Here’s What The “Do Not Sell My Personal Data” Button Does
I clicked them so you don’t have to.
Around 2015, people started realizing that all the stuff they thought they were privately sharing with their friends on Facebook was actually being monetized and exploited for profit. So to combat this, the California Consumer Privacy Act (CCPA) was passed. It said that by 2020, companies have to let users say no to the sale of their personal data. Other states are now passing similar bills.
So what’s “personal data”? The most common form of personal data is your unique IP address — it looks like “184.108.40.206”, and it’s the ID that you automatically give to every site and app you use. Advertisers, data brokers, and tracking companies use your IP to follow you. That’s why if you’re shopping for blue hiking shoes, and then go to read the news on another site, you’ll see ads for blue hiking shoes on the news site. The fact that everyone has a unique IP makes it the most common and easily exploitable personal data.
So this new law passes, and now sites have a “Do Not Sell My Data” button. What do they do? Do they work? I set off to look for the answers at some popular websites:
For shopping sites Bloomingdale’s, Nordstrom, and Lowe’s, the “Do Not Sell My Info” links lead to forms where, ironically, I’m required to give more of my personal data in order to proceed to whatever the next step is. If I’m someone who is privacy-conscious enough to click these buttons, why would I give away my full name, emails, phone number, home address, and even credit card number — to be sent off to another third party that’s going to do god-knows-what with this information? Thanks, but no thanks.
On popular news site The Hill, clicking “Do Not Sell My Data” shows a dialog that links to the privacy policies of the 32 advertising and tracking companies they work with. The “Save & Exit” button makes no sense because there are no options to save, and clicking it does nothing. The “Do Not Sell My Data” button dismisses the dialog without any visible response. Did that… do something? Do I have to click that every time I visit the site? And most importantly, am I expected to read and keep updated with all 32 privacy policies just to read the news in peace? 🤦🏻‍♂️
Clicking “Do Not Sell My Data” buttons on other sites, other issues surfaced:
First, the opt-out forms apparently need to be completed using every browser and device I use to access the apps or sites. So the number of times I have to do this process is (number of sites & apps) * (number of devices) * (number of browsers). The time wasted ends up getting pretty huge, pretty quickly.
Second, I learn that every time I clear my cookies (cookies are another way websites track users), I have to redo everything. So if I attempt to reduce tracking by clearing my cookies, I’m actually also implicitly agreeing to let companies sell my personal data, and I have to opt out on every site again. 🤦🏻‍♂️
Why do we have to find and click a tiny button, fill out forms, give more personal data, and jump through whatever hoops on every single site and app, on every device and browser, in order to not have our personal data sold to third parties? Should we also have to specifically tell every restaurant we dine at to not spit in our food? Or have to specifically tell every plumber we hire to not steal from our homes?
Obviously, nobody wants their personal data to be sold, so a more reasonable system would be for every website to by default not sell users’ personal data, instead of requiring users to opt out.
So if we changed the law to simply penalize companies that sold user data without explicit consent, would that work better?
Nope, that wouldn’t work either — for three reasons:
First, tracking companies are already challenging what “sale” in “sale of data” means — arguing that many instances are a gray area. For example, if TRACKERS-R-US paid ACME App to add a tracker, does this count as “sale”? A high-powered attorney could argue that it’s not, because the data goes directly from users to TRACKERS-R-US, so it’s not owned by ACME — and you can’t sell what you don’t own. Or what if ACME doesn’t get cash, but instead gets a share of revenue or some service in return? Or what if TRACKERS-R-US is branded as an “analytics tool” that’s “crucial” to the functioning of ACME App? These nitpicky questions may seem inane and stupid to you, but the fact that there’s even some tiny chance of ambiguity can create years of litigation and appeals, because companies, like anyone else, are innocent until proven guilty. In these cases, companies don’t need to win — they simply need to drag out the legal battles as long as possible (see Uber).
Second, enforcing laws about what companies should do internally is nearly impossible, because catching violations relies on self-reporting, and also because many violators are outside of the law’s jurisdiction. There’s simply no scalable way to know if companies are selling user data. If a company claims they don’t sell user data, but does it anyway, they’ll get away with it 99.999% of the time, because the only people that know about the violation are themselves. Add a few more 9’s if the company is based outside the USA.
Third, some companies just don’t give a flying f about what the laws say, because they can easily afford the fines, and because the political climate doesn’t exactly lend itself to serious regulatory action against mega-corporations. While companies like CNN and Wal-Mart make attempts to comply by adding “Do Not Sell” links, Facebook (who collects more personal data than anybody else) has completely ignored it, choosing instead to wait for the next slap on the wrist.
If you want companies to not sell your personal data, we know what doesn’t work: It doesn’t work to spend all your free time clicking “Do Not Sell” buttons that probably do nothing, and it doesn’t work to pass regulations that are ultimately ignored or rely on ineffective self-policing.
What works to stop third-party data sharing?
Let’s go to the source: Sites you want to use are simultaneously serving you third-party trackers that you don’t want. Remember news site The Hill from earlier and their 32 tracking companies? You want the news, but you don’t want the third-party data sharing. And if it’s an app (instead of a site), this tracking can even happen in the background, when the app isn’t even open.
The simple solution that we (two ex-Apple engineers) came up with is to directly block the trackers, so that your personal data doesn’t get out to third parties in the first place. This is way more effective than allowing tracking and hoping that apps and sites don’t later sell your info.
We built a free and open source app that you can download right now called Lockdown, and it blocks trackers, ads, and badware in not just your browsers, but all apps. So you don’t have to stop reading the news, online shopping, or playing games — just install Lockdown, push a button to activate it, and then go on living your life — we take care of the rest.
“Wait a second… free? What’s the catch?”, you’re asking, “Are you guys trying to Zuck us over in some hidden, nefarious way?”
Nope. We’re pretty open about how we pay the bills. Lockdown lets you automatically block trackers with its free Firewall, but if you want more protection by hiding your IP address and encrypting your connections (for safety on public wi-fi and insecure sites/apps), you can pay for Lockdown’s fully-audited Secure Tunnel (VPN) service. Revenue goes to keeping the Firewall free and updated with the constantly changing (and increasingly clever) landscape of trackers, ads, and badware.
We believe people and companies that build privacy products have a unique responsibility to be more transparent than any other product line. That’s why Lockdown is 100% open source and openly operated — so that anyone can see what it’s doing, and just as importantly, what it’s not doing.
We built Lockdown because it’s something we wished existed: a simple, transparent, and powerful tool for stopping invasive third-party tracking. We hope it can do the same for you. Get it for free at LockdownHQ.com.
Johnny Lin and Rahul Dewan are ex-Apple engineers who created and maintain Lockdown and the Openly Operated transparency standard.