
You have a right to delete your data. Some companies are making it extra difficult

A graphic showing a magnifying glass over data pop up windows is shown in this undated illustration.
Gabriel Hongsdusit / CalMatters

This story was originally published by CalMatters. Sign up for their newsletters.

Data brokers are required by California law to provide ways for consumers to request their data be deleted. But good luck finding them.

More than 30 of the companies, which collect and sell consumers’ personal information, hid their deletion instructions from Google, according to a review by The Markup and CalMatters of hundreds of broker websites. This creates one more obstacle for consumers who want to delete their data.


Many of the pages containing the instructions, listed in an official state registry, use code to tell search engines to remove the page entirely from search results. Popular tools like Google and Bing respect the code by excluding pages when responding to users.

Data brokers nationwide must register in California under the state’s Consumer Privacy Act, which allows Californians to request that their information be removed, that it not be sold, or that they get access to it.

After reviewing the websites of all 499 data brokers registered with the state, we found 35 had code to stop certain pages from showing up in searches.
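The story does not name the code it found. The Python example below is added here for illustration and is not The Markup and CalMatters' review code; it assumes the code is the standard `noindex` robots directive, which a page can carry in a `<meta>` tag or an `X-Robots-Tag` response header, and checks a page for either. The sample pages are constructed.

```python
from html.parser import HTMLParser

# Crawler names whose <meta> tags are honoured like the generic "robots" tag.
CRAWLER_NAMES = {"robots", "googlebot", "bingbot"}
# "none" is shorthand for "noindex, nofollow".
HIDING_DIRECTIVES = {"noindex", "none"}

# Constructed sample pages (not taken from any real broker site).
OPT_OUT_HIDDEN = '<head><meta name="ROBOTS" content="NoIndex, nofollow"></head>Delete my data'
OPT_OUT_VISIBLE = '<head><meta name="robots" content="index, follow"></head>Delete my data'


def _split(value):
    """'NoIndex, nofollow' -> {'noindex', 'nofollow'}"""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


class _RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        # Only robots-style meta tags count; a description that merely
        # mentions "noindex" must not be flagged.
        if a.get("name", "").strip().lower() in CRAWLER_NAMES:
            self.directives |= _split(a.get("content", ""))


def header_directives(headers):
    """Directives from X-Robots-Tag headers, dropping a 'googlebot:' style prefix."""
    found = set()
    for name, value in headers:
        if name.lower() != "x-robots-tag":
            continue
        for token in _split(value):
            agent, sep, rest = token.partition(":")
            found.add(rest.strip() if sep and agent in CRAWLER_NAMES else token)
    return found


def hidden_from_search(html, headers=()):
    """True if the page asks search engines not to index it."""
    parser = _RobotsMeta()
    parser.feed(html)
    return bool((parser.directives | header_directives(headers)) & HIDING_DIRECTIVES)
```

Pass the response headers as `(name, value)` pairs along with the body, since a page with clean HTML can still be excluded by the header alone.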

While those companies might be fulfilling the letter of the law by providing a page consumers can use to delete their data, it means little if those consumers can’t find the page, according to Matthew Schwartz, a policy analyst at Consumer Reports who studies the California law governing data brokers and other privacy issues.

“This sounds to me like a clever work around to make it as hard as possible for consumers to find it,” Schwartz said.


After The Markup and CalMatters contacted the data brokers, seven said they would review the code on their websites or remove it entirely, and another two said they had independently deleted the code before being contacted. The Markup and CalMatters confirmed eight of the nine companies removed the code.

Two companies said they added the code intentionally to avoid spam at the recommendation of experts and would not change it. The other 24 companies didn’t respond to a request for comment; however, three removed the code after The Markup and CalMatters contacted them.

(See the data on our GitHub repo.)

Most of the companies that did respond said they were unaware the code was on their pages.

“The presence of the [code] on our opt-out page was indeed an oversight and not intentional,” May Haddad, a spokesperson for data company FourthWall, said in an emailed response. “Our team promptly rectified the issue upon being informed. As a standard practice, all critical pages—including opt-out and privacy pages—are intended to be indexed by default to ensure maximum visibility and accessibility.” The Markup and CalMatters confirmed that the code had been removed as of July 31.

Some companies that hid their privacy instructions from search engines included a small link at the bottom of their homepage. Accessing it often required scrolling multiple screens, dismissing pop-ups for cookie permissions and newsletter sign-ups and then finding a link that was a fraction the size of other text on the page.

So consumers still faced a serious hurdle when trying to get their information deleted.

Take the simple opt-out form for ipapi, a service offered by Kloudend, Inc that finds the physical locations of internet visitors based on their IP addresses. People can go to the company’s website to request that the company “Do Not Sell” their personal data or to invoke their “Right to Delete” it — but they would have had trouble finding the form, since it contained code excluding it from search results. A spokesperson for Kloudend described the code as an “oversight” and said the page had been changed to be visible to search engines; The Markup and CalMatters confirmed that the code had been removed as of July 31.

Telesign, a company that advertises fraud-prevention services for businesses, offers a simple form for “Data Deletion” and “Opt Out / Do Not Sell”. But that form is hidden from search engines and other automated systems, and isn’t linked on its homepage.

Instead, consumers must search about 7,000 words into a privacy policy filled with legalese to find a link to the page.

A spokesperson for Telesign didn’t respond to a request for comment.

Five of the pages listed in the California registry not only aren’t indexed for search, but don’t exist. For example, a company called BrightCheck, which offers “AI-driven identity verification,” lists a privacy instructions page on the California registry. But when The Markup and CalMatters visited the page in late July, we found a notice that the page no longer exists. The page was there on March 18 when The Markup and CalMatters first scanned the site, and the Wayback Machine has an archive of the page from February 14.

BrightCheck didn’t respond to a request for comment.

The CCPA

The California Consumer Privacy Act went into effect in 2020, governing companies that make most of their revenue from selling consumer data, or who make more than $25 million per year or handle the data of more than 100,000 people in the state. With no comprehensive federal privacy law, the law is among the few regulations data brokers must comply with.

California’s most recent broker database lists nearly 500 companies, most of which consumers have likely never heard of. They include businesses with zippy start-up names like StatSocial and UpLead, and offer everything from email marketing tools to contact directories. CalMatters last year published a guide with information on how consumers can exercise their rights using the database or third-party tools and on how they can request deletion of their children’s information.

Tom Kemp, executive director of the entity tasked with enforcing the privacy law, the California Privacy Protection Agency, said in an interview that the agency had reproduced The Markup and CalMatters’ findings. While he declined to comment on any particular company’s practices, he pointed to an enforcement advisory from the agency on “dark patterns,” which are design choices that have “the substantial effect of subverting or impairing a consumer’s autonomy, decisionmaking, or choice.”

If a company makes it much more difficult to choose to remove their personal data than to contribute it, or includes excessive jargon or other hurdles for consumers to jump through to remove it, according to the advisory, they might be violating the law.

This year, the privacy agency has taken enforcement action against companies including Todd Snyder and Honda for, among other violations, making it too difficult to choose to not have their data used. Todd Snyder paid a nearly $350,000 fine this year, while Honda agreed to pay more than $630,000. Both agreed to overhaul their privacy practices.

Kemp said that, when determining whether a company has violated the privacy act, it’s important to determine whether there’s a pattern of activity making it difficult for consumers to exercise their rights. Hiding a privacy instructions page could be the first “thread” in determining whether a company is shirking their obligations.

In the past, other companies have been criticized for hiding important web pages from search engines. In 2019, ProPublica revealed how the company behind tax filing service TurboTax added code to effectively hide an option for users to file their taxes for free. A 2021 report from the Wall Street Journal found that hospitals were hiding prices they were required to post under federal transparency rules.

Recognizing that most Californians have never heard of the hundreds of companies in the data broker registry, lawmakers in California recently passed the Delete Act. The law will create a system called the Delete Request and Opt-out Platform, or DROP, which will allow consumers in California to send a single, legally binding request to all data brokers on the registry at one time. The privacy protection agency intends to launch it next year.
