California's New Privacy Rights Are Tough to Use, Consumer Reports Study Finds

A mouse cursor sitting next to the entrance a digital maze. Illustration: Consumer Reports, iStock

In March 2021, California announced new rules for companies subject to the California Consumer Privacy Act. They bar companies from using "dark patterns" on their websites that can confuse a consumer trying to opt out of the sale of their personal information. The rules also make it easier for people to ask a third party to help submit such requests. These are among a number of rules CR has urged the state (PDF) to adopt. This article was originally published on Oct. 1, 2020.

  • The CCPA is supposed to make it easy for California residents to opt out of having their data shared or sold by companies.
  • Often, however, companies don’t have opt-out links on their home page, as the law requires.
  • In some cases, the companies ask people to provide additional, sensitive data before processing their request.

When Sharon Updike set out in June to ask a data broker to stop selling her personal data to other companies, she didn’t expect a scavenger hunt.

But the company—a small business called EVS7 that’s based in Texas and sells people’s phone numbers to advertisers—didn’t have an opt-out link on its home page, as required by a landmark California law that governs companies that trade in state residents’ personal information.

Instead, to opt out you were supposed to dive into the company’s privacy policy, then find a link to a separate page just for California residents. There, among the paragraphs of legalese, consumers were instructed to contact the company by phone or a sales email address.

More on Privacy

Updike, who lives near Los Angeles, is one of 500-plus California volunteers in a monthslong Consumer Reports study (PDF) of how the California Consumer Privacy Act is shaping up. The law, which went into effect on Jan. 1, 2020, is considered the strongest set of data privacy protections in the country, and could become a model for federal or other state legislation.

Updike couldn’t find the buried opt-out page, so she sent a message via the company’s contact form asking it to stop selling her information. The company’s president, Richard Hardgrave, responded two days later. “To verify which Sharon Updike that you are, we now need you to send us an AFFIDAVIT [sic] that has been signed by you and notarized,” he wrote.

Updike was aghast. “Can’t I simply give you my address?” she responded by email. “Surely you can discern which Sharon Updike I am if I give you my address.” Hardgrave agreed to remove Updike’s information without further documentation. The company never confirmed to her that it had done so, but Hardgrave later told Consumer Reports that EVS7 did quickly delete Updike’s personal data, as he’d promised.

Updike thanked Hardgrave for “being a reasonable person.” But still, the drawn-out exchange didn’t exactly feel like flexing a simple legal right. “It was extremely difficult,” the retired credit union CEO later told CR.

Opt-Out Process Slow, Sometimes Broken

Updike’s experience wasn’t unusual. When study participants tried to exercise their right to opt out of the sale of their personal data, they found enormous variation in how companies handled the requests. The 214 companies that participants contacted were all data brokers registered with the state of California.

With some companies, opting out was a walk in the park: Study participants clicked on prominent links on company home pages that read “Do not sell my data,” filled out a short form, and were quickly emailed a confirmation that the company would make good on the request. Or they just toggled a switch and the deed was done.

But for most, the process was slow, confusing, frustrating—or downright impossible to navigate.

Consumers Are Left Hanging
. . . of the time, study participants either didn’t know whether their opt-out request was successful, or say they weren’t able to make the request at all. And only in 18 percent of requests did participants report receiving a confirmation from the broker that their data would not be sold in the future.

Some study participants encountered complex processes that took a long time to untangle. Others were asked to accept website cookies or download a special app to submit their request. And 24 of the 214 companies CR studied didn’t have the legally required opt-out link on their home page at all.

"We were blown away by how complicated some of the opt-out processes were, especially since consumers have to submit opt-out requests to every company that collects data about them to fully protect their privacy,” says CR policy analyst Maureen Mahoney, who directed the study.

“Companies should make it easier, not harder, for consumers to exercise their rights,” she says. “And policymakers need to put in place commonsense reforms to rein in data collection, use, and sharing by default—not leave it up to the consumer to ask hundreds of different companies to stop selling their data.”

A six-month grace period for companies ended in July, allowing California Attorney General Xavier Becerra to begin going after CCPA scofflaws. The attorney general’s office tells CR that it has sent out warning letters “in the double digits” to noncompliant companies in different industries. No CCPA-related investigation or lawsuit has yet been made public. The attorney general’s office declined to comment on whether warning letters had been sent to any of the companies where we found problems.

This November, Californians will vote on a new ballot initiative that would update the privacy law. Mahoney says the initiative would close some of the loopholes that the CR study identified but would also introduce ambiguities that could allow some companies to avoid offering consumers their privacy rights.

Hardgrave, the EVS7 president, says the CCPA is overly complex and difficult to comply with. “We thought we did everything right,” he says. According to Hardgrave, his company has received only about a dozen opt-out requests so far. “We will make it easier right away,” he says. (The company has now added a link to the home page.)

To Protect Your Data, Give Us More Data

Perhaps the most common hurdle the participants encountered was that companies asked them to provide sensitive personal information before processing an opt-out request. To get them to stop selling their data, participants had to supply far more of it. Beyond phone numbers, email addresses, and home addresses, some companies asked for government ID numbers or photos of the ID card, detailed identity verification questions from credit reports, and even selfies.

Many of CR’s study participants decided not to go through with an opt-out request because they didn’t want to provide this sensitive data.

“They wanted more information than they already had,” says Karen McCall, a former schoolteacher who lives in Vacaville. She ditched an opt-out request when the company asked her to take a selfie holding her driver’s license.

Du—a retiree who lives in San Jose and asked us to use only his first name to preserve his privacy—said that TransUnion, a major data broker, asked him to enter his birth date, his mother’s maiden name, and his Social Security number in order to submit his opt-out request.

“There was no way I was going to give that information away just to protect my data,” he tells CR. “If it’s going to be that burdensome—especially if you have to provide sensitive info—then who’s going to bother to do it?”

CR’s Mahoney says that these types of requests are inappropriate. The CCPA tells companies to verify consumers’ requests to access or delete their data—but it doesn’t say anything about verifying opt-out requests, according to Mahoney. Companies should weed out clearly fraudulent requests, but asking for a government ID is “not necessary and is freaking people out,” she says.

Obstacles Remain
. . . of the time, study participants either gave up on their opt-out request because of the hurdles they faced, or couldn’t figure out how to make a request at all.

Mahoney says that California residents are facing other hurdles, as well. When she made her own opt-out request to X-Mode, a location data broker, Mahoney received an emailed invitation to sign up for the company’s newsletter. The law tells companies not to use data gathered from these requests for marketing or any other purpose, she says, because consumers may be less likely to exercise their rights if they think it could result in unwanted emails.

X-Mode says it’s investigating Mahoney’s experience. “To ensure the clarity of our opt-out options for consumers, we have paused any outbound newsletter emails until we complete our internal review,” a spokesperson said. The company also pledged to provide “more streamlined and comprehensive opt-out options.”

CR study participants who submitted opt-out requests were often left hanging. Companies stated clearly that they would stop sharing consumer data in response to just 18 percent of the requests. In almost half the cases, participants were left without any clear indication of whether or not their request had been acted on—and 14 percent of the time, the volunteers gave up or weren’t able to see the request through.

Several of the California volunteers CR spoke with said that they were encouraged by the new rights afforded by the data privacy law and that they were eager to make the most of them to protect their privacy.

But many said the system seemed broken because of the obstacles many companies have erected.

“The process is just very onerous, and it puts a lot of the effort and the heavy lifting on the consumer,” says Yadi Younse, a political consultant who lives in Pasadena. “I don’t think it should have taken as long as it did, or required a consumer to jump through so many hoops, to get this done.”

Headshot of CRO author Kaveh Waddell

Kaveh Waddell

I'm an investigative journalist at CR's Digital Lab, covering algorithmic bias, misinformation, and technology-enabled abuses of power. In the past, I've reported for Axios and The Atlantic, and as a freelancer in Beirut. Outside work, I enjoy biking and hiking in and around San Francisco, where I live, and doing the crossword while cheating as little as possible. Find me on Twitter at @kavehwaddell.