A new investigative report from the digital rights nonprofit Electronic Privacy Information Center (EPIC) has revealed that many of the largest data-collecting entities in the United States utilize manipulative design tactics to prevent consumers from exercising their privacy rights. The study, which audited 38 major corporations ranging from artificial intelligence developers and data brokers to defense contractors and dating applications, documented a systemic use of "dark patterns"—user interface designs intended to confuse, delay, or block users from opting out of the sale and sharing of their personal information. The findings suggest that despite a growing landscape of state-level privacy protections, the practical ability for a citizen to control their digital footprint is being undermined by intentional technical hurdles. EPIC’s researchers identified at least eight distinct categories of manipulative design, ranging from buried links and mandatory account creation to paywalls that require users to purchase a subscription before they can request the removal of their data. Systematic Obfuscation in the Opt-Out Process The EPIC audit highlights a significant disconnect between corporate privacy pledges and the actual user experience. According to the report, major technology firms including Google, Meta, and OpenAI fail to provide clear, accessible links to opt-out forms from their primary homepages or privacy policies. In several instances, consumers are forced to navigate a labyrinth of multiple separate forms to complete what should be a single, unified request. A primary example cited in the report is OpenAI. While the company provides a form, researchers found it does not actually offer a mechanism to opt out of the sale or transfer of personal data. Instead, the interface offers an option to "remove personal information from ChatGPT responses." EPIC clarifies that this function acts merely as a filter on the chatbot’s output rather than a deletion of the underlying data stored in the company’s training sets or databases. The report also identifies "preselected toggles" as a common deceptive practice. In the case of the dating app Bumble, researchers found that the "Do Not Sell" option was styled to appear as if it were already selected by default. In reality, the visual design was inverted, requiring the user to click the toggle to actually activate the opt-out—a tactic known in UX design as "misdirection." The Human Cost: Safety Risks and Data Brokerage EPIC frames these opt-out failures not merely as a matter of consumer inconvenience, but as a critical safety issue. The report points to the June 2025 case of Vance Boelter, a man charged with the murder of Minnesota State Representative Melissa Hortman and her husband, Mark. Prosecutors allege that Boelter utilized people-search data brokers to obtain the home address of his targets. For public officials, domestic violence survivors, and marginalized groups, the ability to remove a home address from public circulation is often a primary safety measure. However, the EPIC audit of people-search brokers such as Spokeo, Whitepages, and National Public Data found that these entities do not offer a comprehensive way to opt out of data sales. Instead, they require users to remove individual listings by URL one at a time. Furthermore, Whitepages reportedly gates full reports behind a "Premium" subscription. This creates a scenario where individuals may be forced to pay the very company selling their data just to identify which specific listings they need to request for removal. Spokeo’s interface explicitly warns consumers that their information "may reappear on Spokeo in the future without notice," shifting the burden of constant surveillance back onto the victim. Chronology of the EPIC Investigation and Audit The EPIC report is the culmination of a multi-month technical and legal audit designed to test the efficacy of modern privacy regulations. The timeline of the investigation highlights a period of rapid legislative change met with corporate resistance: January – March 2025: EPIC researchers began the initial selection of 38 target companies, focusing on industries with the highest volume of personal data processing, including AI, defense, and social media. April 2025: The technical audit phase commenced, where researchers attempted to exercise opt-out rights using standard consumer hardware and software, documenting every "click" and "redirect" encountered. June 2025: The murder of Minnesota State Representative Melissa Hortman underscored the real-world implications of data broker accessibility, prompting EPIC to expand its analysis into the specific harms faced by public officials. December 2025: EPIC released a preliminary analysis focusing specifically on the use of data brokers against domestic violence survivors, setting the stage for the full 2026 audit. May 2026: The final report, "Good Luck Opting Out," was published, documenting the eight categories of manipulative design and calling for federal intervention. Corporate Responses and Industry Defense Following the publication of the report, several of the named companies issued statements clarifying their positions or disputing EPIC’s findings. Amazon spokesperson Adam Montgomery disputed the report’s conclusions, stating that the company does not sell customer personal information and therefore considers customers "opted out" by default. Montgomery noted that privacy preferences are available through "Your Ads Privacy Choices" and "Advertising Preferences" pages, though EPIC maintains these links are often difficult for the average user to locate. OpenAI spokesperson Shane Bauer emphasized that the company provides "straightforward ways" for people to control their data directly within the applications. Bauer stated that OpenAI shares limited data with marketing partners but does not "sell" user data in the traditional sense, defending the company’s Privacy Portal as a valid tool for both users and non-users. Palantir, the defense and intelligence contractor, argued that its inclusion in the report was erroneous. A company spokesperson told reporters that Palantir is a software company, not a data-collection or mining firm. "We do not collect, sell, or buy personal data. We integrate our customers’ existing data sets," the spokesperson stated, adding that their website provides standard cookie opt-out options. Spokeo defended its URL-based removal process, claiming it is the most accurate way for consumers to identify specific listings. The company stated that once a listing is opted out, they attempt to apply that request to future data, though they did not directly address the warning on their site that information may reappear without notice. Meta, through a spokesperson, reiterated its long-standing policy: "We don’t sell any of your information to anyone and we never will." The company did not, however, address the specific claims regarding the difficulty of accessing opt-out forms without logging into an account. Fact-Based Analysis of Privacy Implications The EPIC report highlights a fundamental flaw in the "notice and consent" model of digital privacy. While 20 U.S. states have passed laws granting residents the right to opt out of data sales, the implementation of these rights is left to the very companies that profit from the data. This creates an inherent conflict of interest where companies are incentivized to make the opt-out process as frictionless as possible for their own data collection and as difficult as possible for the consumer. The use of "dark patterns" effectively creates a "privacy tax" on time. When a company like Whitepages requires a URL-by-URL removal or a company like OpenAI requires multiple forms, they are betting that the average consumer will abandon the process due to "consent fatigue." This is particularly effective in an ecosystem where thousands of companies may hold a single individual’s data; even if one form takes only five minutes, repeating the process for every data broker would require hundreds of hours of labor. Furthermore, the "login wall" identified at Meta, X, and Tinder presents a unique legal hurdle. By requiring a user to log in to opt out, these companies force individuals to interact with their platforms—and potentially agree to updated terms of service—just to exercise a statutory right to privacy. The Path Toward Data Minimization The Electronic Privacy Information Center concludes that the solution to these systemic issues is not merely "better forms" or clearer links. The report argues that as long as the burden of privacy remains on the individual to "opt out," the data collection industry will continue to find creative ways to circumvent the spirit of the law. EPIC advocates for a shift toward "data minimization"—a regulatory framework that would prohibit companies from collecting, sharing, or retaining personal information that is not strictly necessary for the service being provided. Under a data minimization regime, the "default" state of a consumer would be "opted out," and the burden would shift to the corporation to justify why any data collection is necessary. As state and federal regulators review the findings of the EPIC audit, the debate over manipulative design is expected to move into the legislative sphere. Without standardized, automated opt-out mechanisms—such as the Global Privacy Control (GPC) signal—the "Good Luck Opting Out" report suggests that the American consumer’s right to privacy will remain a theoretical privilege rather than a practical reality. Post navigation The White House’s Aliens.gov Site Brags That ICE Arrested More Than 700 US Citizens Global Security and Privacy Trends Military Vulnerabilities AI Threats and the Evolution of Modern Surveillance
