The digital rights nonprofit Electronic Privacy Information Center (EPIC) has released a comprehensive audit revealing that some of the most prominent data-collecting entities in the United States employ manipulative design tactics to prevent consumers from exercising their privacy rights. The study, which scrutinized 38 major companies ranging from artificial intelligence vendors and defense contractors to dating apps and data brokers, documented a systemic reliance on "dark patterns"—deceptive user interface designs—intended to discourage or outright block users from opting out of the sale and sharing of their personal information. The findings suggest that despite an increasing number of state-level privacy protections, the actual process of removing one’s data remains a labyrinthine challenge for the average consumer. Researchers identified at least eight distinct categories of manipulative design used to undermine consumer autonomy. These include burying opt-out links in fine print, requiring users to navigate multiple redundant forms, and mandating that individuals create paid accounts or subscriptions before they can request that their data not be sold. According to EPIC, these practices are not merely inconveniences but represent a fundamental disregard for consumer rights that necessitates intervention from both state and federal regulators. A Chronology of Privacy Concerns and Data Misuse The release of the EPIC audit on May 20, 2026, marks a significant milestone in a multi-year timeline of escalating concerns regarding the data broker industry and the expansion of AI-driven data harvesting. The report builds upon a foundation of previous research and real-world incidents that highlight the physical dangers of unchecked data circulation. In June 2025, the potential for lethal consequences of data availability was tragically demonstrated in the case of Vance Boelter. Prosecutors allege that Boelter utilized people-search data brokers to obtain the home address of Minnesota State Representative Melissa Hortman and her husband, Mark, whom he is charged with murdering. This incident served as a catalyst for renewed scrutiny of the data broker industry, illustrating how commercially available information can be weaponized by bad actors to locate and harm targets. Prior to the current audit, EPIC released two critical analyses in late 2025. In December 2025, the organization published a study focusing on the specific harms data brokers pose to survivors of domestic violence. This was followed by a report detailing the increasing threats to public officials at all levels of government, who are frequently targeted via information obtained through people-search sites. The May 2026 audit serves as the culmination of these investigations, shifting the focus from the harms themselves to the deceptive mechanisms companies use to keep that data in circulation. The Taxonomy of Manipulative Design The EPIC researchers categorized the deceptive practices found across the 38 audited companies into several "manipulative design patterns." These tactics are designed to exploit human psychology and technical friction to ensure that data remains a liquid asset for the firms involved. One of the most prevalent tactics is the use of "buried links." Researchers found that major AI vendors, including Google, Meta, and OpenAI, frequently omit opt-out links from their homepages or even their primary privacy policies. Instead, users are often forced to hunt through layers of sub-menus or external help centers. Even when a form is located, the "multi-step friction" pattern often takes over. This involves routing a consumer through several separate, disconnected forms to complete a single opt-out request, significantly increasing the likelihood that the user will abandon the process out of frustration. Another documented category is "forced account creation." Companies like Meta, X (formerly Twitter), OpenAI, and Tinder were found to require users to log in or create an account before they could even access an opt-out mechanism. This creates a paradox where a user must provide more data to the company in an attempt to protect the data the company already has. Furthermore, the audit highlighted "preselected toggles," a practice where companies default users into data sharing. On the dating app Bumble, researchers noted that the "Do Not Sell" option was visually styled to appear as if it were already selected, when in fact, the user had to click it to activate the protection. The AI and Big Tech Response The role of artificial intelligence companies in this ecosystem has become a primary point of contention. As these companies train large language models (LLMs) on vast swaths of personal data, the ability for individuals to opt out has become more critical. However, EPIC’s audit found that OpenAI’s current opt-out form does not actually offer a way to stop the sale or transfer of data. Instead, it provides an option to "remove personal information from ChatGPT responses." The researchers argue this is a mere output filter that does nothing to remove the underlying data from the company’s training sets or databases. In response to these findings, OpenAI spokesperson Shane Bauer stated that the company does not sell user data in the traditional sense, though it does share limited information with marketing partners for targeted advertising. Bauer defended the company’s practices, stating that OpenAI provides "straightforward ways" to control data usage within their apps and through a dedicated Privacy Portal available to non-account holders. Similarly, Meta has maintained a firm public stance. A spokesperson for the social media giant declined to address the specific claims regarding the difficulty of locating opt-out forms, instead pointing to the company’s privacy policy which states, "we don’t sell any of your information to anyone and we never will." However, privacy advocates often point out that while companies may not "sell" data for cash, the "sharing" of data for advertising services often falls under the legal definitions of a sale in various state jurisdictions, such as the California Consumer Privacy Act (CCPA). Data Brokers and the Persistence of Listings The audit’s most scathing findings were reserved for people-search data brokers like Spokeo, Whitepages, and National Public Data. These companies aggregate public records, social media profiles, and commercial data to create detailed dossiers on individuals. Researchers found that these brokers often do not offer a comprehensive opt-out of data sales at all. Instead, they require users to submit individual URLs for every specific listing they find on the site. This process is often described as a "whack-a-mole" system. Spokeo, for instance, explicitly warns consumers on its opt-out page that their information "may reappear on Spokeo in the future without notice," advising them to "regularly check" the site. A Spokeo spokesperson disputed the characterization of their process, claiming that the URL-based method is the most accurate way for consumers to identify their data and that the company attempts to apply opt-out requests to future data. Whitepages was found to gate its full reports behind a "Premium" subscription. This creates a "pay-to-privacy" barrier where a consumer might have to pay the broker to see exactly what information is being held about them before they can request its removal. For survivors of domestic violence or public officials, this lack of a permanent, comprehensive opt-out represents a persistent safety vulnerability. Corporate Rebuttals and Legal Interpretations Several companies included in the report challenged EPIC’s methodology and conclusions. Palantir, the defense and intelligence contractor, argued it was erroneously included in the study. A spokesperson stated that Palantir is a software company, not a data-collection or data-mining firm, and therefore does not buy or sell personal data. The company asserted that it merely integrates the existing datasets of its clients. Amazon also disputed the findings, with spokesperson Adam Montgomery stating that because Amazon does not sell customer information, users are "opted out by default." He noted that privacy preferences are accessible through "Your Ads Privacy Choices" and "Advertising Preferences" pages, which cover the uses defined by applicable laws. The surveillance vendor SoundThinking (formerly ShotSpotter) and the HR platform HireVue also provided clarifications. SoundThinking noted that its opt-out forms and a help phone number are available at the bottom of its privacy policy. HireVue stated that its public-facing privacy policy applies only to marketing website visitors, while job applicant data is handled under consent controls configured by individual employers. However, the EPIC report noted that HireVue and DataTrust still frame their opt-out instructions as being available primarily to California residents, despite 20 other states having passed similar privacy legislation. Broader Impact and the Call for Data Minimization The implications of the EPIC report extend beyond mere technical compliance. The study argues that the current "notice and opt-out" framework is fundamentally broken. Even if every company adopted a transparent, one-click opt-out process, the sheer volume of data-collecting entities—numbering in the thousands—makes it impossible for an individual to manually manage their digital footprint. For vulnerable populations, the failure of the opt-out system is a safety crisis. Women, people of color, and LGBTQ+ individuals are disproportionately targeted by online harassment and stalking, often facilitated by the very data brokers EPIC audited. When opt-out processes are intentionally designed to be difficult, these individuals are left exposed to physical harm. EPIC’s final analysis suggests that the solution is not better forms, but a shift in the regulatory paradigm toward "data minimization." This principle dictates that companies should be legally barred from collecting, processing, or retaining any personal information that is not strictly necessary for the primary purpose of the service being provided. By moving the burden from the consumer (who must currently "opt out") to the corporation (which would be prohibited from collecting in the first place), regulators could effectively neutralize the effectiveness of manipulative design. As of May 2026, twenty U.S. states have enacted comprehensive privacy laws, but a federal standard remains elusive. The EPIC report serves as a formal call to action for the Federal Trade Commission (FTC) and Congress to address the use of dark patterns and to establish a national baseline for data minimization, ensuring that privacy is a default setting rather than a difficult-to-attain privilege. Post navigation Federal Trade Commission Penalties Cox Media Group and Partners for Deceptive Active Listening Marketing Claims
