- What: Report finds data brokers and AI firms use manipulative opt-out forms
- Impact: Users face difficulty in opting out of data collection
Dell Cameron, Security, May 20, 2026 5:00 AM

Data Brokers’ and AI Firms’ Opt-Out Forms Are Built to Fail, Report Finds

A new study finds AI companies, defense firms, and dating apps are among 38 data collectors allegedly using manipulative design to confuse users while collecting their data.

Some of the largest data-collecting companies in the United States—including major AI vendors, data brokers, defense contractors, and dating apps—rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit Electronic Privacy Information Center.

Researchers at EPIC audited the opt-out processes of 38 major data companies and documented at least eight distinct categories of manipulative design: Opt-out forms that don't actually let users opt out of the sale of their data. Links that are buried in fine print and missing from homepages. Consumers routed through multiple separate forms to complete a single request. And requirements that users create accounts or pay for subscriptions before opting out at all, among others.

“Manipulative design has no place in opt-out requests,” EPIC says. “Companies must design opt-out processes with respect toward consumers’ rights, and if they do not, regulators at the state and federal level should step in to defend consumer rights to opt out.”

Major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link their opt-out forms from their homepages or privacy policies, according to the report, and several require consumers to submit multiple separate forms to complete a single request. OpenAI's form, when a consumer finds it, does not offer a way to opt out of the sale or transfer of personal data. What it offers instead is an option to “remove personal information from ChatGPT responses,” which EPIC says is a filter on the chatbot's output, not the removal of any underlying data.

EPIC frames opt-out failures as a safety issue, pointing to, among others, the case of Vance Boelter, the man charged with murdering Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors say Boelter used people-search data brokers to locate his targets’ home address.

EPIC's researchers found that the people-search brokers they audited—Spokeo, Whitepages, and National Public Data—do not offer consumers a way to opt out of the sale or transfer of their data at all. Instead, the companies offer a process for removing individual listings by URL, one at a time, with no commitment to stop selling that same person's information in the future. Spokeo tells consumers directly that their information “may reappear on Spokeo in the future without notice” and instructs them to “regularly check” the site for new listings.

The EPIC report notes that abusive individuals have for decades used commercially available data and technology to locate, harass, and assault their targets, with women, women of color, and LGBTQ+ people bearing the brunt. The report cites a separate EPIC analysis from December 2025 on the use of data brokers against domestic violence survivors, and another on threats to public officials at every level of government. For people in those categories, the report argues, the opt-out is often the only mechanism available to remove a home address from circulation before someone shows up at the door.

“Many people may need to remove their information from Spokeo for safety reasons, such as domestic violence survivors or public officials and their families,” the report says.

The Whitepages opt-out process requires consumers to submit URLs for every listing of themselves on the site—but full reports are gated behind a paid Whitepages Premium subscription, meaning people may have to pay the broker to find the information they need in order to opt out of it.

Four other companies, including Bumble, default users into data sharing through preselected toggles, researchers found. On Bumble, the “Do Not Sell” option is styled to look selected by default, when in fact it is the option a user must click to opt out.

EPIC's researchers were unable to locate an opt-out process at all on Meta, X, OpenAI, and Tinder without first logging in. And HireVue and the surveillance vendor DataTrust frame their opt-out instructions as available only to California residents, even though 20 other states have passed laws granting opt-out rights.

Palantir, the defense and intelligence contractor, provides a privacy form on its website but does not include an option to opt out of the sale or sharing of personal data—the same finding EPIC documented for TikTok, Amazon, and the gunfire-detection vendor SoundThinking. Palantir also does not clearly link the form from its homepage or its privacy policy, and the researchers were unable to locate any opt-out process on Palantir's site, Meta, X, OpenAI, or Tinder without logging in first.

Amazon disputed the finding. Adam Montgomery, a company spokesperson, says that Amazon does not sell customer personal information, and therefore customers are opted out by default. Opt-out options for data sharing are available through its “Your Ads Privacy Choices” and “Advertising Preferences” pages, and through privacy settings on most Amazon devices. Montgomery says Amazon does not use the word “share” in its opt-out options, but says the options cover the same uses defined by applicable law.

Shane Bauer, a spokesperson for OpenAI, says the company does not sell user data, though it does acknowledge sharing limited data with marketing partners for targeted and cross-context behavioral advertising. “We give people straightforward ways to control how their data is used directly in our apps, so those choices are easy to make right where people are using our services,” Bauer says. “Our Privacy Portal is another way for people to submit privacy requests, including individuals who don’t have an OpenAI account but still want to exercise their privacy rights. We think giving users multiple ways to exercise their rights is a good thing.”

Jackie Quintana, a HireVue spokesperson, disputes EPIC’s findings on scope, saying the company’s public privacy policy applies only to people who visit its marketing website, not to job applicants, whose data is processed through HireVue’s HR platform under consent controls configured by each employer. The company did not address EPIC’s finding that its public-facing policy directs opt-out instructions only to California residents.

John Fisher, a spokesperson for SoundThinking, says the company’s opt-out forms can be found at the bottom of its privacy policy page, along with a customer help phone number.

Google, Meta, Spokeo, Whitepages, National Public Data, Bumble, X, DataTrust, Palantir, and TikTok did not respond to requests for comment. Tinder acknowledged the inquiry but did not immediately provide a statement.

“Consumers cannot effectively protect their own privacy by exercising opt-out rights,” EPIC says. Even a perfectly designed process—no buried links, no preselected toggles, no paywalls—would still require people to find and submit a request to every company that holds, sells, or transfers their data. The real remedy, EPIC concludes, is not better forms but less collection: rules that bar companies from gathering personal information they never needed in the first place.
Dell Cameron is an investigative reporter from Texas covering privacy and national security. He's the recipient of multiple Society of Professional Journalists awards and is co-recipient of an Edward R. Murrow Award for Investigative Reporting. Previously, he was a senior reporter at Gizmodo and a staff writer for the Daily ...