Uber, Meta Make it Hard for Users to Stop Data Sales, Study Says

OpenAI Inc., Tinder, Palantir Technologies Inc., and more than thirty other digital companies make it difficult for users to control what happens to their personal data, a privacy advocate’s report found.

The study, published Wednesday by the Electronic Privacy Information Center, found many online businesses created obstacles for consumers who want to exercise their privacy rights by using confusing language, requiring users to pay a fee, or failing to provide clear options to opt out of the selling or sharing of personal information. The report analyzed the opt-out processes of 38 data broker, social media, and tech companies including TikTok Inc., Amazon.com Inc., Meta Platforms Inc., and X.

Caroline Kraczon, counsel at EPIC, said researchers found several companies “that just didn’t have any kind of opt-out process at all.” She added, “It’s two researchers looking really hard to find it, and we couldn’t do it. If you think about a consumer trying to exercise their rights, it’s just going to be impossible. That’s pretty egregious.”

The analysis was based on standards set by state privacy laws and enforcement actions from the Federal Trade Commission, the privacy advocacy group said. EPIC urged both state and federal regulators to bring enforcement actions against online businesses with manipulative opt-out processes. State regulators including California’s privacy agency have already fined businesses including Ford Motor Co., Honda Honda Motor Co., and Todd Snyder Inc. over inadequate opt-out options in the last two years.

“This report provides a good opportunity even to submit complaints with state and federal level regulators,” Kraczon added. “That’s definitely something that we’re interested in doing.”

Unclear Opt Outs

About a dozen businesses including Meta, Uber Technologies Inc., and Google: Gemini required users to log in to an account or pay for a subscription before opting out of data sharing or sales, the study said.

Some brokers might require users to pay a fee to access data collected and sold without their consent—and the companies still wouldn’t guarantee they’d stop selling it, said Justin Sherman, scholar in residence at EPIC.

“At which point, some of them say outright, ‘Well, by the way, congrats on your submission, but we’re going to repopulate probably in a few weeks, so you need to check back again,’” he said.

“As if collecting and selling your data is the wind blowing back and forth,” Sherman added.

People search data broker Spokeo, for example, didn’t provide assurances that it would continue to honor users’ requests, stating that user data may reappear “without notice” as the broker receives new records from public sources, according to EPIC.

‘Privacy Theater’

A majority of online businesses used confusing language about consumers’ opt-out choices, the group said, making it hard to determine whether companies would actually stop selling or transferring user data. About half of the companies, including data brokers TransUnion, Epsilon, Whitepages, and National Public Data, also required users to submit multiple, separate forms to fully opt out, the report said.

Uber, Lyft Inc., Grindr, and Bumble, meanwhile, automatically opted consumers into the sale and transfer of their personal data, according to the study. Some also used color and design options the study said were confusing and made it difficult for users to figure out whether they opted in or out.

“I had hoped that we would find better practices—even in some of the large tech companies, which of course have enormous compliance teams,” Sherman said.

EPIC urged states to adopt a California-style deletion mechanism, dubbed DROP, that would make it easier for consumers to control when their data gets shared or pursue stricter data minimization requirements. California’s privacy agency has been pushing for consumers to use DROP to get data brokers to delete their data, with 300,000 Californians signed-up so far.

“This is all just another example of why notice and choice is just privacy theater,” Kraczon said. “We’re saying that we want to protect people’s privacy and giving people choices, but we’re really not.”