Contact The Editor
Articles By This Author
Companies aren't trying very hard to give you control over your personal data. They may not even be complying with the law.
That's the conclusion from a Consumer Reports analysis released Tuesday. The nonprofit organization put to the test Americans' legal rights in about a dozen states to order websites not to sell or share personal information that the sites have collected.
Those opt-out demands limit companies from targeting you with sneaker ads or setting car insurance rates from what they learn about your habits. But Consumer Reports found companies that do not appear to be complying with your opt-outs.
The findings have limitations. But they suggest two shortcomings with data privacy rights:
• You're right to worry whether companies like 23andMe are deleting your personal information when you demand it. Compliance with data protection laws isn't assured.
• Privacy laws are meaningless if they're not enforced - and government watchdogs have generally not done so. It's as though people regularly blow past your neighborhood's speed limit, and the police aren't doing anything.
I'll explain Consumer Reports' analysis and suggest what might give us real privacy protections. Corporations helped shape state privacy laws to their liking, and we're now experiencing the fallout.
• How CR found companies apparently are not following the law
Consumer Reports conducted a clever experiment to test companies' compliance with privacy opt-out demands.
First, researchers used software to make it appear as though their computers were in California or Colorado.
Those states were chosen because their privacy laws make it clear that people can use a web browser or another helper to automatically order websites not to sell or share their personal information. Otherwise you might need to complete many privacy out-out forms.
(Even if your state doesn't have a broad privacy law, some national companies say they honor data privacy requests from all Americans.)
Then, testers mimicked shopping on about 40 relatively well-known websites. They pored over Ford car models and put American Eagle clothing items into digital shopping carts.
You're familiar with what typically happens next: Ads for those SUVs or jeans follow you around the internet. Ads targeted to products that you've browsed online can be the most visible manifestations of companies selling or sharing your data.
The Consumer Reports testers shouldn't have seen such targeted ads. They used a privacy helper, a browser add-on from Optery, to opt out of data sharing, as you're entitled to do under California and Colorado law.
It didn't work. Testers believed they still saw highly targeted ads for at least a dozen of the 40 websites.
They took that as a sign that companies including American Eagle, Macy's, Ford, Uniqlo and telehealth provider Hims & Hers didn't consistently comply with legally enforceable opt-out demands.
"It is highly suggestive that the business has either sold or shared their personal data for targeted advertising in contravention of the law," Consumer Reports concluded. Some previous research and privacy advocates have said the same thing.
Macy's said it didn't have enough details to comment on the Consumer Reports analysis, but it said the company is committed to complying with state laws. Ford said people can use opt-out demands as outlined in relevant state laws. Hims & Hers said it vets its compliance with privacy laws and that people can opt out of its targeted advertising.
American Eagle and Uniqlo didn't reply to requests for comment.
The analysis had limitations. Testers couldn't prove that targeted ads were the result of websites passing on information such as which T-shirts they browsed. It was probable but not definite.
Researchers also said that not seeing targeted ads wasn't necessarily proof that the websites had complied with their opt-out demands.
• Progress and flaws in your privacy rights
The findings suggest that a wave of state privacy protections passed since 2018 has promise but also flaws that may need adjustments. One underlying problem: After fierce corporate lobbying, laws made it difficult to exercise your privacy rights and were difficult to enforce.
In most states, attorneys general must investigate and sue companies if they believe they're not complying with their obligation to stop selling your data. But there haven't been many enforcement actions yet.
State laws are "a good start, but they need to be enforced appropriately in order to really live up to their potential," said Matt Schwartz, a Consumer Reports policy analyst and a report co-author.
There may be more attempts at making laws stick.
California's privacy regulator last month reached a settlement with Honda for making it too difficult to opt out of data sharing or sales. The Texas attorney general also recently sued Allstate and General Motors over alleged violations of state privacy law in selling information about people's driving habits without their consent.
GM declined to comment. Allstate referred to its court filing, which said people consent to the use of their data.
It's also worth discussing potential blueprints for stronger future privacy laws.
One model might be a long-standing Illinois privacy law, which bans collecting face scans and other "biometric" data without consent. State residents, not just the attorney general, can sue over claimed violations. The law was partly credited for Facebook's 2021 decision to turn off facial identification.
Consumer advocates also want more provisions like Maryland's 2024 privacy law, which limits how much data companies can collect and essentially bans targeted ads to people younger than 18. That shifts the responsibility for protecting personal information to companies rather than individuals.
• One tiny win
Even if companies don't always comply with demands to stop the sale and sharing of your personal data, making those demands is still worthwhile. When we exercise our legal rights, we show that they're important. Here are some options:
• Use web browsers from Brave, Firefox or DuckDuckGo. Those browsers can automatically send legally binding orders, depending on your state, telling websites you visit not to share or sell information about you.
• Or Privacy Badger, software you can download from the Electronic Frontier Foundation consumer advocacy group, does the same thing as the browsers. It works with Google Chrome, Firefox or Microsoft Edge. (EFF has said it's working on adding Privacy Badger for Apple's Safari.)
• Try the Permission Slip app from Consumer Reports. The app can do the leg work to opt you out of companies sharing and selling your data. The basics of Permission Slip are free but it has a subscription fee for additional services.
• Consider supporting stronger privacy laws in your state. There is no broad national law in the United States about data privacy, but 19 U.S. states now have wide-reaching laws protecting your online information. They're all imperfect, as I wrote above, but some of them are a good start. More state privacy laws are under consideration now.
(COMMENT, BELOW)