35 Data Brokers Were Caught Hiding Their Opt-Out Pages from Google

A Senate investigation found data brokers using noindex tags and robots.txt to hide opt-out pages from search engines. Here's what they did and how to fight back.

Written by GhostMyData Team · April 18, 2026 · 12 min read

What the Investigation Found

In 2024, a joint investigation by CalMatters and The Markup revealed something that privacy advocates had long suspected but could not prove at scale: dozens of data brokers were deliberately hiding their opt-out pages from Google and other search engines. The investigation analyzed the technical configurations of data broker websites and found that at least 35 companies were using specific web technologies to prevent their privacy and opt-out pages from appearing in search results.

This meant that when a consumer searched Google for something like "how to opt out of [company name]" or "[company name] delete my data," the broker's actual opt-out page would not appear in the results — even though the page existed on the broker's website. The consumer would find blog posts, Reddit threads, and third-party guides, but not the official page they needed.

The discovery triggered a Senate probe led by Senator Maggie Hassan, who sent formal letters to the identified companies demanding explanations. The investigation found that at least five major data companies — Comscore, IQVIA Digital, Telesign, 6sense Insights, and Findem — were actively blocking their opt-out pages from search indexing. Four of the five removed the blocking code after Senate pressure. One — Findem — had not complied as of the time of reporting.

But those five companies are the ones a US Senator personally pressured. The other 30+ identified by CalMatters and The Markup represent a broader pattern of deliberate obstruction that the data broker industry has never been held accountable for.

How Data Brokers Hide Opt-Out Pages: The Technical Tactics

The investigation documented several specific technical methods data brokers use to prevent search engines from indexing their opt-out pages. Understanding these tactics is important because they reveal that hiding opt-out pages is not accidental — it requires deliberate engineering decisions.

Tactic 1: The noindex Meta Tag

The most common method is adding a noindex meta tag to the HTML of the opt-out page. This is a single line of code in the page header:

`<meta name="robots" content="noindex">`

When Google's crawler encounters this tag, it obeys the instruction and excludes the page from its search index. The page still exists and is fully functional — it simply cannot be found through Google. The CalMatters/Markup investigation found this was the single most common tactic, used by the majority of the 35+ identified brokers.

What makes this particularly revealing is that these same companies do not place noindex tags on their search pages, their pricing pages, or their marketing content. The tag appears specifically and exclusively on pages related to opt-out, data deletion, and privacy requests. This is not a site-wide configuration error. It is a targeted decision.

Tactic 2: Robots.txt Blocking

The robots.txt file sits at the root of a website and tells search engine crawlers which paths they are allowed to crawl. Some data brokers add their opt-out page URLs to their robots.txt file with a Disallow directive:

`Disallow: /optout`

`Disallow: /privacy/delete-my-data`

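This prevents Google from even crawling the page, so its content is never read or indexed. A disallowed URL can still be listed without a title or description if other sites link to it, but the page content itself stays out of the index. Like the noindex tag, this is a deliberate configuration. Website operators must specifically add these rules; they do not appear by default.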

Tactic 3: Deep URL Nesting and Obfuscation

Some brokers do not technically block their opt-out pages from search engines but make them virtually impossible to find through normal navigation. Tactics include:

  • Burying the opt-out page 4 to 6 clicks deep within the site with no direct navigation links
  • Using non-descriptive URLs like /page/73892 or /form/request-type-7 instead of /optout or /delete-my-data
  • Omitting the opt-out page from the site's XML sitemap (which tells search engines about important pages)
  • Not linking to the opt-out page from any other page on the site, which prevents Google from discovering it through crawling

Without internal links or sitemap inclusion, even pages that are not technically blocked may never be indexed by Google because the crawler never finds them.
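The two signals from this list that can be measured mechanically are click depth and sitemap inclusion. The sketch below is an added example, not code from the investigation or from GhostMyData: it walks the internal links of a site breadth-first to get the fewest clicks to a target page and checks whether the page is listed in the sitemap. The site, its pages and the `broker.example` host are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def click_depths(pages, start):
    """Breadth-first walk of same-site links: {url: fewest clicks from start}."""
    depth, queue = {start: 0}, deque([start])
    while queue:
        url = queue.popleft()
        parser = LinkCollector()
        parser.feed(pages.get(url, ""))
        for href in parser.hrefs:
            nxt = urldefrag(urljoin(url, href)).url
            if urlparse(nxt).netloc == urlparse(start).netloc and nxt not in depth:
                depth[nxt] = depth[url] + 1
                queue.append(nxt)
    return depth

def sitemap_urls(xml_text):
    """Every <loc> in a sitemap, whatever its XML namespace prefix."""
    # For sitemaps fetched from untrusted sites, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter() if el.tag.endswith("loc") and el.text}

def discoverability(pages, sitemap_xml, start, target):
    """How a crawler could find `target`: click depth (None = orphan) and sitemap listing."""
    return {"clicks": click_depths(pages, start).get(target),
            "in_sitemap": target in sitemap_urls(sitemap_xml)}

# Constructed site; broker.example is a placeholder, not a real broker.
B = "https://broker.example"
PAGES = {
    B + "/": '<a href="/search">Search</a> <a href="/legal">Legal</a>',
    B + "/legal": '<a href="/legal/policies">Policies</a>',
    B + "/legal/policies": '<a href="/legal/policies/requests">Requests</a>',
    B + "/legal/policies/requests": '<a href="/form/request-type-7">Form</a>',
}
SITEMAP = ('<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">'
           f"<url><loc>{B}/</loc></url><url><loc>{B}/search</loc></url></urlset>")
```

On the constructed site, the form at `/form/request-type-7` is four clicks from the home page and absent from the sitemap, while a page that nothing links to comes back with `clicks` set to `None`.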

Tactic 4: CAPTCHA Walls on Opt-Out But Not on Search

This tactic is not about search engine visibility but about making the opt-out process deliberately harder than the data-search process. Several brokers require users to complete CAPTCHA challenges, multi-step identity verification, or account creation to access the opt-out form — while allowing anyone to search and view personal data with no friction whatsoever.

The asymmetry is the tell. If a CAPTCHA is necessary for security, it should apply equally to searching for someone's personal information and to requesting deletion of your own data. When CAPTCHAs appear only on the opt-out side, it is a friction mechanism, not a security measure.

Tactic 5: JavaScript-Only Rendering

Some brokers build their opt-out pages using JavaScript frameworks that render content only after the page loads in a browser. While Google has improved its ability to render JavaScript, not all search engines process JavaScript pages reliably. By making the opt-out page a client-side rendered application while keeping marketing pages server-rendered (and easily crawlable), brokers create a technical disparity that reduces opt-out page visibility.

Why This Matters for Your Privacy

The implications of this practice go beyond individual inconvenience. When data brokers systematically hide their opt-out pages from search engines, they undermine the entire framework of consumer privacy rights.

Privacy laws become unenforceable in practice. The CCPA, VCDPA, CPA, and other state privacy laws grant consumers the right to delete their personal information from data brokers. But a right that cannot be exercised is not a right at all. If consumers cannot find the mechanism to request deletion, the legal protection exists on paper only.

The burden shifts entirely to the consumer. Privacy laws were designed to place the burden of compliance on businesses, not consumers. When a broker hides its opt-out page, it forces consumers to spend additional time, effort, and expertise to locate a page that should be trivially findable.

It reveals the industry's true incentives. Data brokers profit from collecting and selling your personal information. Every deletion request reduces their inventory and costs them processing time. Hiding the opt-out page is a rational economic decision for a company that views your data as its product and your privacy as its cost center.

It affects the most vulnerable disproportionately. People who most urgently need to remove their data — domestic violence survivors, stalking victims, people fleeing abusive situations — are often under time pressure and emotional stress. Making opt-out pages unfindable creates a barrier that hits the most vulnerable hardest.

The Senate Response

Senator Maggie Hassan's investigation put public pressure on the most egregious offenders, but the response also highlighted the limitations of the current regulatory framework.

The Senator's office sent letters to the five companies identified as blocking opt-out pages from Google. Four complied by removing the blocking code. One did not. There were no fines, no penalties, and no new legal requirements imposed.

The investigation prompted calls for legislation that would explicitly require data brokers to make their opt-out mechanisms easily discoverable through standard search engines. As of 2026, no such federal law has been enacted. The American Data Privacy and Protection Act (ADPPA) has been proposed at the federal level but has not passed.

At the state level, California's DELETE Act (SB 362) and the upcoming DROP platform partially address this problem by creating a centralized deletion mechanism. But DROP covers only the approximately 530 data brokers registered with California — a fraction of the more than 4,000 data brokers operating in the United States.

Which Brokers Were Caught

The CalMatters/Markup investigation identified 35+ data brokers using one or more of these opt-out concealment tactics. While not all were named publicly in initial reporting, the companies that received the most scrutiny include:

  • Comscore — used noindex tags on privacy and opt-out pages (removed after Senate pressure)
  • IQVIA Digital — blocked opt-out pages via robots.txt (removed after Senate pressure)
  • Telesign — noindex tags on data deletion request pages (removed after Senate pressure)
  • 6sense Insights — opt-out page excluded from search indexing (removed after Senate pressure)
  • Findem — blocked opt-out page from Google (had not complied as of reporting)

The remaining 30+ companies span categories including people-search sites, marketing data aggregators, advertising technology firms, and analytics companies. The common thread is that all are in the business of collecting and monetizing personal data, and all made deliberate technical decisions to make it harder for consumers to exercise their privacy rights.

It is worth noting that these are only the companies that were caught and publicly reported. The investigation methodology — checking for noindex tags and robots.txt rules — can only detect the most obvious forms of concealment. Brokers using subtler tactics such as deep nesting, missing sitemap entries, or JavaScript-only rendering would not have been identified through the same analysis.

What This Means for You

If you have ever searched Google for how to opt out of a data broker and felt like you were going in circles, this investigation validates your experience. You were not failing to find the page because you were searching incorrectly. In many cases, the page was intentionally hidden from you.

This also means that manual opt-out — the process of finding each broker's opt-out page, submitting a request, and verifying completion — is even harder than it appears on the surface. You are not just fighting each broker's individual opt-out process. You are fighting against deliberate engineering designed to prevent you from starting the process in the first place.

For data brokers that do surface their opt-out pages in search results, the process is still time-consuming. For brokers that hide them, it can be nearly impossible without direct knowledge of the specific URL. And with over 4,000 data brokers operating in the US, no individual consumer can reasonably audit the technical configurations of every broker's website.

How GhostMyData Bypasses These Barriers

GhostMyData does not rely on finding opt-out pages through Google. Our platform maintains a direct database of opt-out mechanisms, privacy contact emails, and deletion request endpoints for 1,500+ data brokers — including brokers that hide their opt-out pages from search engines.

Here is how we handle the specific tactics the investigation uncovered:

For noindex and robots.txt blocking: We maintain verified, up-to-date opt-out URLs for every broker in our database. We do not need Google to find these pages because we have already found them through direct research and continuous monitoring.

For deep nesting and obfuscated URLs: Our team identifies and catalogs the actual opt-out endpoints regardless of how deep they are buried in a broker's site structure. When a broker moves or renames their opt-out page, we update our records.

For CAPTCHA-gated opt-outs: Our automated removal system handles CAPTCHA challenges on your behalf using specialized solving technology integrated into our submission pipeline.

For legal deletion requests: For enterprise data brokers that may not have a web-based opt-out form, we send legally mandated deletion requests via email using CCPA, VCDPA, and other applicable state privacy laws. These legal requests do not depend on the broker's opt-out page being findable — they go directly to the broker's privacy or legal department.

The net effect is that the barriers the CalMatters/Markup investigation documented — barriers designed to prevent you from exercising your privacy rights — do not apply when GhostMyData handles the process on your behalf.

Automate Your Privacy with GhostMyData

The data broker industry has demonstrated, through both its business model and its technical decisions, that it does not want you to exercise your privacy rights. Hiding opt-out pages from search engines is just one manifestation of an industry that profits from your data and treats your privacy as an obstacle.

GhostMyData exists to shift that balance. We scan 1,500+ data broker sites, submit removal requests through every available channel — web forms, direct URLs, legal emails — and continuously monitor for your data reappearing.

Start your free privacy scan to see which brokers have your information, including the ones that have made their opt-out pages deliberately hard to find.

Frequently Asked Questions

Is it legal for data brokers to hide their opt-out pages?

Currently, there is no federal law in the United States that specifically requires data brokers to make their opt-out pages discoverable through search engines. State privacy laws such as the CCPA require that businesses provide a "clear and conspicuous" link on their website for consumers to opt out of the sale of personal information, but the interpretation of "clear and conspicuous" has not been litigated in the context of search engine indexing. The practice exists in a legal gray area that favors the brokers.

How can I check if a broker is hiding its opt-out page?

You can perform a site-specific Google search using the format: site:example.com optout (or "opt out" or "delete my data"). If the broker has an opt-out page but it does not appear in this search, it may be blocked from indexing. You can also check a page's source code for the noindex meta tag or use Google's URL Inspection Tool in Search Console (if you have access) to see whether a page is indexed.
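The source-code check described here, together with the robots.txt rule from Tactic 2, can be scripted. The following is an added example, not code from the investigation or from GhostMyData: it takes a page's HTML, its response headers and the site's robots.txt and reports every reason a crawler would keep the page out of its index. It goes slightly beyond the article by also checking the `X-Robots-Tag` response header, which carries the same directive as the meta tag; the sample inputs and the `broker.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

class RobotsMeta(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="googlebot">."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").strip().lower() in ("robots", "googlebot"):
            self.directives |= {d.strip().lower() for d in a.get("content", "").split(",")}

def audit_page(url, html, headers, robots_txt, agent="Googlebot"):
    """Return every reason found for `url` being kept out of a search index."""
    reasons = []
    rules = RobotFileParser()
    rules.parse(robots_txt.splitlines())
    if not rules.can_fetch(agent, url):
        # In practice a crawler stops here and never sees the tag or header below.
        reasons.append("robots.txt disallow")
    meta = RobotsMeta()
    meta.feed(html)
    if meta.directives & BLOCKING:
        reasons.append("meta noindex")
    # The same directive can be sent as an HTTP response header (unprefixed form only).
    header = next((v for k, v in headers.items() if k.lower() == "x-robots-tag"), "")
    if {d.strip().lower() for d in header.split(",")} & BLOCKING:
        reasons.append("X-Robots-Tag noindex")
    return reasons

# Constructed sample inputs; broker.example is a placeholder, not a real site.
ROBOTS = "User-agent: *\nDisallow: /privacy/delete-my-data\n"
OPTOUT_HTML = '<html><head><meta name="robots" content="noindex"></head><body>Opt out</body></html>'
PRICING_HTML = "<html><head><title>Pricing</title></head><body>Plans</body></html>"

if __name__ == "__main__":
    base = "https://broker.example"
    print(audit_page(base + "/optout", OPTOUT_HTML, {}, ROBOTS))
    print(audit_page(base + "/privacy/delete-my-data", PRICING_HTML,
                     {"X-Robots-Tag": "noindex, nofollow"}, ROBOTS))
    print(audit_page(base + "/pricing", PRICING_HTML, {}, ROBOTS))
```

Running the same audit over a site's pricing or search pages alongside its opt-out pages shows whether the exclusion is site-wide or targeted, which is the asymmetry the article describes under Tactic 1.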

Did the Senate investigation lead to any new laws?

Not yet. The investigation resulted in four of five identified companies removing their opt-out page blocks, but no new legislation was enacted as a direct result. Several bills have been proposed at the federal level, including the American Data Privacy and Protection Act, but none have passed as of 2026. California's DELETE Act addresses the broader problem by creating a centralized deletion platform, but it only covers brokers registered in California.

How many data brokers are hiding their opt-out pages?

The CalMatters/Markup investigation identified 35+ brokers using verifiable concealment tactics such as noindex tags and robots.txt rules. The actual number is likely much higher because subtler methods — such as deep URL nesting, missing sitemap entries, and JavaScript-only rendering — are harder to detect through automated analysis. There has been no comprehensive audit of all 4,000+ US data brokers.

Does California's DROP platform solve this problem?

Partially. The DROP platform, launching August 1, 2026, will allow California residents to submit a single deletion request to all registered data brokers in the state (approximately 530 companies). This eliminates the need to find individual opt-out pages for those brokers. However, DROP does not cover unregistered brokers or companies outside California's jurisdiction. GhostMyData covers 1,500+ data sources and works for residents of all 50 states. The two are complementary.
