The Consumer Reports study was launched last October, when CR researchers acted as an intermediary between 124 consumers in California and 21 large companies that deal in personal information—a mix of familiar names like Airbnb and Starbucks plus behind-the-scenes data brokers including Equifax, LiveRamp, and Oracle. In the study, Consumer Reports acted as an authorized agent for participants, asking the companies to stop selling their personal data to other companies.
CR researchers manually submitted opt-out requests for volunteers, sending requests from 10 participants to each company. That was a laborious process that was fine for conducting a study like this. But to really work for hundreds of thousands or millions of individuals, the researchers say, the process would likely need to be automated.
The researchers encountered some sort of barrier with almost all 21 companies. Some provided only vague or incomplete information on their websites about how either an individual or an authorized agent could make an opt-out request. Others asserted that they weren’t covered by the part of the CCPA that allows consumers to opt out of data sales. And a few companies never acknowledged any of several messages that CR made on behalf of consumers.
“We were surprised at how challenging it is to send requests and get reliable follow-up from companies,” says Ginny Fahs, one of the researchers behind the CR study, which was published Thursday. “As a consumer, you’d hope that working through an agent would be a reliable process.”
In one case, a major data broker’s website sent researchers ping-ponging from page to page in search of the right way to submit opt-out requests on behalf of a consumer. In the end, CR ended up submitting the requests to the company, Acxiom, by mail. (Note: Consumer Reports works with Acxiom, LiveRamp, and other companies for marketing purposes.)
And when CR researchers couldn’t access an online system for making privacy requests to Intuit, the company behind Mint and TurboTax, they sent a message to an email address for the company’s North America privacy office. The company replied, saying that CR had reached the wrong address and that it would “not respond to any further emails coming directly from” the researchers.
“Few companies were willing and able to provide useful information to make sure these opt-outs were processed effectively,” says CR’s Mahoney. “There was almost no help or recourse if the agent or consumer ran into trouble, and this seriously interfered with our efforts to help consumers protect their privacy.”