“Good luck,” the Electronic Privacy Information Center tells internet users trying to keep their personal data from being shared across the web.
The nonprofit research center published a new report on Wednesday analyzing what it calls “manipulative design patterns” in the opt-out processes of 38 major companies, including data brokers, social media platforms, dating apps, and AI firms.
This comes despite privacy laws in 21 states that give consumers the right to opt out of the sale and sharing of their personal data and require companies to provide clear, easy-to-use opt-out mechanisms.
“When opt-out processes use manipulative design patterns, they only give the illusion of choice instead of giving people real autonomy over their personal information,” said Epic Counsel and Co-Author of the report Caroline Kraczon in a press release. “Our research shows that too many companies use manipulative design to frustrate, confuse, and discourage consumers from trying to protect their personal data.”
Kraczon goes on to say these design choices can have real-world consequences like doxxing, stalking, and targeted harassment.
The report highlights the murder of Minnesota state legislator Melissa Hortman and her husband last year as an example. According to EPIC, the alleged killer used “people search” data brokers to research his targets.
The group adds that these risks disproportionately affect women, women of color, and LGBTQ+ people.
The new report outlines several misleading design tactics these companies use, ranging from confusing or misleading language in their opt-out processes to preselected checkboxes that take advantage of the “default effect,” a cognitive bias where people are more likely to stick with the option that has already been selected for them.
“Sometimes, companies even use confusing colors or designs alongside preselected toggles that may make it difficult for consumers to understand whether they are opted in or out, “ the report says.
EPIC pointed to dating apps like Grindr and Bumble as examples of companies whose opt-out processes included preselected checkboxes or toggles.
Meanwhile, more than a dozen of the platforms reviewed did not clearly link to their opt-out forms on either their homepage or in their privacy policy, including Meta, Google, and OpenAI, according to the report.
“This failure further undermines consumers’ ability to easily access pages where they can submit opt-out requests to companies, and may raise questions about companies’ compliance with federal and state regulatory requirements,” the report says.
Grindr, Bumble, Google, and OpenAI did not immediately respond to a request for comment.
“As we say explicitly in our Privacy Policy, we don’t sell any of your information to anyone and we never will,” a Meta spokesperson told Gizmodo in an emailed statement.
EPIC ultimately recommends several ways companies, policymakers, and regulators could make opting out easier.
For companies, the group says they should evaluate their opt-out processes for manipulative design patterns and conduct ongoing audits to make sure they are not sharing information from users who have already opted out.
The group also suggests that the Federal Trade Commission (FTC) could use its Section 5 authority, which bars unfair or deceptive business practices, to protect consumers from these tactics.
State attorneys general could also evaluate whether companies are complying with state opt-out laws. EPIC also urges more states to adopt a data deletion program, similar to California’s, that would make it easier for consumers to request that data brokers delete their personal information with one request.
Finally, the group says states should strengthen their privacy laws to include data minimization standards, which would limit companies to collecting and sharing only the data reasonably necessary to provide their services.
