Data Brokers, Privacy & the Problem of Request Handling
One of the most pernicious types of websites on the internet is the “people-search” site. If you’ve ever typed an old classmate, neighbor, or even your own name into Google, chances are sites like WhitePages are going to be on the first page.
These sites will usually have and share lots of personal data on a person, from email addresses and phone numbers to family connections and in many cases, physical addresses. Why do they have that data? These people-search sites are data brokers, and their express purpose for collecting data is to sell it to third parties.
Given over half of the US population is now covered by state-level data privacy laws and will have some collection of data rights by 2026 (when all of the currently passed laws will have entered into effect), one might think that opting out of data collection and sending deletion requests to specific companies that have your personal data is the most effective approach to staying safe online. That certainly helps, but in many cases, getting your data off the sites of data brokers is even more impactful for your privacy and protection.
With that in mind, Consumer Reports teamed up with Tall Poppy, an organization that promotes digital safety online and particularly in the workplace, to investigate how easy it would be to remove one’s data from a litany of popular people-search sites.
The two conducted the test between May and September 2023, finally publishing the results last week in a groundbreaking report you can access here.
In short, the authors recruited 32 volunteers who had no prior experience opting out or using paid solutions to remove personal data from people-search sites to test seven paid people-search removal services.
Half the volunteers lived in California, which has arguably the nation’s strongest data privacy law on the books, the California Consumer Privacy Act, with the other half hailing from New York, which lacks a comprehensive data privacy law.
The Methodology
The team tried out the following removal services (price in parentheses):
- Confidently ($120)
- DeleteMe ($129)
- EasyOptOuts ($19.99)
- IDX ($139.92)
- Kanary ($179.88)
- Optery ($249)
- ReputationDefender ($99)
On the following 13 people-search sites (many of which you will likely recognize):
- BeenVerified
- CheckPeople
- ClustrMaps
- Dataveria
- Intelius
- MyLife
- Nuwber
- PeopleFinders
- PublicDataUSA
- Radaris
- Spokeo
- ThatsThem
- Whitepages
The test assigned four volunteers to each of the seven services and searched to see how many profiles could collectively be found across all 13 people-search sites, with a four-person control group manually opting out of each site instead of using a paid removal service.
Perhaps the main limitation of the findings is the small sample size, as four data points (one per individual) for every service is nothing in the research world, but the findings strongly correlate with the lived experience many people have: removing your data from data brokers is hard. Very hard.
The Results
This was the overall performance of the seven removal services tested:
The first takeaway? The team found 332 total profiles on the 32 volunteers across the 13 people-search sites they tested, meaning the average volunteer had a profile on nearly every one of the sites included (10.375/13).
Second? Only 35% of profiles were removed within 4 months across the seven paid removal services, and just two of those services were able to remove over 50% of the profiles discovered.
For contrast, the manual opt-out control group discovered 47 profiles on the four individuals within the group. 36 of the 47 profiles were removed within a month of the opt-out request, giving it the highest success rate of nearly 70%.
Beyond being a scathing indictment of the efficacy of people-search removal services, the report shows that the larger issue of data privacy persists even as efforts to protect people ramp up.
What We Can Do About It
Modern culture cannot be this bad at privacy. If we have little control or remedy over the data practices of the worst offenders online, how are we ever going to move the needle on an issue everyone agrees needs fixing?
Regulators, consumers, and businesses all have a role to play in combating the degradation of data privacy and protection online.
The Regulator
State-level data privacy laws must put higher requirements on data brokers, as companies like people-search sites help spread personal data across the internet like wildfire, and in many cases without consent or knowledge that it’s even happening.
California and Texas, for example, require data brokers to register with the state so that it can keep a closer eye on them, but an annual registry should be mandated by every state-level data privacy law.
To reinforce this commitment to data privacy, regulators must call for data brokers to conduct impact assessments and submit a record of processing activities on at least a yearly basis, with data brokers handling large amounts of sensitive data required to submit even more frequent assessments.
A patchwork approach only encourages loophole exploitation and other bad faith tactics, and if a federal law such as the American Privacy Rights Act is not going to pass, states need to come to an implicit agreement on where the floor for privacy should be.
The Individual
For individuals, be vigilant and persistent with your data rights and privacy. Understand which organizations likely have your personal data and don’t be afraid to opt out and do the manual work required to remove your data from sites. It is not a perfect solution, but the more requests companies receive, the more likely they are to prioritize handling them.
The Company
Companies themselves, even if they are not data brokers, also must reckon with the state of data privacy. They must understand that trust is a primary driver in consumer behavior precisely because of how often people get burned by data collection practices.
They must understand that exemptions for publicly available information in data privacy regulations do not make it okay to ignore data minimization principles and data retention schedules, or to buy this data from third parties like people-search sites.
And most importantly, companies must understand that if you do not know where data lives within your organization and who has access to it, you cannot govern it.
Any organization that is committed to data privacy and security should be using a comprehensive and continuous data mapping solution, because without one there is little chance to complete deletion requests properly or identify the full scope of risk, internally and externally.
Interested in finding that solution? Talk with us and we’ll show you how MineOS’s data mapping powers privacy programs worldwide.