How to Stop Companies Selling Your Data

TL;DR: You can stop companies from selling your personal data by enabling Global Privacy Control (GPC) in your browser, submitting CCPA/CPRA opt-out requests to individual companies, using PrivacyFetch to identify which companies sell data, and filing complaints with regulators when companies do not comply. The process takes effort, but legal frameworks in California, Colorado, Connecticut, and other states give you enforceable rights to opt out of data sales.

Why Are Companies Selling Your Data?

Personal data is a commodity. Companies sell it because it is profitable. Your browsing habits, purchase history, location data, and demographic information are packaged and sold to advertisers, data brokers, insurance companies, political campaigns, and other buyers.

Under the California Consumer Privacy Act (CCPA) and its successor the California Privacy Rights Act (CPRA), "selling" data includes any exchange of personal information for monetary or "other valuable consideration." This broad definition means that even sharing data with advertising partners in exchange for targeted ad services counts as a "sale."

PrivacyFetch analysis shows that approximately 38% of analyzed companies engage in some form of data selling or sharing that qualifies under this definition. The number is higher in certain industries: 67% of free-to-use apps and 54% of e-commerce companies engage in data selling.

The good news: you have legal tools to stop it.

Step 1: Enable Global Privacy Control (GPC) in Your Browser

Global Privacy Control is the single most effective first step. GPC is a browser setting that automatically tells every website you visit: "Do not sell or share my personal information."

GPC is legally binding in California under the CCPA/CPRA and is recognized in Colorado, Connecticut, Montana, and other states with comprehensive privacy laws. Companies that receive a GPC signal are legally required to treat it as a valid opt-out request.

How to Enable GPC

Firefox:

1. Go to Settings > Privacy & Security
2. Under "Website Privacy Preferences," check "Tell websites not to sell or share my data"
3. GPC is now active on every site you visit

Brave:

1. GPC is enabled by default -- no action needed
2. Verify at Settings > Privacy and security > Global Privacy Control

DuckDuckGo Browser:

1. GPC is enabled by default on desktop and mobile

Safari:

1. Safari supports GPC natively as of recent versions
2. Go to Settings > Safari > Advanced > check "Global Privacy Control"

Chrome:

1. Chrome does not natively support GPC
2. Install a GPC extension like OptMeowt or Privacy Badger
3. Or switch to a browser that supports GPC natively

On Mobile:

• DuckDuckGo Privacy Browser (iOS and Android) has GPC built in
• Firefox Focus (iOS and Android) supports GPC
• Brave Browser (iOS and Android) has GPC enabled by default

Verifying GPC Is Working

Visit globalprivacycontrol.org to verify that your browser is sending the GPC signal. The site will display a confirmation if the signal is detected.

Step 2: Identify Which Companies Sell Your Data

Before you can opt out, you need to know who is selling your data. There are three ways to find out:

Use PrivacyFetch

The fastest method. Search for any company in the PrivacyFetch directory and check the Data Sharing dimension of their privacy score. PrivacyFetch flags companies that:

• Explicitly state they sell personal data
• Share data with data brokers
• Share data with advertising networks for targeted ads
• Use language like "share with business partners for marketing purposes"

Companies flagged for data selling score poorly on the Data Sharing dimension (25% of the overall privacy score).

Check the California Data Broker Registry

California requires companies that meet the legal definition of a data broker to register with the state. The California Data Broker Registry (maintained by the California Privacy Protection Agency) lists hundreds of registered data brokers. If a company is on this list, it is in the business of selling your data.

Read the "Do Not Sell" Disclosures

Under CCPA/CPRA, companies that sell data must include a "Do Not Sell or Share My Personal Information" link on their website. If you see this link in a company's footer, it confirms they engage in data selling (or sharing that qualifies as selling under the law).

Step 3: Submit Individual Opt-Out Requests

GPC covers websites you actively visit, but it does not reach companies that already have your data and sell it behind the scenes -- especially data brokers. For these companies, you need to submit direct opt-out requests.

CCPA/CPRA Opt-Out Request Template

Use this template to submit opt-out requests to companies that sell your data:

Subject: Request to Opt Out of Sale/Sharing of Personal Information (CCPA/CPRA)

To whom it may concern,

I am a California resident exercising my right to opt out of the sale and sharing of my personal information under the California Consumer Privacy Act (Cal. Civ. Code 1798.120) and the California Privacy Rights Act.

Please immediately cease selling and sharing my personal information with third parties, including but not limited to:

• Advertising networks and partners
• Data brokers and data aggregators
• Marketing and analytics companies
• Any other third parties for monetary or other valuable consideration

My identifying information:

• Name: [Your full name]
• Email: [Your email address]
• Account ID (if applicable): [Account number or username]

Please confirm completion of this request within 15 business days as required by law.

I also request that you do not use my personal information for cross-context behavioral advertising as defined under the CPRA.

Regards, [Your name] [Date]

For Non-California Residents

If you live outside California, you may still have opt-out rights depending on your state:

If your state has a privacy law, modify the template above to reference your state's specific statute instead of the CCPA.

For EU/EEA Residents

Under the GDPR, you have the right to object to processing of your personal data for direct marketing (Article 21) and the right to withdraw consent (Article 7). Use the GDPR template from the PrivacyFetch GDPR rights guide instead.

Step 4: Opt Out of Major Data Brokers

Data brokers are the biggest sellers of personal information. They collect data from public records, purchase history, online tracking, and other data companies -- then sell comprehensive profiles to anyone willing to pay.

Here are the highest-priority data brokers to opt out of:

This is not a complete list. The California Data Broker Registry lists over 500 registered brokers. Opting out of all of them manually is time-consuming -- which is why automated tools and services exist to handle this at scale.

Step 5: Opt Out of Advertising Data Sharing

Even companies that do not technically "sell" data often share it with advertising networks. Here is how to limit advertising data sharing:

On Your Devices

• iPhone: Settings > Privacy & Security > Tracking > disable "Allow Apps to Request to Track"
• iPhone: Settings > Privacy & Security > Apple Advertising > disable "Personalized Ads"
• Android: Settings > Privacy > Ads > "Delete advertising ID" (Android 12+) or "Opt out of Ads Personalization"
• Windows: Settings > Privacy > General > disable "Let apps use advertising ID"

On Major Platforms

• Google: myaccount.google.com > Data & Privacy > Ad personalization > Turn off
• Facebook/Meta: Settings > Accounts Center > Ad Preferences > Ad Settings > manage each category
• Amazon: amazon.com/adprefs > disable "Interest-Based Ads"
• Twitter/X: Settings > Privacy and Safety > Ads preferences > disable "Personalized ads"

Industry Opt-Outs

• Digital Advertising Alliance: optout.aboutads.info (opt out of targeted ads from 100+ ad networks)
• Network Advertising Initiative: optout.networkadvertising.org (opt out of behavioral targeting)
• Your Online Choices (EU): youronlinechoices.eu (European equivalent)

Step 6: File Complaints When Companies Do Not Comply

If a company ignores your opt-out request or continues selling your data after you have opted out, you have legal recourse.

Filing a CCPA Complaint

1. Document your opt-out request (save emails, screenshots, dates)
2. Wait 45 days for the company to comply (the legal deadline)
3. If they have not complied, file a complaint with the California Privacy Protection Agency at cppa.ca.gov
4. The CPPA can fine companies up to $7,500 per intentional violation
5. You can also file with the California Attorney General at oag.ca.gov

Filing a GDPR Complaint

1. Document your request and the company's response (or lack thereof)
2. File a complaint with your national Data Protection Authority (DPA)
3. Find your DPA at edpb.europa.eu/about-edpb/about-edpb/members_en
4. DPAs can impose fines up to 4% of annual global turnover

Complaint Template

Subject: Complaint Regarding Failure to Honor Opt-Out of Data Sale

Dear [Regulatory Agency],

I am filing a complaint against [Company Name] for failure to comply with my request to opt out of the sale of my personal information.

Timeline:

• [Date]: I submitted an opt-out request via [email/web form/GPC signal]
• [Date]: [Company response, or note that no response was received]
• [Date]: I confirmed that my data is still being sold/shared [explain how you confirmed]

Supporting documentation is attached.

I request that you investigate this matter and take appropriate enforcement action.

Regards, [Your name] [Your contact information]

How to Monitor Ongoing Data Selling

Opting out is not a one-time action. Companies change their practices, new data brokers emerge, and previously compliant companies may backslide. Here is how to stay on top of it:

• Check PrivacyFetch regularly -- Company privacy scores are updated as policies change. If a company you use drops in score, investigate why. Browse the explore directory to stay informed.
• Re-verify GPC -- Make sure your browser still sends the GPC signal after updates
• Review new account sign-ups -- Before creating accounts with new services, check their PrivacyFetch score and data sharing practices
• Set calendar reminders -- Re-check data broker opt-outs annually, as some brokers re-add profiles over time

Key Takeaways

• Approximately 38% of companies analyzed by PrivacyFetch engage in data selling or sharing
• Enable Global Privacy Control (GPC) in your browser as the first line of defense -- it is legally binding in multiple states
• Submit direct opt-out requests to companies that already have your data, especially data brokers
• Use PrivacyFetch to identify which companies sell data before you sign up
• File complaints with the CPPA (California) or your national DPA (EU) when companies do not comply
• Opting out is an ongoing process -- review and re-verify regularly

This analysis is based on PrivacyFetch's automated privacy policy analysis. Check any company's privacy score