In the rapidly evolving world of data privacy, one of the most frustrating realities for consumers is the illusion of control. You think you can opt out of data sharing — but many companies make that process so convoluted, hidden, or outright ineffective that it feels impossible. A powerful new report from the Electronic Privacy Information Center (EPIC) exposes how major data brokers, AI companies, defense contractors, and even dating apps are using manipulative design tactics to keep your personal information flowing through the data economy.
The EPIC Report: Shining a Light on Manipulative Design
Released in May 2026, EPIC’s audit examined the opt-out processes of 38 major data-collecting companies. The findings are troubling: widespread use of at least eight distinct dark patterns and obstructive tactics that make exercising your privacy rights unnecessarily difficult.
These tactics include:
- Buried or missing opt-out links on homepages and privacy policies
- Forms that don’t actually stop the sale or sharing of your data
- Requiring users to complete multiple separate requests
- Forcing account creation or paid subscriptions to opt out
- Pre-checked toggles that default users into maximum data sharing
- Geographic limitations that ignore broader state privacy laws
The report highlights a critical truth: When opt-out mechanisms are built to fail, they undermine the very foundation of consumer privacy rights.
AI Companies Falling Short on Transparency
Major players in the artificial intelligence space — including OpenAI, Google, and Meta — received particular scrutiny. Many fail to provide clear, prominent links to opt-out forms from their homepages or privacy policies. Even when users locate the forms, the options often fall short.
OpenAI’s process, for example, allows users to request removal of personal information from ChatGPT responses — but this only filters outputs rather than deleting underlying training or profile data. This distinction matters immensely in an era where AI systems are trained on vast datasets that can include scraped personal information.
Similar issues appear with platforms like TikTok and Amazon, where opt-out options for data sale or sharing are either absent or not clearly presented.
Data Brokers: The Highest Stakes for Safety
People-search sites like Spokeo, Whitepages, and National Public Data present some of the most concerning findings. These brokers often do not offer true opt-outs from data sales. Instead, they provide limited tools to remove individual listings — one URL at a time — with explicit warnings that the same information may reappear later without notice.
Whitepages takes this further by gating full reports behind a paid subscription, effectively forcing consumers to pay the company that profited from their data just to locate and attempt to remove it.
These practices carry real-world safety implications. EPIC connects these failures to tragic cases, including the 2025 murder of a Minnesota state representative, where the perpetrator allegedly used people-search data to locate victims. Domestic violence survivors, public officials, and vulnerable populations are disproportionately affected when home addresses and personal details remain easily accessible.
Other Troubling Examples Across Industries
The report doesn’t stop at AI and data brokers. Dating apps like Bumble and Tinder, defense contractors like Palantir, and surveillance companies like SoundThinking and HireVue also employ questionable practices. Some default users into broad data sharing through misleading interface design, while others limit opt-out instructions to California residents despite broader state laws granting similar rights.
These findings reveal a systemic issue: Many companies treat privacy rights as a regulatory checkbox rather than a genuine consumer protection mechanism.
What This Means for Compliance Professionals and Businesses
For organizations committed to ethical data practices, this report serves as both a warning and a roadmap. Here are key takeaways and actionable recommendations:
- Audit Your Own Opt-Out Processes
Review every data-sharing activity and ensure opt-out mechanisms are prominent, functional, and actually effective. Test them from the perspective of an average user. - Avoid Dark Patterns
Eliminate pre-selected toggles, buried links, confusing language, and unnecessary hurdles. Opt-out should be as easy as opting in — ideally easier. - Go Beyond Minimum Compliance
Even if your company doesn’t “sell” data under narrow legal definitions, provide clear controls for sharing, third-party transfers, and AI training uses. - Prioritize User Experience
Make privacy controls intuitive and accessible without requiring logins where possible. Prominently link them from your homepage and privacy policy. - Document and Monitor
Maintain records of how opt-out requests are processed and regularly test for effectiveness, especially after product updates or new integrations.
Building Trust Through Genuine Privacy Respect
In 2026, consumers are increasingly aware of how their data is collected, shared, and monetized. Companies that treat privacy as a genuine right — rather than an obstacle to be minimized — will stand out as trustworthy partners.
The EPIC report underscores a growing regulatory and public expectation: Opt-out mechanisms must work in practice, not just on paper. State attorneys general and federal regulators are paying attention, and enforcement actions are likely to increase.
