Major AI companies and data brokers use deceptive designs to block opt-outs, EPIC report reveals

Data Brokers' and AI Firms' Opt-Out Forms Are Built to Fail, Report Finds

A new study finds AI companies, defense firms, and dating apps are among 38 data collectors allegedly using manipulative design to confuse users while collecting their data. Some of the largest data-collecting companies in the United States -- including major AI vendors, data brokers, defense contractors, and dating apps -- rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit Electronic Privacy Information Center. Researchers at EPIC audited the opt-out processes of 38 major data companies and documented at least eight distinct categories of manipulative design: Opt-out forms that don't actually let users opt out of the sale of their data. Links that are buried in fine print and missing from homepages. Consumers routed through multiple separate forms to complete a single request. And requirements that users create accounts or pay for subscriptions before opting out at all, among others. "Manipulative design has no place in opt-out requests," EPIC says. "Companies must design opt-out processes with respect toward consumers' rights, and if they do not, regulators at the state and federal level should step in to defend consumer rights to opt out." Major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. OpenAI's form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to "remove personal information from ChatGPT responses," which EPIC says is a filter on the chatbot's output, not the removal of any underlying data. EPIC frames opt-out failures as a safety issue, pointing to, among others, the case of Vance Boelter, the man charged with murdering Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors say Boelter used people-search data brokers to locate his targets' home address. EPIC's researchers found that the people-search brokers they audited -- Spokeo, Whitepages, and National Public Data -- do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person's information in the future. Spokeo tells consumers directly that their information "may reappear on Spokeo in the future without notice" and instructs them to "regularly check" the site for new listings. The EPIC report notes that abusive individuals have for decades used commercially available data and technology to locate, harass, and assault their targets, with women, women of color, and LGBTQ+ people bearing the brunt. The report cites a separate EPIC analysis from December 2025 on the use of data brokers against domestic violence survivors, and another on threats to public officials at every level of government. For people in those categories, the report argues, the opt-out is often the only mechanism available to remove a home address from circulation before someone shows up at the door. "Many people may need to remove their information from Spokeo for safety reasons, such as domestic violence survivors or public officials and their families," the report says. The Whitepages opt-out process requires consumers to submit URLs for every listing of themselves on the site -- but full reports are gated behind a paid Whitepages Premium subscription, meaning people may have to pay the broker to find the information they need in order to opt out of it. Four other companies, including Bumble, default users into data sharing through preselected toggles, researchers found. On Bumble, the "Do Not Sell" option is styled to look selected by default, when in fact it is the option a user must click to opt out.

The Dark Patterns Keeping You From Opting Out of Data Sharing Are Darker Than Ever, Study Finds

A privacy nonprofit says online platforms are using â€~manipulative’ design tricks to make opting out of data sharing harder than it needs to be. “Good luck,†the Electronic Privacy Information Center tells internet users trying to keep their personal data from being shared across the web. The nonprofit research center published a new report on Wednesday analyzing what it calls “manipulative design patterns†in the opt-out processes of 38 major companies, including data brokers, social media platforms, dating apps, and AI firms. This comes despite privacy laws in 21 states that give consumers the right to opt out of the sale and sharing of their personal data and require companies to provide clear, easy-to-use opt-out mechanisms. “When opt-out processes use manipulative design patterns, they only give the illusion of choice instead of giving people real autonomy over their personal information,†said Epic Counsel and Co-Author of the report Caroline Kraczon in a press release. “Our research shows that too many companies use manipulative design to frustrate, confuse, and discourage consumers from trying to protect their personal data.†Kraczon goes on to say these design choices can have real-world consequences like doxxing, stalking, and targeted harassment. The report highlights the murder of Minnesota state legislator Melissa Hortman and her husband last year as an example. According to EPIC, the alleged killer used “people search†data brokers to research his targets. The group adds that these risks disproportionately affect women, women of color, and LGBTQ+ people. The new report outlines several misleading design tactics these companies use, ranging from confusing or misleading language in their opt-out processes to preselected checkboxes that take advantage of the “default effect," a cognitive bias where people are more likely to stick with the option that has already been selected for them. “Sometimes, companies even use confusing colors or designs alongside preselected toggles that may make it difficult for consumers to understand whether they are opted in or out, “ the report says. EPIC pointed to dating apps like Grindr and Bumble as examples of companies whose opt-out processes included preselected checkboxes or toggles. Meanwhile, more than a dozen of the platforms reviewed did not clearly link to their opt-out forms on either their homepage or in their privacy policy, including Meta, Google, and OpenAI, according to the report. “This failure further undermines consumers’ ability to easily access pages where they can submit opt-out requests to companies, and may raise questions about companies’ compliance with federal and state regulatory requirements,†the report says. Grindr, Bumble, Google, and OpenAI did not immediately respond to a request for comment. "As we say explicitly in our Privacy Policy, we don't sell any of your information to anyone and we never will," a Meta spokesperson told Gizmodo in an emailed statement. EPIC ultimately recommends several ways companies, policymakers, and regulators could make opting out easier. For companies, the group says they should evaluate their opt-out processes for manipulative design patterns and conduct ongoing audits to make sure they are not sharing information from users who have already opted out. The group also suggests that the Federal Trade Commission (FTC) could use its Section 5 authority, which bars unfair or deceptive business practices, to protect consumers from these tactics. State attorneys general could also evaluate whether companies are complying with state opt-out laws. EPIC also urges more states to adopt a data deletion program, similar to California’s, that would make it easier for consumers to request that data brokers delete their personal information with one request. Finally, the group says states should strengthen their privacy laws to include data minimization standards, which would limit companies to collecting and sharing only the data reasonably necessary to provide their services.

AI companies and data brokers even resort to fake forms to keep selling our data

Act surprised! A new privacy study has found that data brokers and AI companies deliberately deceive consumers who attempt to opt out of the sale of their personal data. An audit of the opt-out processes of dozens of major data companies found that they employ a variety of underhand practices - including fake forms ... Data brokers buy personal information about individuals from a wide range of sources, including app developers and websites, as well as scraping the internet for publicly available data. They then package this information up to sell to companies who will use it to spam us. Privacy researchers audited the opt-out processes of 38 major data-collecting companies, including data brokers, AI vendors and dating app developers. The study found that deceptive practices and even outright lies were common. Wired provided some examples. Opt-out forms that don't actually let users opt out of the sale of their data. Links that are buried in fine print and missing from homepages. Consumers routed through multiple separate forms to complete a single request. And requirements that users create accounts or pay for subscriptions before opting out at all, among others. Companies guilty of these types of tactics aren't just fly-by-night ones: they include Google, Meta, and OpenAI. Major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. OpenAI's form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to "remove personal information from ChatGPT responses," which EPIC says is a filter on the chatbot's output, not the removal of any underlying data. OpenAI's response appeared to be both denying and confirming it sells user data within the same response. Shane Bauer, a spokesperson for OpenAI, says the company does not sell user data, though it does acknowledge sharing limited data with marketing partners for targeted and cross-context behavioral advertising. People search brokers were among the worst. The people-search brokers they audited -- Spokeo, Whitepages, and National Public Data -- do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person's information in the future. Data brokers are a form of business which quite simply shouldn't be allowed to exist. This latest study just underlines the need for federal privacy protection laws in the US with the reach and bite of Europe's GDPR.