makes the product profitable.

What readers can verify for themselves is straightforward. Both Polymarket and Kalshi publish their privacy policies online. Both make their order books visible. Both are registered with the CFTC. Neither is registered as a data broker in California, Oregon, Texas, or Delaware. The FTC's Kochava consent order is public on the Commission's website. The SECURE Data Act's text is available on Congress.gov and its data-broker provisions can be read in Section 12. The gap between what the platforms disclose about their data practices and what privacy law requires of data brokers is measurable and specific. It is not a matter of interpretation. It is a matter of jurisdiction, and jurisdiction is something Congress, not the platforms, decides.

The auction layer is proliferating. The bids are getting smarter. The data is getting more valuable. The law is still debating whether a prediction market is a gambling product or a financial instrument. While that debate drags on, the data flows quietly through a regulatory no-man's-land, and every trade placed is another data point in a dataset whose owner never had to ask.