Data brokers are required by California law to provide ways for consumers to request their data be deleted. But good luck finding them.
More than 30 of the companies, which collect and sell consumers’ personal information, hid their deletion instructions from Google, according to a review by The Markup and CalMatters of hundreds of broker websites. This creates one more obstacle for consumers who want to delete their data.
Many of the pages containing the instructions, listed in an official state registry, use code to tell search engines to remove the page entirely from search results. Popular tools like Google and Bing respect the code by excluding pages when responding to users.
Data brokers nationwide must register in California under the state’s Consumer Privacy Act, which allows Californians to request that their information be removed, that it not be sold, or that they get access to it.
After reviewing the websites of all 499 data brokers registered with the state, we found 35 had code to stop certain pages from showing up in searches.
While those companies might be fulfilling the letter of the law by providing a page consumers can use to delete their data, it means little if those consumers can’t find the page, according to Matthew Schwartz, a policy analyst at Consumer Reports who studies the California law governing data brokers and other privacy issues.
“This sounds to me like a clever work-around to make it as hard as possible for consumers to find it,” Schwartz said.
After The Markup and CalMatters contacted the data brokers, seven said they would review the code on their websites or remove it entirely, and another two said they had independently deleted the code before being contacted. The Markup and CalMatters confirmed eight of the nine companies removed the code.
Two companies said they added the code intentionally to avoid spam at the recommendation of experts and would not change it. The other 24 companies didn’t respond to a request for comment; however, three removed the code after The Markup and CalMatters contacted them.
(See the data on our GitHub repo.)
Most of the companies that did respond said they were unaware the code was on their pages.
“The presence of the [code] on our opt-out page was indeed an oversight and not intentional,” May Haddad, a spokesperson for data company FourthWall, said in an emailed response. “Our team promptly rectified the issue upon being informed. As a standard practice, all critical pages—including opt-out and privacy pages—are intended to be indexed by default to ensure maximum visibility and accessibility.” The Markup and CalMatters confirmed that the code had been removed as of July 31.
Some companies that hid their privacy instructions from search engines included a small link at the bottom of their homepage. Accessing it often required scrolling multiple screens, dismissing pop-ups for cookie permissions and newsletter sign-ups, then finding a link that was a fraction the size of other text on the page.
So consumers still faced a serious hurdle when trying to get their information deleted.
Take the simple opt-out form for ipapi, a service offered by Kloudend that finds the physical locations of internet visitors based on their IP addresses. People can go to the company’s website to request that the company “Do Not Sell” their personal data or to invoke their “Right to Delete” it—but they would have had trouble finding the form, since it contained code excluding it from search results. A spokesperson for Kloudend described the code as an “oversight” and said the page had been changed to be visible to search engines; The Markup and CalMatters confirmed that the code had been removed as of July 31.
