Another week, another privacy scandal hidden in plain sight.
A new investigation by Consumer Reports reveals that 30% of major brand-name retailers continued to serve targeted ads to consumers even after they sent valid Global Privacy Control (GPC) opt-out signals. Consumers followed the rules, exercised their "right to opt-out" – and were ignored! This is not a bug in the system; it’s the system itself.
But the deeper issue is not just poor compliance. It’s the false promise of opt-out privacy models.
Once your data is shared or sold, it's game over.
You can "opt-out" of future tracking, but there is no meaningful mechanism to claw back the data that’s already been sold, stored, profiled, or traded across a sprawling network of ad tech middlemen and Data Brokers.
The cat is out of the bag, and no "Delete My Data" button will ever fully put it back in.
The Reality of Opt-Out: A Broken System
The test in this report only scratched the surface. It focused narrowly on retargeting ads based on third-party cookies.
If the researchers had used more advanced methods (like active-active monitoring) and dug into server-side data sharing or ID matching, the non-compliance rate would not have stopped at 30% - it would likely have skyrocketed.
Because in reality:
- Most opt-outs only stop the next cookie drop.
They do not stop the downstream data trade. - There is no technical rollback of previously shared data.
If data was sold yesterday, today's opt-out won't unsell it. - Compliance often focuses only on cookie banners, not the data supply chain.
And that's where the real privacy breach happens.
Opt-In Is the Only Way Forward
The only meaningful way to protect consumers is through a default “No” position – where data collection, sharing, and profiling require clear, explicit, informed consent. Opt-in ensures that the data isn’t collected in the first place unless the user actively chooses to share it. That’s real control.
Anything less is a privacy charade. Opt-out mechanisms create an illusion that users can "take back" control – but it’s an after-the-fact, damage-control fantasy in a surveillance economy that runs on non-revocable, non-transparent data trading.
We Need to Change the Narrative
It’s time to stop debating how to enforce opt-out and start demanding opt-in as the default.
Because when privacy is designed around revoking access to data after it's already leaked, we are not protecting consumers - we're protecting an outdated, exploitative business model.
If you care about meaningful privacy, the question isn’t "how do we improve opt-outs?"
The question is: Why aren't we requiring opt-in everywhere?
Your data shouldn’t be a product unless you choose to sell it.
Ronni K. Gothard Christiansen
CEO & Technical Privacy Expert, AesirX.io