Data brokers are increasingly obscuring their opt-out pages, presenting significant barriers for consumers who seek to delete their personal data. A recent investigation by The Markup and CalMatters uncovered that over 30 of these companies, which gather and sell personal information, employ coding techniques to hide their opt-out instructions from search engines like Google.
Under California law, data brokers must allow consumers to request the deletion of their data. However, the research revealed that many of the pages containing these instructions are effectively invisible in search results due to coded directives that instruct search engines to exclude them. This situation further complicates the already challenging process for consumers trying to protect their privacy.
The findings stem from an extensive review of 499 data brokers registered with California’s Consumer Privacy Act (CCPA). Of these brokers, 35 were discovered to have pages that were not indexed by search engines due to the intentional coding designed to obscure them. While these companies may technically comply with legal requirements by offering deletion avenues, the lack of visibility renders these options nearly useless for consumers.
Matthew Schwartz, a policy analyst at Consumer Reports, expressed concern that the tactics used by these companies seem designed to thwart consumer access to their rights. After being contacted by investigators, some companies reviewed their practices, with several agreeing to remove the obstructive codes from their sites.
For instance, the opt-out page for IPAPI, a service that tracks the physical locations of internet users, contained similar exclusionary codes. After being informed of the issue, a representative confirmed the code would be removed to enhance visibility.
Other companies, like Telesign, have similarly hidden essential forms deep within complex privacy policies or beneath layers of website prompts, making them virtually inaccessible. In some unfortunate cases, pages that were listed as available for opt-out requests were found to be non-existent altogether.
The California CCPA, enacted in 2020, regulates companies whose revenue relies on selling consumer data or that handle significant amounts of data relating to California residents. Currently, the California Privacy Protection Agency, which oversees enforcement, has identified that such practices may constitute violations of consumer rights by creating overly complicated paths for opting out.
In response to these tactics, California legislators have introduced the Delete Act, aimed at simplifying the opt-out process for consumers. This legislation will implement the Delete Request and Opt-out Platform (DROP), enabling residents to submit a unified opt-out request to all data brokers. This initiative is expected to launch in the following year, enhancing consumer rights and streamlining the process of reclaiming personal data.
