In California, legislation mandates that data brokers must provide clear avenues for consumers to request the deletion of their personal data. However, locating these options poses significant challenges for users.
According to an investigation by The Markup and CalMatters, over 30 data brokers, which are companies that aggregate and sell personal information, effectively concealed their data deletion instructions from Google search results. This maneuver complicates the process for consumers seeking to remove their data, adding yet another hurdle to an already convoluted system.
The research revealed that numerous web pages containing deletion guidelines, as listed in an official state registry, utilized coding techniques to instruct search engines like Google and Bing to exclude these pages from their results. This practice ensures that consumers cannot easily find the information necessary to opt-out or delete their data.
California’s regulatory framework, under the Consumer Privacy Act, requires all data brokers to register with the state and provides Californians the right to request the deletion and non-sale of their information, as well as gaining access to it. Upon reviewing the websites of all 499 registered data brokers, the investigation found that 35 employed coding practices to obstruct their deletion pages from being indexed by search engines.
While these companies may adhere to the legal requirement of offering an opt-out page, the obfuscation of these options renders them nearly useless, according to Matthew Schwartz, a policy analyst at Consumer Reports who examines California’s data broker laws. “This appears to be a clever tactic designed to make it as difficult as possible for consumers to locate their deletion options,” Schwartz remarked.
After inquiries made by The Markup and CalMatters, seven data brokers indicated they would review their website code, and two had already made amendments independently prior to the inquiry. Eight of the nine contacted companies confirmed the removal of the obstructive code as of July 31.
While some firms argued that the use of code was an intentional strategy to mitigate spam, 24 companies did not respond to requests for clarification, though three acted promptly to remove the code after the investigation reached out to them.
Despite efforts to improve visibility, many companies included minimal links buried at the bottom of their homepages, necessitating extensive navigation to even locate their privacy-related instructions. This strategy leaves consumers facing significant barriers in their attempts to exercise their rights regarding personal data deletion.
For instance, ipapi, which provides location data based on IP addresses, offered a simple opt-out form allowing users to request that their personal data not be sold. However, this form was similarly obscured by coding that prevented search engines from indexing it. A representative from the company described the presence of such code as an oversight, indicating that changes have since been made to enhance its visibility.
