Some of the largest data-collecting companies in the United States—including major AI vendors, data brokers, defense contractors, and dating apps—rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit Electronic Privacy Information Center.
Researchers at EPIC audited the opt-out processes of 38 major data companies and documented at least eight distinct categories of manipulative design: Opt-out forms that don't actually let users opt out of the sale of their data. Links that are buried in fine print and missing from homepages. Consumers routed through multiple separate forms to complete a single request. And requirements that users create accounts or pay for subscriptions before opting out at all, among others.
“Manipulative design has no place in opt-out requests,” EPIC says. “Companies must design opt-out processes with respect toward consumers’ rights, and if they do not, regulators at the state and federal level should step in to defend consumer rights to opt out.”
Major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. OpenAI's form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to “remove personal information from ChatGPT responses,” which EPIC says is a filter on the chatbot's output, not the removal of any underlying data.
EPIC frames opt-out failures as a safety issue, pointing to, among others, the case of Vance Boelter, the man charged with murdering Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors say Boelter used people-search data brokers to locate his targets’ home address.
EPIC's researchers found that the people-search brokers they audited—Spokeo, Whitepages, and National Public Data—do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person's information in the future. Spokeo tells consumers directly that their information “may reappear on Spokeo in the future without notice” and instructs them to “regularly check” the site for new listings.
The EPIC report notes that abusive individuals have for decades used commercially available data and technology to locate, harass, and assault their targets, with women, women of color, and LGBTQ+ people bearing the brunt. The report cites a separate EPIC analysis from December 2025 on the use of data brokers against domestic violence survivors, and another on threats to public officials at every level of government. For people in those categories, the report argues, the opt-out is often the only mechanism available to remove a home address from circulation before someone shows up at the door.
“Many people may need to remove their information from Spokeo for safety reasons, such as domestic violence survivors or public officials and their families,” the report says.
The Whitepages opt-out process requires consumers to submit URLs for every listing of themselves on the site—but full reports are gated behind a paid Whitepages Premium subscription, meaning people may have to pay the broker to find the information they need in order to opt out of it. Four other companies, including Bumble, default users into data sharing through preselected toggles, researchers found. On Bumble, the “Do Not Sell” option is styled to look selected by default, when in fact it is the option a user must click to opt out.
EPIC's researchers were unable to locate an opt-out process at all on Meta, X, OpenAI, and Tinder without first logging in. And HireVue and the surveillance vendor DataTrust frame their opt-out instructions as available only to California residents, even though 20 other states have passed laws granting opt-out rights.
Palantir, the defense and intelligence contractor, provides a privacy form on its website but does not include an option to opt out of the sale or sharing of personal data—the same finding EPIC documented for TikTok, Amazon, and the gunfire-detection vendor SoundThinking. Palantir also does not clearly link the form from its homepage or its privacy policy, and the researchers were unable to locate any opt-out process on Palantir's site, Meta, X, OpenAI, or Tinder without logging in first.
Amazon disputed the finding. Adam Montgomery, a company spokesperson, says that Amazon does not sell customer personal information, and therefore customers are opted out by default. Opt-out options for data sharing are available through its “Your Ads Privacy Choices” and “Advertising Preferences” pages, and through privacy settings on most Amazon devices. Montgomery says Amazon does not use the word “share” in its opt-out options, but said the options cover the same uses defined by applicable law.
Shane Bauer, a spokesperson for OpenAI, says the company does not sell user data, though it does acknowledge sharing limited data with marketing partners for targeted and cross-context behavioral advertising. “We give people straightforward ways to control how their data is used directly in our apps, so those choices are easy to make right where people are using our services,” Bauer says. “Our Privacy Portal is another way for people to submit privacy requests, including individuals who don’t have an OpenAI account but still want to exercise their privacy rights. We think giving users multiple ways to exercise their rights is a good thing.”
A HireVue spokesperson disputes EPIC’s findings on scope, saying the company’s public privacy policy applies only to people who visit its marketing website, not to job applicants, whose data is processed through HireVue’s HR platform under consent controls configured by each employer. The company did not address EPIC’s finding that its public-facing policy directs opt-out instructions only to California residents.
Jerome Filip, a spokesperson for SoundThinking, says the company’s opt-out forms can be found at the bottom of its privacy policy page, along with a customer help phone number.
A Palantir spokesperson tells WIRED that the surveillance technology vendor had been erroneously included in the report alongside data brokers. “Palantir is not a data-collection or data mining company. We do not collect, sell, or buy personal data. We are a software company. We integrate our customers' existing data sets,” the company said. The spokesperson adds that Palantir's website offers standard cookie opt-out options and a privacy statement allowing individuals to exercise their privacy rights, and said the findings did not reflect the work of a data collection company.
Spokeo disputed the characterization of its opt-out process. A spokesperson says the company accepts opt-out requests from residents of any state through multiple channels, and that the URL-based method is preferred because it allows consumers to identify which specific listings contain their information. Once a listing is opted out, the spokesperson says, Spokeo does not sell that information and attempts to apply the request to any future data it receives about that consumer. Spokeo did not address EPIC's finding that its own opt-out page warns consumers their information may reappear on the site in the future without notice.
Google, Meta, Whitepages, National Public Data, Bumble, X, DataTrust, TikTok, did not respond to requests for comment. Tinder acknowledged the inquiry but did not immediately provide a statement.
“Consumers cannot effectively protect their own privacy by exercising opt-out rights,” EPIC says. Even a perfectly designed process—no buried links, no preselected toggles, no paywalls—would still require people to find and submit a request to every company that holds, sells, or transfers their data. The real remedy, EPIC concludes, is not better forms but less collection: rules that bar companies from gathering personal information they never needed in the first place.
Updated 9:45, 10:00, and 10:15 am ET, May 20, 2026: Added comment from Palantir and Spokeo, and updated attribution of SoundThinking and HireVue's statements, which were provided by intermediaries who clarified those details post-publication.
Source: Wired
.jpg)
