California's new privacy law, which took effect in January, requires companies to allow state residents to opt out of the sale of their personal data.
But in practice, many consumers have trouble doing so -- often because they can't find the opt-out links, or the procedure is burdensome, or the companies simply aren't complying with the law -- according to a new study by Consumer Reports.
The California Consumer Privacy Act's opt-out approach “is inherently flawed,” Consumer Reports writes. “It places substantial responsibility on consumers to identify the companies that collect and sell their information, and to submit requests to access it, delete it, or stop its sale.”
The organization adds: “Even when companies are making a good-faith effort to comply, the process can quickly become unmanageable for consumers who want to opt out of data sale by hundreds if not thousands of different companies.”
For the study, Consumer Reports recruited more than 400 California residents to test opt-out mechanisms for 214 of the companies listed on a registry of data brokers -- including ad-tech companies -- maintained by the California attorney general's office.
The companies' websites were tested by three different California residents in May and June.
California Attorney General Xavier Becerra didn't begin enforcing the law until July, but Justin Brookman, director of consumer privacy and technology at Consumer Reports, says that follow-up research by staff showed the situation hadn't changed after July.
“We're still seeing some of the same problems,” he says.
“The opt-out approach is just not manageable,” Brookman adds. “By default a lot of data sharing should just be prohibited.”
Overall, testers said they were dissatisfied with the opt-out process 52% of the time.
One of the most common obstacles to opting out was buried links. Among other mandates, the law requires sites to place a do-not-sell link on their home pages.
But for more than four in 10 of the sites tested (42.5%), at least one of the three testers couldn't find a do-not-sell link, according to the report.
Additionally, even testers who found the do-not-sell links didn't always succeed in opting out, because they found the procedure too burdensome.
For instance, some companies asked people to send in a photo of a government ID, or a selfie, or provide an identifier, such as Apple's “identifier for advertisers” -- an alphanumeric string tied to people's mobile devices.
“The overwhelming reason for a consumer to refrain from part of a [do-not-sell] request process, or give up all together, was not feeling comfortable providing information requested,” the report states. “For example, nearly all consumers declined to provide a photo in order to process their opt-out requests. Out of 7 instances in which consumers reported that they were asked to provide a photo selfie, in 6 the consumer declined.”
At least one data broker added the person who was attempting to opt out to a marketing list, according to the study.
The report also found that testers who followed the opt-out procedures often didn't know whether they had succeeded, because companies aren't required to notify consumers about the status of their requests.
Consumer Reports is calling on the Attorney General to “vigorously” enforce the privacy law.
“Our study showed that a few improvements would go a long way,” the report states. “For example, it was significantly easier to opt out of a data broker site when the company had a link clearly labeled ‘Do Not Sell My Personal Information’ that took consumers directly to the interactive form.”
The report also says consumers need access to browser-based do-not-sell signals. Regulations promulgated by Attorney General Xavier Becerra require companies to honor browser-based “do not sell” commands. Currently, some browser developers offer “do-not-track” signals, but people who activate those signals don't necessarily communicate that they don't want their data “sold,” as that term is defined by the California law.