EPIC Audit Exposes Deceptive Opt-Out Designs Across AI and Data Brokerage Sector
A new report highlights how buried links, mandatory logins, and misleading toggles prevent users from exercising their right to opt out of data sales, raising significant safety concerns for public officials and vulnerable groups.

A comprehensive audit by the Electronic Privacy Information Center (EPIC) has identified systemic manipulative design practices across 38 major data-collecting entities, including artificial intelligence vendors, data brokers, and dating applications. The study, released this week, documents how these companies employ deceptive interfaces to obstruct consumers from opting out of the sale and sharing of their personal information. Researchers identified at least eight distinct categories of design failures, ranging from buried navigation links and mandatory account creation to forms that fail to permanently remove underlying data.
The audit highlights significant gaps in the opt-out mechanisms of prominent technology firms. Major large language model providers such as Google, Meta, and OpenAI were found to lack clear links to opt-out forms on their homepages or privacy policies. EPIC noted that OpenAI’s available option merely filters chatbot output rather than removing personal data from its systems. Similarly, Palantir, a defence and intelligence contractor, provided a privacy form that lacked an option to opt out of data sales, despite operating in a sector heavily scrutinised for data handling. Researchers were also unable to locate opt-out processes on Meta, X, OpenAI, and Tinder without first logging into an account.
Safety implications were a central focus of the report, with EPIC citing the June 2025 murder of Minnesota state representative Melissa Hortman and her husband, Mark. Prosecutors allege that the perpetrator, Vance Boelter, utilised people-search data brokers to locate his targets. The audit found that brokers such as Spokeo, Whitepages, and National Public Data do not offer a mechanism to opt out of data sales. Instead, they require users to remove individual listings by URL, with Spokeo explicitly warning that information may reappear without notice and instructing users to regularly check the site for new listings.
The report also criticised the use of misleading interface elements by dating apps and other consumer-facing services. Four companies, including Bumble, were found to default users into data sharing through preselected toggles: the “Do Not Sell” option is styled to look already selected, when selecting it is in fact the step the user must take to opt out. Additionally, Whitepages requires consumers to submit URLs for every listing of themselves, with full reports gated behind a paid subscription, effectively forcing users to pay the broker to access the information they wish to remove.
Several companies disputed the findings or failed to respond to requests for comment. Amazon stated that it does not sell customer personal information and that customers are opted out by default, while OpenAI argued it provides straightforward ways to control data use. HireVue disputed the scope of the audit, noting its public policy applies only to marketing website visitors, not job applicants. EPIC concluded that the current opt-out framework is insufficient, calling for regulatory intervention to enforce stricter standards and reduce unnecessary data collection.


