
Incognito — September 2025: How Data Brokers Trick the Internet


Laura Martisiute

September 5, 2025

Reading time: 10 minutes

This month: 

  • Data brokers don’t want you to opt out, so they use dark patterns to stop you.
  • Human hacking? Our podcast “What the Hack?” goes inside DEF CON’s Social Engineering Village to reveal how scammers work. Listen here.
  • Essential reading: Learn how scammers are using AI to create near-perfect websites to trick you into sharing sensitive details.
  • Q&A: Different email addresses for different things is the recommendation to improve privacy. Should I be doing the same thing with phone numbers, too?

Even Google Is Stumped by These Opt-Out Pages

A few weeks ago, WIRED co-published an investigation that won’t surprise anyone who’s been following privacy news, but it’s still infuriating.

Under the California Consumer Privacy Act (CCPA), data brokers are legally required to provide an easy way for Californians to request the deletion of data collected about them. But a joint investigation by The Markup and CalMatters found that dozens of brokers are making that process deliberately difficult.

The hard numbers: 35 of the 499 registered data brokers in California are actively blocking search engines from indexing their opt-out or data deletion instruction pages. Google the opt-out page of one of these 35 brokers, and you’re not going to find it, and that’s by design.

After the investigators contacted these data brokers, only nine removed or promised to remove the search blocks from their opt-out pages.

Most didn’t respond. Some data brokers said the hidden pages were an “oversight,” while others said it was intentional (claiming “spam concerns”). 
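
An added example, not code from the investigation or from DeleteMe: one way to audit a page for the standard signals that hide it from search crawlers (a robots meta tag, an X-Robots-Tag response header, or a robots.txt Disallow rule). The newsletter does not say which mechanism each broker used; the URL, HTML, headers and robots.txt below are constructed samples for a hypothetical broker.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for noindex, nofollow

class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"|"googlebot" content="...">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def indexing_blocks(url, html, headers, robots_txt, agent="Googlebot"):
    """Return which signals hide `url` from a search crawler (empty list = none)."""
    findings = []
    meta = RobotsMetaParser()
    meta.feed(html)
    if meta.directives & BLOCKING:
        findings.append("meta-robots")
    # Header form; a value may be scoped to one crawler ("googlebot: noindex").
    # Any scoped or unscoped blocking directive is reported.
    for name, value in headers.items():
        tokens = {t.strip().lower() for t in value.replace(":", ",").split(",")}
        if name.lower() == "x-robots-tag" and tokens & BLOCKING:
            findings.append("x-robots-tag")
    # robots.txt blocks crawling rather than indexing, but it also stops the
    # crawler from reading the page, so the opt-out text never becomes searchable.
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    if not rules.can_fetch(agent, url):
        findings.append("robots.txt")
    return findings

# Constructed sample data for a hypothetical broker, not taken from any real site.
SAMPLE_URL = "https://broker.example/privacy/opt-out"
SAMPLE_HTML = '<html><head><meta name="ROBOTS" content="NoIndex, nofollow"></head></html>'
SAMPLE_HEADERS = {"X-Robots-Tag": "googlebot: noindex"}
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /privacy/opt-out\n"

if __name__ == "__main__":
    print(indexing_blocks(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_ROBOTS))
    print(indexing_blocks(SAMPLE_URL, "<html></html>", {}, ""))
```

An empty result means none of the three signals is present; it does not prove the page is indexed or easy to find.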

Hide-and-Seek

Navigating a data broker’s website to opt out is deliberately difficult. These companies employ various tactics to obstruct the process and prevent you from removing your personal information.

Some brokers, for example, hide opt-out instructions deep within confusing and lengthy privacy policies. Others may use a series of frustrating pop-ups and deceptive overlays that make it nearly impossible to access the opt-out form. In some cases, they claim to have an opt-out page that doesn’t actually exist.

DeleteMe found countless examples of these obstacles in its own research. One data broker stated its opt-out form was in its privacy policy, but the link to the policy was unclickable. Another listed an opt-out email in white text on a white background, making it invisible to the average consumer. This forces people to mail a physical letter instead, creating a significant barrier to data removal.

You can’t make up this stuff. 

It’s Totally Intentional 

User experience (UX) experts, the people who design websites with usability in mind, have a name for these deliberate design tricks: dark patterns. Instead of making a website easier to use, these tactics are designed to make it more difficult for you to perform a necessary task, or worse, to steer you into choosing an option that is not in your best interest.

In 2024, researchers identified 11 distinct dark patterns used by data brokers to make opting out more difficult than it should be. Three stand out: 

  • Privacy maze: Opt-out processes that are unnecessarily complicated.
  • Information overload: Lengthy and confusing disclosure pages that make it time-consuming to find the opt-out instructions.
  • Aesthetic manipulation: Design choices that make opt-outs hard to locate, like bad color contrast with the surrounding text (or the invisible email address we encountered). 

The dark patterns don’t stop once you find the opt-out link. A consumer who locates the opt-out mechanism may then have to jump through even more hoops. You might have to submit separate requests to opt out of the sale and sharing of personal information, solve a CAPTCHA, or verify your identity via email or phone. You may even be asked to provide additional personal details to the data broker before you can submit the request.

After all that, you might hit “submit” and feel like you’re done. But not so fast. Many data brokers do not confirm whether your request has been processed. Others send vague and confusing instructions, sometimes even asking you to mail a photocopy of your driver’s license, creating even more friction and frustration, not to mention personal information exposure.

While some of these tactics are explicitly prohibited by privacy laws like the CCPA, they still happen. Others exist in a legal gray area, where brokers exploit loopholes and push boundaries to make opting out as painful as possible.

How to Fight Back 

DeleteMe knows how to outsmart these tactics, handling the complex and time-consuming process of removing your information from data broker databases and ensuring it stays gone.

If you’re not a DeleteMe user and want to manually handle opt-outs:

  • Anticipate dark patterns. Be prepared to overcome them by paying close attention to every detail, ensuring you don’t miss a required step in your opt-out request.
  • Be patient. The process is designed to be frustrating.

Dark patterns aren’t just a data broker problem, of course. You’ve likely encountered them elsewhere if you’ve ever:

  • Shared more information than you intended (a trick known as “Privacy Zuckering”).
  • Clicked a massive “Accept All” button because the “Reject” option was tiny or buried.
  • Had to wade through a dense privacy policy to find out what you’re agreeing to.

So, how do you fight back against these pervasive design tricks?

  • Recognize the patterns. Once you know what dark patterns look like, you’re less likely to fall for one.
  • Slow down and take control of your choices. For example, if the “Accept All” button is huge, check for a tiny “Manage Settings” or “Reject” link.
  • Use privacy tools. Install tracker blockers, turn on Global Privacy Control, and bookmark websites like Terms of Service; Didn’t Read, which summarizes privacy policies. 
  • Report deceptive practices. Sharing a dark pattern with the Dark Patterns Tip Line and online forums, such as the Dark Patterns subreddit, helps raise awareness. 
  • Use alternatives. Where possible, use products and services that are known for their ethical design. 

Dark patterns are designed to confuse and exhaust you, but once you know how to spot them, you can start to take back control.

We’d Love to Hear from You!

Have a story for our podcast? Any privacy stories you’d like to share, or topics you’d like to see in Incognito? We’d love to hear from you!

Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

“Panama Playlists” Exposes Spotify Habits of Public Figures

A new site called the “Panama Playlists” claims to have exposed the private Spotify accounts of politicians, CEOs, and other public figures, including Vice President JD Vance, Pam Bondi, and White House Press Secretary Karoline Leavitt. The anonymous creator says they’ve been scraping Spotify data since summer 2024, tracking playlists, listening habits, and song histories. 

New AI Smart Glasses Promise “Infinite Memory” but Raise Privacy Concerns

Two Harvard dropouts launched Halo X, AI-powered smart glasses that are “always on”, capable of listening to, recording, and transcribing every conversation while displaying real-time information to the wearer. The glasses aim to provide “infinite memory” and instant knowledge, but have sparked privacy concerns since they lack an external recording indicator. 

AI Allows Scammers to Create Near-Perfect Fake Websites

Cybercriminals are using AI-powered tools to create near-perfect copies of legitimate websites in minutes, making it easier to deceive consumers into sharing their personal and financial data. Recent scams include Joann Fabrics bankruptcy sale sites. These fake, AI-generated sites are often promoted through phishing texts and deceptive ads, making them harder to detect. 

Grok AI Chat Leak Makes Private Chats Public 

Over 370,000 Grok chatbot transcripts were accidentally exposed on Google search results, making private user chats publicly accessible without their knowledge. Although names weren’t directly attached, many transcripts include sensitive personal details, from medical and psychological questions to contact information and even at least one shared password. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Different email addresses for different things is the recommendation to improve privacy. Should I be doing the same thing with phone numbers, too?

A: What a great question! 

If you care about your privacy, the answer is 100% yes. Using a unique phone number for each online service/service type can make a big difference. 

Data brokers and advertisers use phone numbers to link accounts across different platforms, and some social platforms allow advertisers to upload phone numbers to find users. 

Also, if your number is exposed in a data compromise, anyone can use it to connect you to other services you use. 

A unique/temporary phone number breaks the link between your activities on different platforms. If a service sells your number (which happens often), only that specific number will receive spam calls or texts (and you can block or discard it without affecting your normal phone number). 

Here are some general tips:

  • Actual phone number: Essential services/people (e.g., banking, family, etc.).
  • Virtual number: Non-essential service (e.g., social media, certain shopping sites).
  • Burner number: One-time sign-ups or services you don’t plan to use for long. 

Q: I feel like every week I’m agreeing to new terms somewhere, but nothing’s different. What’s the point of all these updates?

A: You’re right, it can feel like a constant stream of updates, and you’re definitely not alone. While it’s easy to get frustrated, these updates are usually a response to a few key factors.

Companies update their terms of service to address new laws and regulations, which helps them avoid legal penalties. They also make changes to cover new technologies and services, with recent updates often focusing on AI and data usage. Other reasons include new partnerships, pricing adjustments, or a need for more legal clarity to protect the company from liability.

Since these agreements are designed to protect the business, companies tend to over-communicate rather than risk a misstep. If you’re tired of sifting through dense legal text, check if there’s a “summary of changes” provided. When you do read the fine print, pay close attention to sections on data sharing, AI, advertising, and dispute resolution.

Q: I got an email threatening me and accusing me of contacting an escort service. Do people really fall for these kinds of scams?

A: Ah, the classic sextortion scam. Yes, unfortunately, they do. 

These messages are designed to feel personal and terrifying, even for those who have done nothing wrong. Scammers often use exposed personal information to make their threats seem more legitimate and believable. This causes victims to panic and do whatever it takes to make the problem go away, often paying the requested ransom. 

That’s why your best defense is to stay informed about the latest scams that are making the rounds.

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

That’s it for this issue of Incognito. Stay safe, and we’ll see you next month.

Laura Martisiute is DeleteMe’s content marketing specialist. Her job is to help DeleteMe communicate vital privacy information to the people that need it. Since joining DeleteMe in 2020, Laura has…
