Data Brokers’ and AI Firms’ Opt-Out Forms Are Built to Fail, Report Finds

Some of the largest data-collecting companies in the United States—including major AI vendors, data brokers, defense contractors, and dating apps—rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit Electronic Privacy Information Center.

Researchers at EPIC audited the opt-out processes of 38 major data companies and documented at least eight distinct categories of manipulative design: Opt-out forms that don’t actually let users opt out of the sale of their data. Links that are buried in fine print and missing from homepages. Consumers routed through multiple separate forms to complete a single request. And requirements that users create accounts or pay for subscriptions before opting out at all, among others.

“Manipulative design has no place in opt-out requests,” EPIC says. “Companies must design opt-out processes with respect toward consumers’ rights, and if they do not, regulators at the state and federal level should step in to defend consumer rights to opt out.”

Major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. OpenAI’s form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to “remove personal information from ChatGPT responses,” which EPIC says is a filter on the chatbot’s output, not the removal of any underlying data.

EPIC frames opt-out failures as a safety issue, pointing to, among others, the case of Vance Boelter, the man charged with murdering Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors say Boelter used people-search data brokers to locate his targets’ home address.

EPIC’s researchers found that the people-search brokers they audited—Spokeo, Whitepages, and National Public Data—do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person’s information in the future. Spokeo tells consumers directly that their information “may reappear on Spokeo in the future without notice” and instructs them to “regularly check” the site for new listings.

The EPIC report notes that abusive individuals have for decades used commercially available data and technology to locate, harass, and assault their targets, with women, women of color, and LGBTQ+ people bearing the brunt. The report cites a separate EPIC analysis from December 2025 on the use of data brokers against domestic violence survivors, and another on threats to public officials at every level of government. For people in those categories, the report argues, the opt-out is often the only mechanism available to remove a home address from circulation before someone shows up at the door.

“Many people may need to remove their information from Spokeo for safety reasons, such as domestic violence survivors or public officials and their families,” the report says.

The Whitepages opt-out process requires consumers to submit URLs for every listing of themselves on the site—but full reports are gated behind a paid Whitepages Premium subscription, meaning people may have to pay the broker to find the information they need in order to opt out of it. Four other companies, including Bumble, default users into data sharing through preselected toggles, researchers found. On Bumble, the “Do Not Sell” option is styled to look selected by default, when in fact it is the option a user must click to opt out.