How to Take Back Control of Online Data With Apps Like Consumer Reports' Permission Slip

The apps use state privacy laws to tell companies to stop sharing your personal data or delete it altogether

By Kaveh Waddell

October 3, 2023

Permission Slip app on phone in person's hand. — CR's Permission Slip helps consumers take advantage of new state privacy laws.

Countless companies keep files on you. That’s the case if you’ve ever signed up for a loyalty program at a grocery store, if you have an account with an online retailer, or if you use apps and websites that require logging in.

It’s probably true even if you’ve done none of those things—data brokers gather information on essentially all consumers, using all kinds of sources.

Until recently, people didn’t have much say in this. However, state laws passed in recent years give consumers more control, including the right to tell companies to stop selling their data to others, or telling them to delete it altogether. It takes a while to make each request, though, and hunting down all the different places your information lives would be an unending battle: California’s attorney general maintains a list of over 500 data brokers.

How to Use Permission Slip

Permission Slip is a free app, available for both iOS and Android devices. It provides information on how more than 100 companies use your personal information, and lets you request that they stop selling it, or that they delete it.

Here’s how to get started.

3 phone screen showing the Permission Slip app — With Permission Slip you can (left to right) browse through companies that hold consumer data, make individual data requests, and use an automatic data-request feature.

Download Permission Slip from the iOS App Store or the Google Play Store and sign up with your email. (Note that this is true even for current Consumer Reports members. Their existing log-on credentials for CR will not work for Permission Slip.)
The app dashboard looks like a stack of cards with company logos on them. Swipe between cards to see the types of information each company gathers. (Cards with a big red dollar sign are data brokers: They compile data from all around the internet to build and sell customer profiles.)
When you find a company you think might have your data, tap on it and scroll down to the “Submit a request” section. Most of the time, you’ll know whether a company is likely to have data on you. If you’ve never shopped at Home Depot, for example, it’s unlikely they’ve got your info.
Data brokers are the exception: You may never have heard of them, but they’ve heard of you. It’s worth submitting requests to data brokers if you’re trying to minimize how your private information is shared.
On each company card, you’ve got two options: “Do not sell my data” and “Delete my account.” Each option has an explanation specific to the company you’re looking at, which can help guide you.
Before you make your first request, Permission Slip will ask for your address and phone number—which companies generally require in order to identify the consumer behind the request—and for your signed permission to act as your authorized agent. Permission Slip only uses this information to make requests on your behalf.

That’s it. You can make as many requests as you like, but be patient because things can take a while. Companies legally have 45 days to respond to requests, and some take even longer. You can track progress in the “Requests” tab. So far, nearly 14,000 users have made more than 200,000 data requests via Permission Slip.

To make the process even easier, you can put your privacy requests on autopilot: Head to the “Auto” tab, where you can sign up for a feature that automatically makes opt-out requests to every data broker in Permission Slip. It’ll send out requests to new data brokers as they’re added, too.

More Authorized Agents to Consider

Services that help you clean up your online presence have existed for years, but the ability to use CCPA data requests supercharged their abilities.

As companies have received more requests from both individuals and authorized agents, they’ve gotten better at responding. Early in 2022, a CR study found that companies were often completely unprepared to deal with authorized agents. In the study, volunteers submitted more than 200 data requests via CR—but fewer than a quarter were successful. (Those were requests to access data, which are more complicated to comply with than opt-out or deletion requests.)

Since then, things have gotten much better: Most authorized agent requests filed through Permission Slip are resolved quickly. “We do our best to let companies know when they will be added to Permission Slip, and often take calls with their privacy teams to figure out how we can best deliver requests,” says Ginny Fahs, a research director at CR who helped launch Permission Slip.

CR has been working to smooth the way, together with a group of other privacy-focused organizations, companies that get a lot of data requests, and software providers that process those requests on the companies’ behalf. Together, this group has developed a “data rights protocol” to standardize authorized agent requests, making it easier for companies to respond.

Three of CR’s data rights protocol collaborators have their own authorized agent services.

Incogni, from the privacy company Surfshark, can make data requests on your behalf to more than 180 data brokers, following up regularly to make sure your information doesn’t pop up again where it shouldn’t. It costs about $13 a month, or $78 if you pay for a whole year at a time.

Mine connects to your Gmail account to gather a list of companies that are likely to have data on you, and helps you make authorized-agent requests to remove your data from the ones you don’t use. The service is free for now, but Mine plans to charge for it in the future.

Yorba connects to your email to assemble a list of your accounts, and it also tracks mailing lists you’re on. It additionally asks to connect to your bank or credit card account to scan your recent payments for recurring subscriptions you might want to cancel. Yorba’s currently in private beta-testing mode.

Several other companies have products that work similarly to Incogni. They include Kanary ($12 a month), Optery ($3.99 to $24.99 a month, depending on how many data brokers you want to target), and PrivacyBee ($16.42 a month).

You probably only need to sign up for one privacy helper, but there’s no real downside to using multiple services, other than subscription costs.

Try Permission Slip!

How Volunteers Are Helping

The list of data brokers and companies holding your data is unthinkably long, and it’s always changing as new players come online or get bought and sold. To help CR keep tabs on companies that fly under the radar, a cohort of volunteers recently donated some of their Facebook data to CR researchers.

More than 1,000 volunteers used Facebook’s privacy tools to download a list of companies that use Facebook to target them with ads. By combining these lists, CR was able to assemble a roster of highly active data brokers that would otherwise have been hard to find.

The researchers likened this study to a sampling well—a method commonly used to test groundwater for harmful chemicals. Engineers drill these wells at a low point where water collects, to detect toxins from a wide area.

“Facebook could be considered a low point in the surveillance marketing ecosystem—consumer data is likely to end up there eventually,” says Don Marti, a CR researcher who co-directed the project. “By collecting samples of data from Facebook, we can start to develop an understanding of the data moving through surveillance marketing programs.”

The study found evidence of widespread data collection. The average volunteer was targeted by more than 2,250 different companies, all of which had uploaded their personal information to Facebook. Many of these companies showed up repeatedly in the study: The average company targeted eight different volunteers.

Researchers are vetting the list of most active companies for inclusion in Permission Slip.

If you have a Facebook account, you can download a list of companies that have uploaded your data to Facebook, too. Some of the companies on the list may be familiar; others will probably be new to you. You can use the list to make data requests directly to companies that don’t yet appear in products like Permission Slip or Incogni.

To view the list, head to the “Access your information” section of your Facebook account settings, then choose the “Ads information” tab. There, click on Advertisers using your activity or information.

To download it—which you can do without viewing the list first—go to Facebook’s “download your information" tool at fb.com/dyi. You can choose to download every detail Facebook has on you, but that could be overwhelming. If you’re just looking for advertisers, download the files labeled “Ads information” and “Apps and websites off of Facebook.” It’ll take a while—usually a few minutes but sometimes up to a day or two—for Facebook to prepare the download. You’ll get a notification on Facebook and in your email when it’s ready to go.

If you’re interested in participating in CR’s future research, sign up here to help shape Permission Slip and make it easier to get your data back from companies and data brokers around the country.

Editor’s Note: Permission Slip was made possible in part through grant support from Omidyar Network, a nonprofit organization that works to build more inclusive and equitable societies.

Fast Company recognized this work in naming CR a 2024 Most Innovative Company. Find out more.

Kaveh Waddell

Kaveh Waddell is an investigative reporter who worked at Consumer Reports from 2020 to 2023, focusing on digital rights and environmental justice. Before that, he reported on emerging technology at Axios and covered digital privacy and surveillance at The Atlantic. Follow Kaveh on X.