Introduction: A right ignored
A landmark audit by the non-profit advocacy group Privacy Rights Clearinghouse (PRC) has revealed a troubling pattern of non-compliance among some of the world's largest technology companies. The report, titled "Big Tech's Big Fail," found that giants like Google, Meta, and Microsoft failed to honor legally mandated consumer opt-out requests approximately half the time. These requests, made under California’s comprehensive privacy laws, are a cornerstone of consumer data rights, designed to give individuals control over how their personal information is sold or shared for targeted advertising. The findings suggest that for many consumers, this fundamental right exists more on paper than in practice.
Background: California's privacy framework
To understand the audit's significance, one must look at the legal foundation it tests: the California Consumer Privacy Act (CCPA) of 2020 and its successor, the California Privacy Rights Act (CPRA), which took full effect in 2023. These laws grant California residents several core rights, including the right to know what personal data companies collect about them and the right to request its deletion. Critically, they also established the right to opt out of the "sale" of personal information.
The CPRA expanded this protection to include the "sharing" of personal data for cross-context behavioral advertising. This change was designed to close a loophole where companies claimed they didn't "sell" data for money but rather "shared" it with advertising partners in exchange for services. The "Do Not Sell or Share My Personal Information" (DNSOS) request is the mechanism through which consumers exercise this right. The California Privacy Protection Agency (CPPA) was also established by the CPRA to enforce these regulations, a role it began in July 2023.
Technical details of non-compliance
The PRC's audit, conducted between May and August 2023, did not uncover a software vulnerability but rather a systemic failure in compliance processes. The group submitted 50 DNSOS requests to ten major companies, including tech firms and telecommunications providers, mimicking the actions of an average consumer.
The audit revealed several distinct forms of non-compliance, particularly from Google, Meta, and Microsoft, which failed to process requests correctly in about 50% of cases. Amazon had a 20% non-compliance rate, while telecom companies like Verizon and AT&T performed significantly better, with a failure rate of around 10%.
The specific failures included:
- Ignoring requests entirely: The most direct form of non-compliance, where a company simply took no action on a submitted request.
- Failure to confirm receipt: California law requires companies to confirm receipt of a request within 15 business days. Many failed to send this basic acknowledgment, leaving consumers in the dark about the status of their request.
- Exceeding processing deadlines: Companies have 45 days to substantively respond to a request. The audit found numerous instances where this deadline was missed without proper notification of an extension.
- Imposing unreasonable verification hurdles: Some companies demanded excessive personal information to verify an identity, such as government-issued IDs, creating a chilling effect where consumers must surrender more privacy to protect their privacy.
- Ineffective processing: The ultimate failure occurred when a company claimed to have processed a request, yet evidence suggested that the consumer's data was still being shared for targeted advertising purposes.
These process failures demonstrate a significant disconnect between corporate privacy policies and their operational execution. While mechanisms like dedicated web forms and privacy dashboards exist, the audit shows they are often ineffective or are not being managed in accordance with legal requirements.
Impact assessment: A widespread erosion of trust
The immediate impact of these findings falls on California residents, whose statutory rights are being systematically disregarded. When consumers cannot reliably opt out of data sharing, the law loses its power, and the promise of data control becomes illusory. This fosters a sense of helplessness and deepens public distrust in the technology sector.
The implications, however, extend far beyond California. Many companies apply their privacy practices across all jurisdictions, meaning the difficulties faced by Californians are likely shared by consumers nationwide. As more states like Virginia, Colorado, and Utah enact their own privacy laws, this audit serves as a critical benchmark for regulators, highlighting potential areas for enforcement actions.
For the implicated companies—Google, Meta, and Microsoft—the report poses a significant reputational risk and invites regulatory scrutiny. The CPPA and the California Attorney General now have clear evidence to launch investigations, which could result in substantial fines. In 2022, the California AG fined Sephora $1.2 million for similar violations, setting a clear precedent for enforcement. For an industry built on data, being labeled as non-compliant with privacy law is a serious blow that can damage user trust and investor confidence.
How to protect yourself
While the PRC's report is disheartening, consumers are not powerless. Exercising your rights is still the most important step toward demanding accountability. Here are actionable steps you can take:
- Locate the privacy portal: On any major service you use, look for a link in the website footer that says "Privacy Policy," "Do Not Sell or Share My Personal Information," or "Your Privacy Choices." This is your starting point.
- Submit a formal request: Use the company's designated web form or email address to submit your DNSOS request. Be clear and direct.
- Document everything: Take screenshots of your submission confirmation page. Save any confirmation emails you receive. Note the date you submitted the request. This documentation is vital if the company fails to respond.
- Enable Global Privacy Control (GPC): GPC is a browser-level signal that automatically tells websites you visit that you do not want your data sold or shared. Many modern browsers, like Brave, Firefox, and DuckDuckGo, have this feature built-in or available as an extension. Under California law, companies are required to honor the GPC signal as a valid opt-out request.
- File a complaint: If a company ignores your request or fails to comply within the 45-day window, file a formal complaint with the California Privacy Protection Agency (CPPA). Your documentation will be essential evidence.
- Enhance overall privacy: Submitting opt-out requests is a reactive measure. Proactively reduce the data you share by using privacy-focused browsers, limiting app permissions, and using tools like a hide.me VPN to mask your IP address and encrypt your internet traffic.
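What honoring the GPC signal from the list above looks like on the receiving side, as an added example that is not taken from the PRC report or from any audited company: a browser with GPC enabled sends the request header `Sec-GPC: 1`, and the site has to treat it like a submitted opt-out. The tag list, the `sharesForAds` flag and the `dnsosOptOut` account field are assumptions made up for the illustration.

```javascript
// Added example: server-side handling of the Global Privacy Control signal.
// A browser with GPC enabled sends the request header "Sec-GPC: 1".
// Tag names, sharesForAds and dnsosOptOut are hypothetical names.

// Case-insensitive header lookup; returns the trimmed value or null.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return null;
}

// Only the exact value "1" expresses the do-not-sell-or-share preference.
// A missing header or any other value means no signal was sent.
function hasGpcSignal(headers) {
  return getHeader(headers, "Sec-GPC") === "1";
}

// The opt-out applies if either the browser signal or a stored
// "Do Not Sell or Share" request on the account says so.
function mustNotSellOrShare(headers, account) {
  const storedOptOut = Boolean(account && account.dnsosOptOut);
  return hasGpcSignal(headers) || storedOptOut;
}

// Decide which third-party tags may be placed on the page. When the
// opt-out applies, every tag that sells or shares data for advertising
// is dropped before the page is rendered, not after it has fired.
function tagsToLoad(headers, account, tags) {
  const optedOut = mustNotSellOrShare(headers, account);
  return tags
    .filter((tag) => !(optedOut && tag.sharesForAds))
    .map((tag) => tag.name);
}

// Constructed sample data, not real vendor names.
const SAMPLE_TAGS = [
  { name: "site-analytics", sharesForAds: false },
  { name: "ad-exchange-pixel", sharesForAds: true },
  { name: "social-retargeting", sharesForAds: true },
];

// A request from a GPC-enabled browser with no account on file.
console.log(tagsToLoad({ "Sec-GPC": "1" }, null, SAMPLE_TAGS));
```

The check runs on every request, so the preference is honored for visitors who never log in or fill out a web form.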
The audit from the Privacy Rights Clearinghouse is a critical piece of journalism and advocacy. It moves the conversation about non-compliance from anecdote to evidence, providing regulators and the public with the data needed to demand change. True data privacy will only be achieved when the rights enshrined in law are respected in practice.




