Consumer Reports and Wesleyan University researchers release joint study examining online retailers’ compliance with state privacy opt-out requests

Washington, DC – Consumer Reports (CR) and researchers from Wesleyan University released findings today from a joint study that examines how companies are complying with opt-out requests sent by universal opt-out mechanisms, such as Global Privacy Control (GPC) (CR and Wesleyan University are founding organizations and supporters of GPC). 

The study examined 40 online retailers and found that many of them appear to be ignoring opt-out requests under state privacy laws. Universal opt-out mechanisms, such as GPC, allow consumers to restrict companies from selling or sharing their personal data for targeted advertising and are in many ways the core consumer protection under current state comprehensive privacy laws. As it stands, 19 states have comprehensive state privacy laws, making up approximately 43 percent of the country’s population.

To conduct the study, researchers used a VPN to browse the internet with IP addresses pegged to either Los Angeles, California or Denver, Colorado. With GPC enabled, the researchers visited 40 retailer websites, placing various items into their shopping carts. They then visited 10 publisher websites and catalogued the advertisements they received to determine if any appeared to be re-targeted based on their browsing history.  

The 40 retailer sites comprised a wide variety of industries, including traditional retail (Macy’s, Overstock, Wayfair), hospitality (Marriott), direct-to-consumer health (Hims), telecom (Verizon), and more. The full list of companies can be viewed in the study. Of the 40 retailers examined, 12 (30 percent) appeared to be serving retargeted advertisements on other websites despite receiving GPC opt-out requests. The ability to generate retargeted ads on 12 of 40 websites with just a few clicks suggests that there may be a major state privacy law compliance gap. Other recent research conducted by academics and two separate privacy compliance companies similarly indicate that universal opt-out compliance is lower than expected.  

The study breaks out the sample of retailers into a few different tiers reflecting the level of confidence with the results: surefire retargets; very likely retargets; sent ads, but unlikely to be based on retargeting us; and no advertisements at all. 

• Surefire retargets (High degree of confidence that these retailers delivered advertisements to researchers based on user browsing activity, despite researchers sending GPC opt-out requests to them and the publishers that showed their ads.): American Eagle, Pottery Barn, Ford, Wayfair, WomanWithin, JCPenney, Macy’s, GM, Uniqlo 
• Very likely retargets (These websites all showed advertisements we believe were sent on the basis of the researchers web activity, but tended to be more generic than the ads received from businesses in the Surefire tier, slightly lowering the confidence level overall.): DollarShaveClub, Kroger, Hims
• Sent ads, but unlikely to have retargeted (This tier represents the list of websites for which researchers received advertisements but have no strong reason to believe they were re-targeted to the user based on our web activity.): Temu, Sephora, Walmart, Target
• No advertisements at all: remaining 24 companies

“This study highlights the need for more aggressive enforcement of existing privacy laws,“ said Matt Schwartz, policy analyst at CR. “While it’s great that the United States now has 19 states with privacy laws, their impact is undermined if companies are not held accountable for non-compliance. Without strong enforcement, companies can simply ignore these laws with impunity. Consumers deserve better. State attorneys general need more resources to enforce these laws, and individuals harmed by privacy violations should have the right to take action through a private right of action.”

CR and the Electronic Privacy Information Center recently introduced the State Data Privacy Act, model legislation developed to provide lawmakers with a framework for protecting the privacy of American consumers. Currently, there is no federal comprehensive federal privacy law, though 19 states have comprehensive privacy laws on the books that range in strength. CR is also pushing lawmakers in California to pass Assembly Bill (AB) 566, which would require browsers and mobile operating systems to natively support opt-out preference signals (currently, on most browsers consumers must download third-party extensions to send them). 

Contact: cyrus.rassool@consumer.org