Whether any of this affects a given consumer depends entirely on where they live. There is no federal baseline. The 21 states with opt-out protections vary in scope, and residents elsewhere largely have no legal basis to submit requests at all.

Even within covered states, the rights are structurally narrow. Consumers must typically file requests one company at a time, working through each platform's individual process. That structure creates significant friction before any manipulative design enters the picture in practice, it can mean a long series of company-by-company submissions for anyone with an active online presence.

A separate FTC staff report examining nine major social media and video streaming companies, including Meta, YouTube, ByteDance's TikTok, and Snap, found that users and non-users alike had little or no way to opt out of how their data was used by the platforms' automated systems, regardless of what state law technically permitted (FTC, September 2024). Having a right and being able to exercise it are different things.

EPIC's eight-category taxonomy maps recognizable territory. Some platforms offer no clear opt-out mechanism at all. Others bury the link several clicks deep, require users to log in or pay for a subscription before accessing the form, or route people through multiple separate submission flows to complete what should be a single request (EPIC, May 2026). The subtler tactics live in the language: phrasing that implies opting out carries consequences, confirmation screens vague enough to leave users unsure whether the request went through, and checkboxes pre-selected to share data by default.

The FTC-led global review found the most common tactics were "sneaking" hiding or delaying disclosure of information that might affect a consumer's decision and "interface interference," which includes pre-selecting data-sharing options and visually de-emphasizing privacy controls to steer users toward choices that benefit the platform (FTC/ICPEN/GPEN, July 2024).

The business logic is not complicated. The FTC's social media staff report found that targeted advertising, fueled by mass data collection, accounts for most of the revenue at many major social media and video streaming companies, and that this model is structurally in tension with user privacy (FTC, September 2024). When opting out reduces revenue, friction in the opt-out process is a product decision.

The GM case shows the real-world stakes. The FTC alleged that GM and its OnStar subsidiary collected precise geolocation and driving behavior data from millions of vehicles and sold it to consumer reporting agencies without adequately notifying drivers or obtaining their consent (FTC, January 2025). According to the complaint, location data was collected as frequently as every three seconds for some users. These are allegations in a proposed settlement, not adjudicated findings. Under the proposed order, GM and OnStar would be banned for five years from disclosing that data to consumer reporting agencies, which had used it to compile reports that insurance companies then used to deny coverage and set rates.

One GM customer, after discovering what had happened, told a company representative: "When I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. Nothing. [..] You guys are affecting our bottom line. I pay you, now you're making me pay more to my insurance company."

Opt-outs that appear to succeed sometimes don't hold, either. The FTC's social media investigation found that some platforms failed to fully delete user data after receiving deletion requests, and that companies often retained data indefinitely including data on people who never had an account and therefore never had an opt-out to submit. The FTC called those data minimization and retention practices "woefully inadequate" (FTC, September 2024).

The Avast case illustrated a distinct failure mode: a privacy tool that was itself the surveillance mechanism. The FTC alleged that Avast collected detailed, re-identifiable browsing histories through its own antivirus software and browser extensions, claiming to protect users from third-party tracking, then sold that data to more than 100 third parties through its subsidiary Jumpshot without adequate notice or consent. The FTC finalized a settlement requiring Avast to pay $16.5 million and permanently barring it from selling browsing data for advertising (FTC, June 2024). The order also required deletion of all previously transferred data and any products derived from it.

Where consumers live determines what tools are available. Residents of the 21 states with opt-out protections have a legal basis to submit requests to stop the sale or sharing of their data; those elsewhere largely do not. Even within those states, rights vary and require action per company rather than a blanket preference.

The most practical near-term option for residents in covered states is a universal opt-out mechanism a browser-level signal that automatically sends an opt-out request to every site visited, without requiring individual form submissions. Some states, including California, already require companies to honor these signals. EPIC recommends more states mandate compliance, which would reduce the per-site burden that currently makes exercising rights impractical at scale (EPIC, May 2026).

EPIC also recommends that more states follow California's lead in adopting a universal deletion mechanism, letting residents request data deletion across multiple companies through a single process rather than navigating each company's individual opt-out flow (EPIC, May 2026). For everyone outside covered states, the honest assessment is that the tools are limited and the burden falls almost entirely on the consumer.

EPIC's conclusion is direct: consumers cannot effectively protect their own privacy by exercising opt-out rights as currently designed. The report calls on states to replace the notice-and-choice framework with strong data minimization standards legal requirements limiting what companies can collect in the first place, rather than placing the burden on users to navigate systems built to frustrate them (EPIC, May 2026).

The FTC's social media staff report arrived at the same position from a different direction, recommending that Congress pass thorough federal privacy legislation establishing baseline limits on data collection, and calling on companies to implement enforceable data minimization and deletion policies rather than waiting for legal compulsion (FTC, September 2024).

The enforcement record offers some signal. The GM proposed order, the finalized Avast settlement, and the FTC's click-to-cancel rule which requires that canceling a subscription be no harder than signing up for one (FTC, October 2024) each apply the same underlying principle: exit should be as easy as entry. The open question is whether regulators will codify that principle into baseline rules that apply to everyone, or whether it remains a standard reached only when individual cases get litigated. Given what the prevalence data shows, the latter is unlikely to be enough.