In conclusion
Dozens of websites were discovered by The Markup and CalMatters to be blocking the indexation of their legally mandated opt-out pages.
Greetings from CalMatters, the only nonprofit news organization dedicated exclusively to reporting on topics that impact all Californians. To get the most recent information and analysis on the most significant topics in the Golden State, sign up for WhatMatters.
California law mandates that data brokers give customers the option to seek the deletion of their data. But I hope you find them.
The Markup and CalMatters reviewed hundreds of broker websites and found that over 30 of the organizations that gather and sell customer personal information concealed their deletion instructions from Google. For customers who wish to remove their data, this adds another barrier.
Code is used by many of the pages with instructions that are registered in a state registry to instruct search engines to delete the page completely from search results. When responding to consumers, well-known tools like Google and Bing respect the code by removing pages.
In California, data brokers are required to register under the state’s Consumer Privacy Act, which gives Californians the right to request that their information be deleted, kept private, or made available to them.
We discovered that 35 of the 499 data brokers registered with the state had coding on their websites that prevented specific pages from appearing in searches.
According to Matthew Schwartz, a policy analyst at Consumer Reports who researches the California law governing data brokers and other privacy issues, even though those businesses may be following the letter of the law by offering a page for customers to delete their data, it won’t matter much if those customers can’t find the page.
According to Schwartz, this seems like a smart workaround to make it as difficult as possible for customers to find it.
Seven data brokers responded that they will examine or remove the code from their websites after being contacted by The Markup and CalMatters, while two more indicated they had already removed the code on their own before being approached. Eight of the nine businesses eliminated the code, according to CalMatters and The Markup.
Two businesses stated that they would not alter the code they purposefully added to prevent spam at the advice of experts. Three companies removed the code after being contacted by The Markup and CalMatters, while the remaining 24 companies did not reply to a request for comment.
(View the information on our GitHub repository.)
I think this is a smart way to make it as difficult as possible for customers to find.
The majority of businesses that did reply claimed not to have noticed the code on their pages.
In an email response, May Haddad, a representative for data business FourthWall, stated that the [code] was in fact an error and not deliberate on our opt-out page. After being notified, our team quickly fixed the problem. To provide optimal exposure and accessibility, it is common procedure for all important pages, such as opt-out and privacy pages, to be indexed by default. CalMatters and The Markup both attested to the code’s removal on July 31.
Some businesses placed a tiny link at the bottom of their homepages to conceal their privacy policies from search engines. It frequently required scrolling through several screens, ignoring pop-ups for newsletter sign-ups and cookie permissions, and then locating a link that was only slightly larger than the other text on the page.
Customers still had to overcome a significant obstacle in order to have their information removed.
Consider the straightforward opt-out form foripapi, a service provided by Kloudend, Inc. that uses IP addresses to determine the actual locations of website users. Individuals can visit the company’s website to request that their personal information not be sold or to exercise their right to have it deleted, but they would have had a hard time locating the form because it had coding that prevented it from appearing in search results. The Markup and CalMatters acknowledged that the code had been removed as of July 31. A Kloudend representative called the code an oversight and stated that the page had been modified to make it search engine visible.
A straightforward form for Data Deletion and Opt Out/Do Not Sell is provided by Telesign, a corporation that promotes fraud prevention services for organizations. However, such form is not linked on its webpage and is concealed from search engines and other automated systems.
Instead, to find a link to the page, users have to sift through almost 7,000 lines of legalese-filled privacy policy.
A request for feedback from a Telesign representative was not answered.
on addition to not being searchable, five of the pages on the California registry are nonexistent. For instance, the California register has a privacy instructions site for BrightCheck, a business that provides AI-driven identification verification. However, we discovered a message stating that the page was no longer available when CalMatters and The Markup visited it in late July. The Wayback Machine has a record of the page from February 14, and it was present on March 18 when The Markup and CalMatters first inspected the website.
An inquiry was not answered by BrightCheck.
The CCPA
Companies that earn more than $25 million annually, handle the data of more than 100,000 people in the state, or get the majority of their revenue from the sale of consumer data are subject to the California Consumer Privacy Act, which entered into effect in 2020. The rule is one of the few requirements data brokers must follow because there isn’t a complete federal privacy law.
Nearly 500 businesses are listed in California’s most recent broker database, the majority of which are probably unknown to customers. They offer everything from contact directories to email marketing solutions, and some of them have catchy start-up names like StatSocial and UpLead. Last year, CalMatters released a guide explaining how customers can use the database or third-party technologies to exercise their rights and how to ask for their children’s information to be deleted.
More on Opting Out
Who s selling your digital data? California gives you tools to protect your online privacy
In an interview, Tom Kemp, executive director of the California Privacy Protection Agency, which is responsible for implementing the privacy law, stated that the agency had replicated the results of The Markup and CalMatters. He cited an agency enforcement advice on dark patterns—design decisions that significantly undermine or impede a consumer’s autonomy, decision-making, or choice—but declined to comment on the activities of any specific organization.
According to the guidance, a corporation may be breaking the law if it makes it significantly harder for customers to decide whether to remove their personal data than to provide it, or if it uses too much language or creates other obstacles for them to overcome in order to do so.
Among other infractions, the privacy agency has launched enforcement action against Todd Snyder and Honda this year for making it too difficult for individuals to opt out of data use. This year, Honda agreed to pay more than $630,000, while Todd Snyder paid a fine of around $350,000. They both decided to change their privacy policies.
According to Kemp, identifying a pattern of behavior that makes it challenging for customers to exercise their rights is crucial in assessing whether a business has broken the Privacy Act. When assessing if a business is failing to fulfill its responsibilities, hiding a privacy directives page may be the first clue.
Other businesses have already come under fire for concealing crucial web pages from search engines. In 2019, ProPublica exposed how TurboTax, the firm that created the tax filing program, used code to cover off a free tax filing alternative. According to a 2021 Wall Street Journal story, hospitals were concealing costs that they were obligated to disclose in accordance with federal transparency regulations.
The Delete Act was recently passed by California lawmakers who realized that the majority of Californians are unaware of the hundreds of organizations included in the data broker registry. The law would create a system calledthe Delete Request and Opt-out Platform, or DROP, which will allow consumers in California to issue a single, legally enforceable request to all data brokers on the registry at one time. Next year, the privacy protection agency plans to debut it.
In the course of our investigation, we made adjustments to some URLs in California s registry. In order to fix server issues, we eliminated the www. from the beginning of the domain name for 64 sites. We manually changed the URL for 16 more sites to reach a functional page. In some cases, we fixed a typo, in others, we visited the broker s main site and found the correct link by navigating to it. Go here to read our entire methodology.
CalMatters has further information.
Text
Receive breaking news on your mobile device.
Get it here
Use our app to stay up to date.
Register
Get free updates delivered straight to your inbox.
Nonpartisan, independent California news for all
CalMatters is your impartial, nonprofit news source.
Our goal remains crucial, and our journalists are here to empower you.
-
We are independent and nonpartisan.
Our trustworthy journalism is free from partisan politics, free from corporate influence and actually free for all Californians. -
We are focused on California issues.
From the environment to homelessness, economy and more, we publish the unfettered truth to keep you informed. -
We hold people in power accountable.
We probe and reveal the actions and inactions of powerful people and institutions, and the consequences that follow.
However, without the help of readers like you, we are unable to continue.
Give what you can now, please. Every gift makes a difference.
