Data brokers profit from selling personal information and often obstruct deletion requests using “dark patterns.” Despite privacy laws like GDPR and CCPA granting deletion rights, brokers hide opt-out pages and complicate processes. Weak enforcement, fragmented regulations, and deceptive designs undermine true consent, leaving consumers powerless to protect their digital privacy.
Despite attempts by data brokers to keep you from doing so, you have the right to delete your data. And no wonder – your personal information is one of the most valuable commodities being bought and sold in the world today.
It makes sense that data brokers would do anything to stop you from blocking their access to your real-time location data, a window into your shopping habits, and even access info on your political and religious beliefs. Data brokers depend on unfettered access to everything about you – and everything your digital footprint reveals about you – and therefore take nefarious steps to ensure that you are unable to defend your right to delete your own data.
In principles, you have a right to control – and request deletion of – your own data thanks to data privacy laws like the California Consumer Privacy Act (CCPA) and European Union’s General Data Protection Regulation (GDPR). In practice, though, erasure is not quite so straightforward.
A recent investigation by CalMatters and The Markup found that at least 35 data brokers deliberately hid their “opt-out” or “delete my data” pages from search engines by injecting code into their websites. This meant that when consumers searched for instructions on how to delete their data, those pages were buried or invisible.
Instead of empowering users to take control, brokers create friction – what is referred to as “dark patterns” – to discourage deletion requests. And while it could appear on the surface as though this is just about employing a few technical sleights of hand, it reveals a bigger picture about a system in which consumer privacy is devalued and undermined, regardless of what regulations mandate.
Fundamentally data brokers collect information about consumers from a wide variety of sources and use it to create detailed consumers profiles that they then sell on to all kinds of business. These profiles can include information, such as:
Purchase histories from retailers and loyalty programs
Geolocation data from smartphone apps
Health-related data, often inferred from searches or app use
Financial information, including credit-related signals
Political affiliations and religious beliefs, inferred through browsing and engagement patterns
According to a 2021 World Privacy Forum report, some broker profiles contain thousands of individual data points about a single person. In fact, Acxiom, one of the largest brokers, has claimed to have information on 2.5 billion people worldwide, with up to 1,500 attributes per individual.
These profiles are actively traded. The International Association of Privacy Professionals (IAPP) estimates that the data broker industry is worth over $200 billion globally. With so much money at stake, it’s no surprise that many brokers are reluctant to make the opt-out process easy.
The CalMatters/Markup investigation is one of the clearest examples of how data brokers frustrate consumer attempts to exercise their rights. By hiding opt-out pages from Google search results, they effectively put a barrier between consumers and true consent – and thus fail to comply with global data privacy laws.
This aligns with research into dark patterns and the proliferation of user interface designs intended to trick or discourage people from making privacy-protective choices. A 2020 study published in the Proceedings of the ACM on Human-Computer Interaction analyzed 1,818 websites and found widespread use of dark patterns in consent banners and privacy settings.
Examples include:
Obscuring opt-out links (as with the hidden pages)
Requiring excessive steps to complete a deletion request
Default settings that maximize data collection
Threatening consequences for opting out (e.g., degraded service quality)
In short: while you may have the legal right to delete your data, the practical experience often makes it feel nearly impossible.
Legislation has tried to keep up, but enforcement is uneven.
GDPR (EU): Since 2018, the GDPR has guaranteed the “right to erasure.” Yet enforcement actions have largely targeted tech giants like Google, Meta, and Amazon, not the sprawling network of mid-tier data brokers.
CCPA/CPRA (California): California gives residents the right to request deletion, but research from the Electronic Frontier Foundation (EFF) shows that many companies either ignore requests, delay excessively, or require burdensome proof of identity.
Other States: As of 2025, Colorado, Connecticut, Virginia, and Utah have passed their own consumer privacy laws. But the patchwork nature of US regulation means compliance is inconsistent.
It’s easy to think of this as a technical or regulatory issue, but there are real-world harms consumers may face:
What can be done to close the gap between rights and reality? Analysts and privacy advocates propose several measures:
Stronger enforcement: Regulators like the FTC and state attorneys general must hold brokers accountable for deceptive deletion processes.
Centralized opt-out mechanisms: Some have proposed a “Do Not Track”–style registry where individuals can submit a single request that applies across brokers. The California Privacy Protection Agency (CPPA) is considering such systems.
Standardization: Academic researchers suggest standardized deletion request formats, similar to how unsubscribe buttons are regulated in email marketing.
Transparency reports: Just as tech giants issue reports on government data requests, brokers could be required to disclose how many deletion requests they receive and honor.
Consumer tools: Private companies are emerging to help individuals navigate the complex opt-out maze, though these services come at a cost.
Enable real consent: Using a robust CMP can model the kind of transparent, consent-first behavior businesses should employ.
The right to delete your personal data is enshrined in law in many jurisdictions. But when dozens of data brokers hide, obscure, or complicate the process of exercising that right, it reveals a deeper truth: rights that cannot be exercised in reality are no rights at all.
Until enforcement catches up, consumers will continue to face an uphill battle in reclaiming their digital identities. The next frontier of privacy isn’t just about passing new laws. It’s about ensuring that the right to delete and to be forgotten is an accessible, and enforceable right and that consent management is real — not something buried behind hidden links and endless forms.
©2025 CookieHub ehf.
