• by Wendy Davis  @wendyndavis, April 2, 2025

Popular retail sites often fail to honor consumers' requests to reject targeted advertising, when those requests are transmitted through a universal opt-out mechanism, a new study suggests.

For the study, researchers at Consumer Reports and Wesleyan University tested 40 sites operated by larger retailers, including American Eagle, Pottery Barn and Macy’s. Twelve of those sites apparently failed to honor opt-out requests that were sent through the Global Privacy Control -- a tool developed by privacy advocates that enables people to automatically send opt-out requests to every site they visit.

That result “corroborates previous research on the topic and strongly suggests that consumers’ personal information may continue to be at risk for unwanted disclosure even when they take the appropriate steps to protect themselves under state privacy laws,” the report states.

To conduct the study, researchers used a virtual private network to make it appear as if they were in California or Colorado. Colorado's privacy law requires companies to honor opt-out requests send through universal mechanisms, such as the Global Privacy Control. In California, state officials have interpreted the law as also requiring companies to honor the Global Privacy Control -- though the ad industry disagrees with that interpretation.

Testers activated the Global Privacy Control, then visited retail sites and loaded shopping carts, but left without making a purchase. Next, the testers visited outside publishers' sites.

Twelve of the retail sites served testers what appeared to be retargeted ads.

“We are almost certain that these retailers delivered advertisements to us based on our browsing activity,” the study states. “In these instances, we either observed advertisements that contained images of the exact items that we had viewed or placed in our shopping carts, or we found evidence from the AdChoices icon that the ad had been retargeted to us based on our browsing history.”

An additional three sites served ads that the testers believe were “very likely” based on web activity.

The ad industry's privacy code requires businesses o honor consumers' requests to opt out of targeted advertising, but doesn't specifically say companies must respect the Global Privacy Control. Instead, the ad industry requires companies to provide opt-out links that consumers can click on site-by-site, and also offers an opt-out page where people can reject targeted advertising from a broad array of companies.