Don’t Believe Data Brokers Saying Data Deletion Is Snake Oil

March 31, 2025 | Justin Sherman, EPIC Scholar in Residence

States around the country are working to give consumers more control over their data being sold by data brokers—the thousands of firms that comprise a multi-billion dollar industry of companies collecting, aggregating, analyzing, and selling and sharing people’s data. California regulators are implementing the Delete Act, which requires that by January 1, 2026, the California Privacy Protection Agency provides consumers with an accessible, one-stop-shop website where they can tell some third-party data brokers to stop selling some of their data; Vermont, Nebraska, and Illinois just introduced their own Delete Acts, too.

While the states work away on rules for the highly unregulated data broker industry, brokers and their allies are rolling out the attacks. The latest target? Companies providing consumers with data deletion and opt-out services, so-called authorized agents that act on people’s behalf. The International Association for Privacy Professionals (IAPP) published an op-ed on February 13 from the vice president and general counsel of the Network Advertising Initiative, an adtech trade group, arguing that some authorized agent providers are “selling privacy snake oil” and that “it needs to stop.”

The op-ed nominally pointed out places where some providers could improve their offerings, yet it simultaneously painted with a broad brush implying that the industry in general misleads consumers, fails to effectively exercise consumers’ rights, and creates more privacy concerns than it addresses. These arguments are misleading, do not offer specific alternatives for quickly and effectively processing consumer requests, and shift the focus away from data brokers amassing people’s data without their knowledge or actual consent in the first place. Hidden within the language, these narratives also highlight that data brokers are looking to defy their subjects’ consent requests unless the law compels them—outright rejection of consumer will.

As a current and former advisor to companies in the privacy tech and data deletion spaces, I’ll be one of the first to say—as I have spoken about repeatedly—that none of these solutions work “perfectly” in guaranteeing that a consumer’s data will never be sold after the subscription fee is paid and the deletion requests are filed. Certainly, in some cases, this is partly because some companies haven’t designed their services as well as they could to function best for consumers. But to broadly characterize the current data deletion service industry as selling “snake oil” ignores all the work data brokers do to make deletion more challenging, including making the opt-out process difficult for consumers, repopulating databases with people’s data after they requested its deletion, and lobbying against the existence of these rights in the first place—not to mention the fact that the brokers, not the deletion companies, are the ones collecting and selling people’s data to begin with. It avoids the fact that plenty of these authorized agents are offering privacy-focused services attempting to help people fight back against a multi-billion-dollar surveillance machine, a task made all the more difficult by the lack of regulation on the data brokerage industry and the lack of data rights for consumers writ large.

This industry op-ed makes several particular and misleading claims about data deletion companies. First, it says that deletion companies mislead consumers because they market their services to everyone in the United States, not just people who live in states with data deletion rights in law. It is correct that plenty of states do not have consumer data deletion rights. But this argument—focusing on what the deletion companies advertise state-by-state—implicitly clarifies that data brokers find this misleading to consumers because data brokers have no interest in responding to deletion requests unless legally compelled.

After all, if deletion companies offered services to consumers in all states, and brokers respected those expressions of consumer non-consent in all states (legally compelled or not), why would data brokers see an offering in a no-deletion-law state as deceptive? Spoiler alert: they wouldn’t. The op-ed articulates this perspective plainly: authorized agents should stop making requests, it says, that “they aren’t empowered to under the law.” (Some brokers do indeed offer data deletion voluntarily, although such voluntary offerings have few legal safeguards or oversight; many do not.) When a company invades people’s privacy, it still holds blame for not letting people correct those violations through expressing their consent decisions, whether or not a law is in place.

Second, the op-ed says that authorized agents fail to act on real consumer rights. This is supposedly because they send data to data brokers that doesn’t help brokers match a person’s request to the person’s data in the broker’s system. For example, the op-ed says, brokers with people’s device IDs and IP addresses cannot use consumers’ full names and physical addresses to identify the right device IDs and IP addresses to delete; “it is not possible” for a broker to make this pairing in many cases, according to the author.

There are a few points to note here. Many data brokers do in fact sell people’s data with names attached, whether mental health and prescription data or financial information on military service members; such brokers have no reasonable argument that they cannot process a deletion request if that exact same information is submitted in a deletion request from a consumer. While the op-ed doesn’t make this exact argument, it is worth noting as this representation circulates elsewhere in the ether.

For brokers that don’t collect and store people’s physical addresses or names per se (the article’s focus), but which do collect and sell their device IDs and IP addresses, the supposed solution to the data brokers’ collection-caused problems is unclear. Do brokers want deletion companies to submit consumers’ device IDs and IP addresses? It could be possible for a deletion company to, say, pull a person’s device ID and IP address from a mobile app through which they submit their request—although the authorized agent would be doing it (there is little chance most consumers know their own), and a successful request for a consumer would depend on covering all the device IDs and IP addresses they have ever had (not plausible for a request submitted from one device at one time), in the event multiple IDs for one person exist in the broker’s system, and thus should be deleted, but are not tied together. A request based on this data could also be thrown off if a broker has other data files on a person that are linked to a broker’s internally created identifier but not to the device ID or IP address the person submits. Do brokers want consumers and authorized agents to submit names and physical addresses, with brokers legally required to connect those data points to device IDs and IP addresses for deletion, to close some of these gaps? Something else to facilitate compliance? It seems that data brokers would rather throw up their hands and claim that deletion is not possible, all the while connecting hundreds or even thousands of data points about people in their systems.

Lastly, the op-ed argues that data deletion companies are not helping, or are in fact harming, consumer privacy because of how they supposedly transmit deletion request information. A “common scenario” data brokers encounter, the article says, is an authorized agent including “excessive and unencrypted personal information about the consumer, such as full name, birth date, physical address, and even photos of their driver’s license.” Of course, if unencrypted data transmissions were indeed happening, that would be bad from a cybersecurity and privacy perspective, and any companies doing so should correct it. Data brokers would also have to make sure they are making it practically straightforward for authorized agents and consumers to transmit deletion request information to their systems in secure, encrypted formats. 

However, it is difficult to evaluate this claim—which is nominally about just some data deletion companies—because the op-ed gives no specific examples of this taking place. According to a March 2024 public records request in California submitted by Private Rights Clearinghouse, the California Privacy Protection Agency (CPPA) had not received any complaints from consumers or businesses of fraudulent activities associated with authorized agents, nor any complaints related to authorized agents violating California law’s requirement that they “implement and maintain reasonable security procedures and practices” to protect consumer data. (California declined to respond to an updated request that I submitted in March 2025—which also requested information on complaints about data brokers, fraudulent activities, and noncompliance with opt-out requests—citing disclosure exceptions for investigative-related records.) It’s worth stating as well that a company mishandling the processing of data deletion requests wouldn’t be a reason to dismiss data deletion laws altogether.

With seemingly no sense of irony, the op-ed then says that “this indiscriminate sharing of excessive personal information by agents with hundreds of businesses runs deeply counter to good data minimization and security practices.” To say nothing of the data brokers actually gathering and selling tons of data on people in the first place, to unknown numbers of businesses and entities, without people’s actual consent—hardly moral champions of good privacy and security practices. The op-ed continues with:

“Irresponsible agents are depleting business resources that should be allocated to implementing genuine privacy measures instead of responding to voluminous, spurious requests.”

Once again, it begs the question of what these “genuine privacy measures” are if data brokers are not actually getting consumers’ real, fully informed, freely given consent in the first place to collect and sell their data—and are often taking the position that they will dismiss consumers’ expressed non-consent to their practices if the law doesn’t force the brokers to listen.

All told, the article speaks to a few valid points, such as that not all agents design their services in the most effective ways, but recognizing the hidden arguments and rhetorical twists and turns is essential. Most data brokers are, unbelievably and inaccurately, presented as privacy-respecting companies while plenty of unnamed data deletion companies, trying to help give consumers some small measure of control back over their own data, are painted as the bad guys. These narratives—while they may have factual points sprinkled in throughout—obscure the real privacy issues at play, set up scenarios where something like compliance with a data deletion request seems enormously difficult for a broker, and practically speaking leave consumers and their privacy in the dust.
