¾ÅÉ«ÊÓƵ

¾ÅÉ«ÊÓƵ and Consumer Reports (CR) researchers released findings from that examines how companies are complying with opt-out requests that protect personal consumer data. CR and Wesleyan are founding organizations and supporters of , a universal opt-out tool.  

The study examined 40 online retailers and found that many of them appear to be ignoring opt-out requests under state privacy laws. Universal opt-out mechanisms, such as GPC, allow consumers to restrict companies from selling or sharing their personal data for targeted advertising and are in many ways the core consumer protection under current state comprehensive privacy laws. As it stands, 19 states have comprehensive state privacy laws, making up approximately 44 percent of the country’s population. 

“While there are a number of sites that are compliant, many site operators still have a good amount of work to do,” said Sebastian Zimmeck, assistant professor of computer science. “They should work with ad networks that protect people's privacy and ensure that their third-party ad integrations are implemented properly. It is also important that the online ad industry as a whole increases its efforts to respect people's privacy rights.” 

To conduct the study, researchers used a VPN to browse the internet with IP addresses pegged to either Los Angeles, California or Denver, Colorado. With GPC enabled, the researchers visited 40 retailer websites, placing various items into their shopping carts. They then visited 10 publisher websites and catalogued the advertisements they received to determine if any appeared to be re-targeted based on their browsing history. 

The 40 retailer sites comprised a wide variety of industries, including traditional retail (Macy’s, Overstock, Wayfair), hospitality (Marriott), direct-to-consumer health (Hims), telecom (Verizon), and more. Of the 40 retailers examined, 12 (30 percent) appeared to be serving retargeted advertisements on other publisher websites despite receiving GPC opt-out requests. The ability to generate retargeted ads on 12 of 40 websites with just a few clicks suggests that there may be a major gap in state privacy law compliance. Other recent research conducted by and privacy compliance companies similarly indicate that universal opt-out compliance is lower than expected. 

“This study highlights the need for more aggressive enforcement of existing privacy laws,” said Matt Schwartz, policy analyst at CR. “While it’s great that the United States now has 19 states with privacy laws, their impact is undermined if companies are not held accountable for non-compliance. Without strong enforcement, companies can simply ignore these laws with impunity. Consumers deserve better. State attorneys general need more resources to enforce these laws, and individuals harmed by privacy violations should have the right to take action through a private right of action.”