Digitized outline of the state of California framed by ones and zeros.

In March, California announced new rules for companies subject to the California Consumer Privacy Act. They bar companies from using "dark patterns" on their websites that can confuse a consumer trying to opt out of the sale of their personal information. The rules also make it easier for people to ask a third party to help submit such requests. These are among a number of rules CR has urged the state (PDF) to adopt. This article was originally published on Feb. 4, 2021.


A new Consumer Reports study found that there are big barriers to overcome before new services can start helping California residents opt out of data sharing under the California Consumer Privacy Act, a landmark law that went into effect Jan. 1, 2020.

The CCPA gives Californians several new rights over the information that private companies collect and store. Under the state law, consumers can tell companies to stop selling their personal information, to supply the consumer with a copy of the information, or to delete it altogether. The law also says that residents can ask a third party, or “authorized agent,” to help them exercise those rights by contacting data-holding companies on their behalf.

That’s the aspect of the CCPA that CR’s new study explores. The authorized agent provision is supposed to address a hurdle consumers face if they want to flex their rights to limit the way personal information is collected and used: Hundreds of companies may hold data about you, and it would be almost impossible for an individual to find and contact every company one by one.

More on Privacy

The ability to tell scads of companies how to handle your data with a single click would be a privacy superpower, consumer advocates say. But so far, no one has built a foolproof authorized agent. “Consumers should be able to protect their privacy in a single step—it’s not workable to contact thousands of companies one by one,” says CR policy analyst Maureen Mahoney, who helped conduct CR’s new research. “Companies are making it too difficult right now, which is holding consumers back from effectively controlling their personal data.”

One company that has been trying to act as an authorized agent is called DoNotPay. Its founder, Joshua Browder, has made a business of helping consumers navigate bureaucracy: His app helps people do things like contest parking tickets or get refunds from airlines with a few clicks. Last year, he added CCPA requests to the list—but immediately ran into some hurdles. Conveying opt-out requests to companies often involves navigating twisting, obstacle-filled processes.

“It’s been a huge challenge,” Browder tells CR. “Every day it’s like an arms race.” Many companies do their best to comply with DoNotPay’s requests on behalf of consumers, but other companies “don’t want to deal with these requests,” he says.

Hurdles and the Silent Treatment

The Consumer Reports study was launched last October, when CR researchers acted as an intermediary between 124 consumers in California and 21 large companies that deal in personal information—a mix of familiar names like Airbnb and Starbucks plus behind-the-scenes data brokers, including Equifax, LiveRamp, and Oracle. In the study, Consumer Reports acted as an authorized agent for participants, asking the companies to stop selling their personal data to other companies. 

CR researchers manually submitted opt-out requests for volunteers, sending requests from 10 participants to each company. That was a laborious process that was fine for conducting a study like this. But to really work for hundreds of thousands or millions of individuals, the researchers say, the process would likely need to be automated.

The researchers encountered some sort of barrier with almost all 21 companies. Some provided only vague or incomplete information on their websites about how either an individual or an authorized agent could make an opt-out request. Others asserted that they weren’t covered by the part of the CCPA that allows consumers to opt out of data sales. And a few companies never acknowledged any of several messages that CR made on behalf of consumers.

“We were surprised at how challenging it is to send requests and get reliable follow-up from companies,” says Ginny Fahs, one of the researchers behind the CR study, which was published Thursday. “As a consumer, you’d hope that working through an agent would be a reliable process.”

In one case, a major data broker’s website sent researchers ping-ponging from page to page in search of the right way to submit opt-out requests on behalf of a consumer. In the end, CR ended up submitting the requests to the company, Acxiom, by mail. (Note: Consumer Reports works with Acxiom, LiveRamp, and other companies for marketing purposes.)

And when CR researchers couldn’t access an online system for making privacy requests to Intuit, the company behind Mint and TurboTax, they sent a message to an email address for the company’s North America privacy office. The company replied, saying that CR had reached the wrong address and that it would “not respond to any further emails coming directly from” the researchers.

“Few companies were willing and able to provide useful information to make sure these opt-outs were processed effectively,” says CR’s Mahoney. “There was almost no help or recourse if the agent or consumer ran into trouble, and this seriously interfered with our efforts to help consumers protect their privacy.”

Some Companies Made Fixes

After CR researchers followed up with Acxiom to discuss the results, the company fixed its process for submitting authorized agent requests, and said it had honored the mailed requests. And three other data brokers—Brandwatch, LiveRamp, and Oracle—similarly fixed broken links and addressed similar issues after CR notified them about the problems.

However, five companies said they would not complete CR’s requests at all. These companies argued that the opt-out provision doesn’t apply to them because they don’t sell personal data for money. Amazon, for example, said it “is not in the business of selling our customers’ personal information.”

In a statement, an Amazon spokesperson said the company complies “fully” with the CCPA. “Our advertising system does not rely on selling customers’ personal information in order to deliver ads,” the company said. Amazon has a separate page where consumers can opt out of targeted advertising.

The statement highlights a gray area in the California law. Amazon does share some information with advertisers to help them target ads to individual customers, according to the company’s privacy policy. Consumer advocates argue that this is a situation that the CCPA was meant to address, even if the transaction between companies doesn’t involve an outright sale. But California Attorney General Xavier Becerra hasn’t told such companies they have to comply.

Proposition 24, a privacy-focused California ballot measure that passed in November, clears up the confusion. Once those rules come into force in 2023, companies that share consumer data for advertising will have to respond to opt-out requests, too.

How to Go It Alone—for Now

For now, DoNotPay is one of just a handful of companies that help consumers blast out CCPA requests. Others include Confidently and PrivacyBee.

But if you’re a California resident, you can always make individual requests to companies. A CR study last summer showed that many consumers found it very hard to make those requests, but consumer advocates say that some companies have improved since then. Here’s a crowdsourced list of opt-out links and contact email addresses for dozens of prominent companies, which you can use to tell companies to give you a copy of your data, delete your data, or stop selling it to other companies.

And if you run into unreasonable roadblocks, you can report them to the California attorney general. The attorney general’s office has already sent warnings to “numerous” companies, according to a spokesperson.

But if consumers are going to be able to take advantage of authorized agents to make requests to large numbers of companies, advocates say, the attorney general must step in more aggressively.

CR advocates sent a list of policy recommendations to the attorney general on Thursday, urging his office to go after companies that fail to follow the CCPA’s rules permitting authorized agents to submit requests on behalf of Californians, and to require companies to tell agents when they’ve completed a request—rather than leave the agent hanging, as several companies routinely did in CR’s study.

The state should also clarify that sharing personal information for the purpose of targeted advertising—like Amazon and Intuit do—is covered by the CCPA, CR said, rather than waiting for the next round of rules in 2023. (Consumer Reports is circulating a petition asking California’s attorney general to take action.)

Despite the hurdles, the volunteers in CR’s research project reported high levels of satisfaction with their ability to delegate opt-out requests to a third party. “That tells us that authorized agents are a great solution,” says CR’s Fahs.

The next big step, once companies have fixed problems like those that CR identified, is to automate the process so that it can expand to cover hundreds of companies, Fahs says. “A future is coming where the process will be quite easy.”

Correction: A previous version of this article said that Intuit's privacy office did not provide CR researchers with alternative contact information for filing authorized agent requests. The company did provide a customer service phone number, which was unable to answer CR's questions or help with the request.

This article, originally published Feb. 04, 2021, has also been updated with information from Amazon on opting out of targeted advertising.