A recent report has unveiled that some of the largest data collection companies in the United States, including AI firms and defense contractors, rely on misleading methods to keep consumers away from opting out of selling and sharing their personal information. This was highlighted in a study conducted by the Electronic Privacy Information Center (EPIC).
Researchers at EPIC audited the opt-out processes of 38 major data collection companies and identified at least eight distinct categories of misleading designs. Among these tactics are opt-out forms that do not actually allow users to withdraw from the sale of their data, links buried in small text that are not present on the main pages, and directing consumers through multiple forms to complete a single request.
Details of the Findings
The report states that major companies offering large language models, such as Google, Meta, and OpenAI, fail to clearly link opt-out forms from their homepages or privacy policies. Moreover, many of these companies require consumers to submit multiple separate forms to complete a single request. For instance, the OpenAI form, when located, does not provide a means to opt out of the sale or transfer of personal data but offers an option to "remove personal information from ChatGPT responses," which EPIC considers merely a filter on the bot's outputs, not a removal of the underlying data.
EPIC views the failure of opt-out processes as a safety issue, citing the case of Vance Polter, the man accused of killing Minnesota state representative Melissa Hortman and her husband Mark in June 2025. Prosecutors allege that Polter used data from people search brokers to pinpoint their home address.
Background & Context
Reports indicate that abusive individuals have used commercially available data and technology for decades to locate their victims, with women, people of color, and LGBTQ+ individuals bearing the brunt of this issue. The report references a separate analysis by EPIC in December 2025 regarding the use of data brokers against survivors of domestic violence, as well as another concerning threats faced by public officials at all levels of government.
For individuals in these categories, opting out is often the only means available to remove their home address from circulation before someone shows up at their door. The report emphasizes that many individuals may need to remove their information from sites like Spokeo for safety reasons, such as survivors of domestic violence or public officials and their families.
Impact & Consequences
The findings demonstrate that opaque opt-out processes hinder consumers' ability to protect their privacy. Even if the process were perfectly designed, it would still require individuals to locate and submit requests to each company that holds, sells, or transfers their data. EPIC concludes that the real remedy is not improving forms but reducing data collection: regulations that prevent companies from collecting personal information that they do not need in the first place.
This issue requires urgent attention from regulators at both the federal and state levels, as regulatory bodies must intervene to defend consumers' rights to opt out. There is also an urgent need to develop legislation that ensures the protection of individuals' data and prevents its exploitation.
Regional Significance
In the Arab region, this issue highlights the importance of protecting personal data amid the increasing use of digital technology. As reliance on digital applications and services grows, it becomes essential for Arab countries to adopt legislation that safeguards individuals' privacy and ensures their rights to control their data. Public awareness regarding these issues must also increase, especially in light of potential threats individuals may face in cases of violence or security threats.
In conclusion, there must be joint efforts between governments and civil society to ensure the protection of personal data and to enhance individuals' rights in the digital world.