How 38 Major Tech Companies Make It Hard to Opt Out of Data Collection
What EPIC Found
The Electronic Privacy Information Center (EPIC) has released a study documenting eight specific ways that 38 major technology companies—including AI firms, data brokers, dating apps, and defense contractors—make it difficult or impossible for people to stop the collection and sale of their personal data.
The study examined actual user experience. Researchers tried to use the opt-out forms these companies provide and found that while many forms appear to offer privacy controls, they often don't actually work as advertised. Companies claim to comply with privacy laws while their systems are designed in ways that discourage people from successfully opting out.
Specific Manipulation Tactics
The researchers identified eight distinct patterns companies use to make opting out harder than it should be.
Some companies require you to create a full account or pay for a subscription before you can even submit an opt-out request. Others provide what looks like a privacy control but don't actually offer an option to stop the sale or sharing of your data. Some forms lack clear confirmation that your request went through, leaving you uncertain whether you've actually opted out.
OpenAI provides a visible example. The company has what appears to be a privacy control interface, but EPIC found it does not let users stop the sale or transfer of their personal data. This same pattern appears across multiple AI companies in the study.
People-search services—companies like Spokeo, Whitepages, and National Public Data—offer an even starker case. According to EPIC, these services don't provide consumers any way to opt out of data sales at all.
The Safety Dimension
EPIC frames these broken opt-out mechanisms as a safety issue, not just a privacy one. The organization highlighted the case of Vance Boelter, who used people-search data brokers to find targets for violence. When someone can easily purchase your address, phone number, and associated contacts for a few dollars, the consequences go beyond mere inconvenience.
People-search brokers combine public records, social media information, and commercially purchased data into detailed profiles. When these companies don't offer working opt-out options, those profiles remain for sale to anyone willing to pay.
A Pattern Across Industries
The study spans AI companies, traditional data brokers, dating apps, and defense contractors. All of them used similar tactics to discourage opt-outs. This consistency suggests the companies didn't arrive at these designs by accident. It looks more like a deliberate strategy to minimize actual opt-outs while maintaining the appearance of legal compliance.
Defense contractors in the study are particularly noteworthy. These companies process information from government sources, business partnerships, and individual interactions. Their data practices have implications not just for personal privacy but for national security outcomes.
Why Regulations Haven't Fixed This
California's Consumer Privacy Act, the European Union's General Data Protection Regulation, and similar privacy laws around the world all require that companies provide working opt-out mechanisms. Yet EPIC's research shows how technical design can undermine what the law intends.
Here is where the problem becomes clearer: regulators typically test whether companies have the right policies in place. They examine documentation and stated procedures. But they don't always test what actually happens when a real person tries to use an opt-out form. This gap creates space for companies to maintain forms that look compliant on paper while being deliberately hard to navigate in practice.
We saw a similar dynamic after the European Union passed its data protection rules around website cookies in 2015. Companies initially responded with consent buttons that were technically legal but practically useless—accept-all buttons in large text, refuse options buried in menus. The current landscape around data opt-outs appears to be following the same path.
Technical Obstacles Add Up
The researchers documented multiple friction points layered into opt-out processes. You might need to create an account first, meaning you have to hand over more personal information before you can request removal of personal information. Some companies put opt-out functionality behind a paywall. Others make the process so complicated across multiple steps that you end up uncertain whether your request actually went through.
These barriers exploit a basic imbalance. Companies have detailed information about you and machines to process it. You have to figure out an unfamiliar interface with little feedback about whether anything actually happened. The system is designed to favor keeping your data.
What Happens Next
EPIC's catalog of specific techniques gives regulators and technology teams a concrete checklist. Enforcement agencies can now use these findings as concrete criteria for what makes an opt-out mechanism actually work. Companies that want genuine privacy protection can use the study as a guide to what not to do.
More broadly, this points to a shift in how privacy gets built into products. Rather than treating opt-out forms as a legal box to check at the last minute, technology teams should design them with the same care and attention to usability that they give to features customers actually want to use. That means simple flows, clear confirmation of what happened, and no artificial barriers.
The methodological approach matters here too. Rather than auditing what companies claim about their privacy controls, EPIC examined actual user experience. This captures the difference between what policies say and what actually happens when people try to exercise their rights. Regulators are likely to adopt this kind of practical testing as a standard tool going forward.
As data protection enforcement expands globally and strengthens, expect to see more audits like this one. Companies that have built opt-out mechanisms that genuinely work will find themselves in a stronger position as enforcement tightens and people become more aware of their rights.
