abusesaffiliationarrow-downarrow-leftarrow-rightarrow-upattack-typeburgerchevron-downchevron-leftchevron-rightchevron-upClock iconclosedeletedevelopment-povertydiscriminationdollardownloademailenvironmentexternal-linkfacebookfiltergenderglobegroupshealthC4067174-3DD9-4B9E-AD64-284FDAAE6338@1xinformation-outlineinformationinstagraminvestment-trade-globalisationissueslabourlanguagesShapeCombined Shapeline, chart, up, arrow, graphLinkedInlocationmap-pinminusnewsorganisationotheroverviewpluspreviewArtboard 185profilerefreshIconnewssearchsecurityPathStock downStock steadyStock uptagticktooltiptwitteruniversalityweb
Subscribe Search
English
العربيّة
Deutsch
Español
Français
日本語
Português
Русский
한국어
简体中文
繁體中文
Article

1 Apr 2025

Matt Schwartz, et al (Consumer Reports)

Allegations raise alarm over compliance breaches: Consumer Reports claims companies may be undermining privacy rights by violating opt-out laws

See all tags Allegations
Read more

Opt-out provisions, which allow consumers to restrict companies from selling or sharing their personal data for targeted advertising, are in many ways the core consumer protection under current state comprehensive privacy laws. However, opt-out provisions are meaningless if companies don’t comply with them. Despite sending opt-out requests to 40 brand-name retailers, we were able to generate retargeted ads from 12 of them with relatively little effort. This corroborates previous research on the topic and strongly suggests that consumers’ personal information may continue to be at risk for unwanted disclosure even when they take the appropriate steps to protect themselves under state privacy laws.

...

When we asked each of the companies in the “surefire” and the “very likely” tiers to explain why we might have received these targeted advertisements, we received the following responses (the remaining seven companies did not respond):

  • GM referenced its privacy policy, which states that they “respond to the Global PrivacyControl (GPC) signal when we detect that it is enabled on the particular web browser used to access our websites."
  • Ford said: “There could be a number of reasons this might be occurring, such as visiting a site with the Ford name that Ford does not control, such as a Ford dealer site or an unaffiliated accessories site. ” (Note: We viewed Ford products only on Ford’s official website.)
  • Wayfair said: “Our systems are set up to implement GPC signals in accordance with industry standards and regulatory requirements.”
  • Pottery Barn asserted: “The advertising activity that you described is not meant to be controlled by GPC or by do not sell or share opt outs under applicable state privacy laws. GPC and those laws provide an opt out from advertising based on interactions with multiple websites, often called cross-context behavioral advertising.”
  • Hims said: “Our site automatically opts Colorado users out of sharing collected information for non-essential purposes, including advertising. Further, we honor the privacy choices set by GPC signals for all non-essential purposes through a privacy compliance vendor."

The full report is available for download below.

Mixed Signals - Consumer Reports
PDF 8.4 MB
Download