Opt-Out Obfuscation: How Major Companies Manipulate Data Privacy Choices
A new report from the **Electronic Privacy Information Center (EPIC)** reveals that numerous large data-collecting companies, including AI vendors and data brokers, employ deceptive tactics to hinder consumers from opting out of data sales. The audit of 38 major data companies exposes manipulative design patterns that prioritize data collection over user privacy rights.
Data Privacy Under Siege: Companies Use Deceptive Tactics to Block Opt-Outs
Some of the largest data-collecting companies in the United States—including major AI vendors, data brokers, defense contractors, and dating apps—rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit **Electronic Privacy Information Center**.
### Manipulative Design Patterns
Researchers at **EPIC** audited the opt-out processes of 38 major data companies and documented at least eight distinct categories of manipulative design, including:
* Opt-out forms that don't actually let users opt out of the sale of their data.
* Links that are buried in fine print and missing from homepages.
* Processes that route consumers through multiple separate forms to complete a single request.
* Requirements that users create accounts or pay for subscriptions before opting out at all.
“Manipulative design has no place in opt-out requests,” **EPIC** says. “Companies must design opt-out processes with respect toward consumers’ rights, and if they do not, regulators at the state and federal level should step in to defend consumer rights to opt out.”
### Specific Examples of Obfuscation
Major companies offering large language models, such as **Google**, **Meta**, and **OpenAI**, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. **OpenAI's** form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to “remove personal information from **ChatGPT** responses,” which **EPIC** says is a filter on the chatbot's output, not the removal of any underlying data.
### Real-World Consequences
**EPIC** frames opt-out failures as a safety issue, pointing to, among others, the case of Vance Boelter, the man charged with murdering Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors say Boelter used people-search data brokers to locate his targets’ home address.
**EPIC's** researchers found that the people-search brokers they audited—**Spokeo**, **Whitepages**, and **National Public Data**—do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person's information in the future. **Spokeo** tells consumers directly that their information “may reappear on **Spokeo** in the future without notice” and instructs them to “regularly check” the site for new listings.
The **EPIC** report notes that abusive individuals have for decades used commercially available data and technology to locate, harass, and assault their targets, with women, women of color, and LGBTQ+ people bearing the brunt. The report cites a separate **EPIC** analysis from December 2025 on the use of data brokers against domestic violence survivors, and another on threats to public officials at every level of government. For people in those categories, the report argues, the opt-out is often the only mechanism available to remove a home address from circulation before someone shows up at the door.
“Many people may need to remove their information from **Spokeo** for safety reasons, such as domestic violence survivors or public officials and their families,” the report says.
The **Whitepages** opt-out process requires consumers to submit URLs for every listing of themselves on the site—but full reports are gated behind a paid **Whitepages Premium** subscription, meaning people may have to pay the broker to find the information they need in order to opt out of it. Four other companies, including **Bumble**, default users into data sharing through preselected toggles, researchers found. On **Bumble**, the “Do Not Sell” option is styled to look selected by default, when in fact it is the option a user must click to opt out.
### Lack of Transparency and Conflicting Claims
**EPIC's** researchers were unable to locate an opt-out process at all on **Meta**, **X**, **OpenAI**, and **Tinder** without first logging in. And **HireVue** and the surveillance vendor **DataTrust** frame their opt-out instructions as available only to California residents, even though 20 other states have passed laws granting opt-out rights.
**Palantir**, the defense and intelligence contractor, provides a privacy form on its website but does not include an option to opt out of the sale or sharing of personal data—the same finding **EPIC** documented for **TikTok**, **Amazon**, and the gunfire-detection vendor **SoundThinking**. **Palantir** also does not clearly link the form from its homepage or its privacy policy, and the researchers were unable to locate any opt-out process on **Palantir's** site, or on those of **Meta**, **X**, **OpenAI**, or **Tinder**, without logging in first.
**Amazon** disputes the finding. Adam Montgomery, a company spokesperson, says that **Amazon** does not sell customer personal information, and therefore customers are opted out by default. Opt-out options for data sharing are available through its “Your Ads Privacy Choices” and “Advertising Preferences” pages, and through privacy settings on most **Amazon** devices. Montgomery says **Amazon** does not use the word “share” in its opt-out options, but says the options cover the same uses defined by applicable law.
Shane Bauer, a spokesperson for **OpenAI**, says the company does not sell user data, though it does acknowledge sharing limited data with marketing partners for targeted and cross-context behavioral advertising. “We give people straightforward ways to control how their data is used directly in our apps, so those choices are easy to make right where people are using our services,” Bauer says. “Our Privacy Portal is another way for people to submit privacy requests, including individuals who don’t have an **OpenAI** account but still want to exercise their privacy rights. We think giving users multiple ways to exercise their rights is a good thing.”
A **HireVue** spokesperson disputes **EPIC’s** findings on scope, saying the company’s public privacy policy applies only to people who visit its marketing website, not to job applicants, whose data is processed through **HireVue’s** HR platform under consent controls configured by each employer. The company did not address **EPIC’s** finding that its public-facing policy directs opt-out instructions only to California residents.
Jerome Filip, a spokesperson for **SoundThinking**, says the company’s opt-out forms can be found at the bottom of its privacy policy page, along with a customer help phone number.
A **Palantir** spokesperson tells WIRED that the surveillance technology vendor had been erroneously included in the report alongside data brokers. “**Palantir** is not a data-collection or data mining company. We do not collect, sell, or buy personal data. We are a software company. We integrate our customers' existing data sets,” the company says. The spokesperson adds that **Palantir's** website offers standard cookie opt-out options and a privacy statement allowing individuals to exercise their rights.