How to stop Uber, Hulu, Pornhub, and more from selling your data

California’s new privacy law’s most powerful and controversial feature is the right to stop companies from selling data they collect on you to other companies. Here’s how you can take advantage.

How to stop Uber, Hulu, Pornhub, and more from selling your data
[Photos: Victor Metelskiy/iStock; marinzolich/iStock; mattesimages/iStock; Flickr user Martin Jambon]

On January 1, the country’s biggest online privacy law came into force. The California Consumer Privacy Act prompted a mad dash to comply for any company that does business in California—which is pretty much any company, as the state has nearly 40 million people and the world’s fifth largest economy. This counts not only for tech companies such as Google, but for any company, such as a retailer, that collects any user data online or offline. While only required to offer new protections to Californians, many companies have extended at least some of these rights to all users. So no matter where you live, the CCPA may strengthen your privacy.


The law enshrines a lot of new rights, such as the ability to see the data a company already has collected on you and the requirement that the company delete all that data if you tell them to. Perhaps the biggest right—and certainly the most contested—is the ability to stop companies from selling your data to other companies, such as advertisers. A company that sells user data even has to provide a big “Do Not Sell My Personal Information” link on its website, directing people to opt-out instructions.

Selling data could be the most aggravating thing for consumers. It’s one thing if a company I have a relationship with collects data I voluntarily share, such as photos on Facebook or my address for Amazon delivery. It’s another thing if they cash in on my info so other companies I’ve never heard of can profile me—without my knowledge or consent.

A sale doesn’t have to be in dollars. If a company gets something in trade or any other benefit for passing your data on to others, CCPA considers it a sale. That could even extend to peppering its website with cookies or code that allow advertisers to track your activity on the site. One key exception to “selling” is if a company sends data to a “service provider”—say if an e-commerce site shares your credit card number and address with a payment processor to enable the sale.

Companies are carefully parsing the CCPA language to explain that they are not data sellers. Some of the biggest companies making that argument include Google, Facebook, Amazon, Microsoft, eBay, Twitch, Walmart, LinkedIn, Pornhub, and Lyft. Privacy advocates, regulators, or the courts may challenge any of those claims in the future.

Other major companies say they do sell data and offer easy tools to opt out. And even some who say they don’t sell data offer tools to restrict how they use your info. So with the CCPA finally in force, I analyzed the data sale policies for some of the biggest consumer-facing companies, in terms of sales, global web traffic, and just how pervasive they are in our lives.

With a few exceptions I’ll mention, these privacy settings work for everyone, not just Californians.


Google (including YouTube)

The Leviathan of tech collects enormous amounts of information about us, some of which influences advertising (as the company details in its privacy policy). But Google operates its own ad networks. That means the user data it captures isn’t being sold to another party—which Google argues makes it exempt from the data sales opt-out restriction in the CCPA. But if you’d like to stop Google from sharing your data with its own advertising division, it offers a tool for anyone to opt out of what it calls “ad personalization.” Just click the slider on the Ad Settings page to turn off personalization.


Whether or not it “sells” data, the social network allows third-party apps you install to access plenty of information, such as your birthday and email address. Services like Spotify that let you sign up through Facebook can do the same. To cut access, head over to Facebook, and go to Settings > Apps and Websites. Under “Active Apps and Websites,” click the checkbox next to any you’d like to disconnect. (This is just one of our top Facebook privacy and security tips.)


The still-giant web portal, now owned by Verizon, has added a “Do Not Sell My Info” link to its privacy dashboard, which leads to a simple toggle switch. While there, you can also turn off other kinds of ad targeting that Yahoo itself uses to market to you, based on factors like your geographic location and search history.


The home of short messages is short on info here. Although generally quite detailed (and readable), its new privacy policy fails to directly address the CCPA or whether it sells information. However, anyone can opt out of ads that Twitter itself delivers to users based on their personal details by visiting the “Personalization and data” settings page and turning off “Personalized ads.”


The king of kink is a bit coy. Its updated privacy policy says the company hasn’t sold data in the past 12 months (a key threshold for the CCPA). But you can email to proactively opt out of possible data selling in the future. I sent an opt-out request and am waiting to hear back from them.



The streamer’s surprisingly frank privacy policy confesses to being unsure whether the way it shares data will count as a sale under California law. Meanwhile, you can stop Spotify from getting info about you from advertisers’ profiles by toggling off “Tailored ads” in the Privacy settings. There you can also stop Spotify from using any data from your Facebook account to target ads to you.


Following a lecture on what the word “sell” should mean, the tech retailer’s privacy policy says that any users can opt out of data sales by changing the settings for advertiser cookies in their browser and on their mobile devices, with links to Google, Apple, and other companies for instructions. It’s the weakest opt-out assistance I came across.


The online marketplace quibbles over whether the word “sell” should apply to “interest-based advertising,” then grudgingly admits that all users can opt out of these ads. Just click the “Privacy Policy” text on the very bottom of the home page to launch a pop-up window. Scroll to and toggle off “Personalized Advertising.”


The largely ad-supported video service states that it allows only Californians to opt out of data sales. But colleagues in other states had no problems taking action. Like me, they just went to the Privacy section of their account settings and clicked to opt out.



The real estate site gets points for coming clean that advertiser cookies and other ad trackers on its sites are a form of data selling. To disable them, click on Cookie Preference at the bottom of the home page and toggle off “Advertising Cookies.” The company also explains how to change cookie settings on sister sites Trulia and Hotpads.


The ride-share king also gripes about the word “sale” in its privacy policy but provides a simple toggle to disable sharing your data with advertisers. This feature appears on the privacy page for “California Consumers” but works for out-of-staters, too.

About the author

Sean Captain is a Bay Area technology, science, and policy journalist. Follow him on Twitter @seancaptain.