You Have Data Rights: So Why Are They So Hard To Exercise?

In our main article today, Public Interest Technologist and Senior Product Manager for Permission Slip at Consumer Reports, Sukhi Gulati-Gilbert, breaks down why data rights are so hard to use, how companies make opting out a nightmare, and what privacy tools can do to help consumers take back control.

But first...

The Importance of Women in Technology and Combating Digital Misogyny at UN's CSW69

The 69th session of the UN Commission on the Status of Women (CSW69) is underway, marking the 30th anniversary of the Beijing Declaration. This year, technology is at the forefront of discussions, with a strong focus on digital misogyny and the importance of women's participation in the digital economy.

At the start of the session, 193 UN member states adopted a Political Declaration addressing modern challenges to gender equality, including access to STEM education for women, equitable participation in the digital economy, and improved gender-specific data collection to inform policy. As part of these discussions, UN Secretary-General António Guterres highlighted the role of emerging technologies, including artificial intelligence, in perpetuating violence and abuse against women.

Events Highlighting Digital Rights and Gender Equity

CSW69 is hosting a range of official sessions and fringe events tackling these issues head-on, bringing together feminists, digital rights advocates, and policymakers. Upcoming events include:

• OVOF ARTivism for Change: creative space highlighting the intersection of art and activism, featuring film screenings, workshops, and discussions – March 13, 11:30 ET https://docs.google.com/forms/d/e/1FAIpQLSf56tMsAnhikfiPFLl_UDAKaCq1XYt9GIh8nEOthGgNIlacLg/viewform 
• Feminist Internet eXchange: FPIs in the midst of our current political realities – March 14, 10:00 ET  https://limesurvey.apc.org/index.php/475677 
• Sterling Starlets Burlesque – A queer, trans, and femme-affirming burlesque show celebrating gender diversity. March 16, 20:00 ET https://www.eventbrite.com/e/sterling-starlets-burlesque-the-commission-edition-tickets-1265831729779?aff=oddtdtcreator 
• Lecturas feministas de las violencias digitales en contra de defensoras de derechos humanos. La ausencia de respuestas efectivas 30 años después de Beijing – March 17, 10:30 ET. https://limesurvey.apc.org/index.php/281746 
• Seeking just futures: Reflecting on criminalisation and gender justice at Beijing +30 - March 18, 8:30 ET https://limesurvey.apc.org/index.php/264929 
• AI for Social Equality – March 18, 8:30 ET https://limesurvey.apc.org/index.php/292655 

This Week's Links

Internet Governance

• Trump's reshuffling of U.S. foreign aid threatens global internet freedom, impacting digital rights initiatives. https://dgap.org/en/research/publications/trumps-reshuffling-us-foreign-aid-endangers-internet-freedom
• Bluesky’s spring 2025 protocol roadmap, detailing decentralization efforts. https://docs.bsky.app/blog/2025-protocol-roadmap-spring
• Openness and interoperability at MWC: The push for open digital ecosystems. https://www.ianbrown.tech/2025/03/07/openness-and-interoperability-at-mwc/
• This joint ITU and OHCHR workshop explored tech standards and human rights. Scroll to the bottom to find links to a live recording and summary of the outcomes. https://www.itu.int/en/ITU-T/Workshops-and-Seminars/2024/1021/Pages/default.aspx

Digital Rights

• ICE surveillance contractor monitoring over 200 sites: What it means for digital privacy. https://www.404media.co/the-200-sites-an-ice-surveillance-contractor-is-monitoring/?ref=daily-stories-newsletter
• At RightsCon Taipei, activists reckoned with a US retreat from promoting digital rights. https://www-technologyreview-com.cdn.ampproject.org/c/s/www.technologyreview.com/2025/03/04/1112773/at-rightscon-in-taipei-activists-reckon-with-a-us-retreat-from-promoting-digital-rights/amp/
• Open Rights Group urges UK citizens to contact MPs to save independent websites, and exempt them from the Online Safety Act. https://action.openrightsgroup.org/save-our-sites-write-your-mp
• Looking at Beijing+30: Adapting gender equality efforts for the modern technological landscape. https://www.apc.org/en/blog/looking-beijing30-adapting-our-approach-gender-equality-todays-technological-landscape

Technology and Society

• Internet Exchange’s Mallory Knodel at MWC 2025 discusses AI under Trump https://www.youtube.com/watch?v=lOnv229DyCA
• The New Yorker updates its style guide, dropping “Web site,” “in-box,” and “Internet” in favor of “website,” “inbox,” and “internet.” Breathe easy—its use of em dashes remains unchanged. https://www.nytimes.com/2025/03/12/style/new-yorker-style-guide.html
• WITNESS on tomorrow’s great digital divide: How AI and automation could deepen societal inequalities. https://blog.witness.org/2025/03/tomorrows-great-digital-divide/
• The Silicon Valley Consensus fuels an AI infrastructure arms race driven by tech giants, financiers, and energy firms, overbuilding and overinvesting in a speculative bubble that prioritizes profit and power over real innovation. https://thetechbubble.substack.com/p/the-silicon-valley-consensus-and
• "Into the Driver’s Seat With Social Media Content Feeds" by Laura Edelson, Frances Haugen and Damon McCoy uses vehicles as an analogy for a proposed classification framework for algorithmic feeds. https://knightcolumbia.org/content/into-the-drivers-seat-with-social-media-content-feeds?_preview_=10f930d9bc
• The Department of Homeland Security has cut funding for the Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC), a program run by the Center for Internet Security (CIS) that supported state and local election cybersecurity. CIS can still assist through the broader Multi-State Information Sharing & Analysis Center (MS-ISAC), reports investigative journalist Kim Zetter on LinkedIn. https://www.linkedin.com/posts/kim-zetter-journalist-author-countdown-to-zero-day_ei-isac-activity-7303803267992420353-O_Jw?rcm=ACoAACWJ_HIBp2ruf2wVpyUwySkAKakbPfg5KLw
• U.S. satellite company Maxar cuts off Ukraine's access to satellite imagery. https://www.politico.eu/article/us-satellite-company-maxar-cuts-off-ukraine-access-imagery-report-says/
• "Seeding Change" documents the journey of community networks in South Africa. https://www.apc.org/en/blog/seeding-change-journey-community-networks-towards-sustainability-south-africa

Upcoming Events

• The Global AI Standards Summit: Addressing governance and best practices. March 17-18, London and Online https://www.aistandardshub.org/global-summit
• APC at the 69th Session of the Commission on the Status of Women: Advocating for gender and tech policies. March 6-19 https://www.apc.org/en/news/apc-69th-session-commission-status-women
• Better Feeds report launch webinar: A discussion on algorithmic governance. March 25, 11:00am EDT https://kgi.georgetown.edu/events/better-feeds-report-launch-webinar
• People's Book Takoma hosts Paul Greenberg for a discussion on democracy and elections. March 26, 6:30pm, Takoma Park, MD https://peoplesbooktakoma.com/event/paul-greenberg-for-a-third-term

Careers, Contribution and Funding Opportunities

• Join the Data Governance in Africa Research Fund to shape data governance and data policies in African countries. https://d4dhub.eu/news/data-governance-in-africa-research-fund
• Call for applications: The African School on Internet Governance (AfriSIG) 2025. https://afrisig.org/call-for-applications-to-the-african-school-on-internet-governance-afrisig-2025
• Open roles at LACNIC, Latin American and Caribbean Internet Addresses Registry https://www.lacnic.net/628/2/lacnic/job-opportunities
• Pew Research Center hiring a Research Associate, Internet & Technology. https://pewtrusts.wd5.myworkdayjobs.com/en-US/CenterExternal/job/Washington-DC-Pew-Research-Center/Research-Assistant--Internet—Technology_R002807
• Public Citizen seeks applicants for a Technology Accountability Advocate https://publiccitizen.applytojob.com/apply/jobs/details/o4C0zkJHZH
• Women on Web is looking for dedicated and diverse individuals to join their Board of Directors. https://www.linkedin.com/posts/womenonweb_women-on-web-is-looking-for-dedicated-and-activity-7296112075234304002-9AoJ?rcm=ACoAACWJ_HIBp2ruf2wVpyUwySkAKakbPfg5KLw
• Call for Contributions: The Coming Age of Tech Trillionaires and the Challenge to Democracy. Tech Policy Press seeks contributions for a special series by Friday, April 25th, at Noon Eastern Time. Submissions will be considered on a rolling basis. https://www.techpolicy.press/call-for-contributions-the-coming-age-of-tech-trillionaires-and-the-challenge-to-democracy

What did we miss? Please send us a reply or write to editor@exchangepoint.tech.

Realizing the Promise of Data Rights

By Sukhi Gulati-Gilbert, Public Interest Technologist and Senior Product Manager for Permission Slip at Consumer Reports. Views are her own and not indicative of Consumer Reports’ position.

Much of today’s internet is powered by a massive and opaque exchange of personal data. In the time it takes to load a web page, advertisers have likely already auctioned off your attention. Advertisers determine the value of ad space based on what they know about the viewer. Individual profiles for this purpose are aggregated from sources ranging from public property records to retail transactions and, of course, internet activity. This data is often collected without meaningful user consent and can be used in ways that are sensitive and invasive. Recently, the FTC took action against data brokers for using consumer location data to unlawfully sell inferences about medical conditions and religious beliefs. When every click contributes to an inscrutable sea of personal data, it can be overwhelming to take back control. 

State privacy laws in the United States have started to address dangers of the data economy by granting residents data rights. However, these rights are often difficult and frustrating to exercise. Improving digital privacy rights requires stronger legislation, new technical systems, and consumers making their voice heard. Until then, privacy tooling can help bridge the gap between data rights in law and protecting consumer privacy in practice.

The Current State of Data Rights Requests

Inconsistently Protected
In the United States, existing data rights are mostly enshrined in state-level legislation. Nineteen states so far have signed some form of digital privacy rights into law. The seminal piece of U.S. privacy legislation was the California Consumer Privacy Act (CCPA), which went into effect in 2020. The law grants residents an array of data rights. Perhaps most notably: the right to access what personal data companies are collecting, the right to request deletion of that data, and the right to opt out of the data being sold or shared. Though state laws vary in their protections, all nineteen contain some form of access, deletion and opt out rights. It is encouraging to see more states adopting privacy laws, although many Americans continue to lack any protected data rights. 

Onerous to Execute
Unfortunately, simply having privacy rights is not enough if consumers cannot execute those rights effectively and easily. Accounts of individuals sending out rights requests have revealed the process to be incredibly confusing. To start, individuals must identify how to submit a data rights request - a process which varies by company. A 2020 Consumer Reports study found that on 42.5% of sites tested, at least one in three testers were unable to find a “Do Not Sell” link. Once the link (or alternate submission method) has been located, it can still feel tedious or even deliberately difficult. An example is the common data broker practice of requiring users to find their information on the site in order to submit the opt-out request. Once the user begins searching for themselves, they are often asked follow up questions like: “Has this individual ever lived in New York?” “Are they under 30?” Going through a multi-step search significantly lengthens the time it takes to submit a data rights request and puts the burden of locating relevant information on the consumer instead of on the data broker. To make matters worse, consumers may answer the questions truthfully without realizing that doing so risks exposing even more personal data to the company. 

Even in the case where companies have created an easy or intuitive data rights request process, the volume of requests for an individual to send is high. There are hundreds of data brokers in California's data broker registry and many companies in addition to data brokers that consumers may have shared data with. An individual could end up managing requests with hundreds of entities to effectively reduce their digital footprint. 

Lacking Assurance
A now infamous leaked Facebook memo explained, “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.” For years before privacy regulation came into effect, systems were designed to maximize data collection, not to protect user privacy. Retrofitting them for privacy compliance is difficult and expensive, making it entirely possible that companies claiming to fulfill data rights requests have not truly deleted or protected user data. Currently, those exercising their data rights do not receive any verifiable proof that their request has been fulfilled or that the data they submitted with the requests was not used for purposes other than fulfilling their request. The process requires taking on good faith that a company has complied when they say they have, even though we know that the problem can often be technically intractable. 

An Interim Solution: Privacy Tooling

Given how onerous it can be to send out data rights requests manually, privacy automation tools have emerged to help consumers. Many state laws include a provision that allows individuals to delegate a third party - referred to as an “authorized agent” -  to submit requests on their behalf. An authorized agent could be an individual, an organization, or an automated tool. Agents can be a powerful force to simplify the user experience by allowing consumers to interface with one agent rather than dealing with multiple companies individually. Permission Slip by Consumer Reports is one of a few applications leveraging this concept to make it easier for consumers to exercise their data rights. Authorized agents in the market vary in their approach but the value proposition is similar: they take on the tedious task of sending out data rights requests and tracking their progress so users don’t have to. These tools also enable collective action. At Consumer Reports, for example, we follow up with companies that fail to respond to requests at scale and may even file complaints with enforcement agencies. 

Authorized agents are one set of tools working to make privacy more accessible, but they aren’t the only ones. Global Privacy Control is a browser tool users can configure to proactively signal to websites that they do not want their data sold or shared. There are also state-led efforts to simplify user interfaces. Recently, California’s DELETE Act went into effect, requiring the state to create a system that lets residents delete their data from all registered data brokers with a single request. 

Moving Forward: Making Data Rights More Effective

Reducing the consumer burden of exercising data rights is important, but we should also continue to iterate on data rights by making them more consistent, standard and effective. Everyone has a part to play:

For Policymakers: 

• Standardize Data Rights Requests: Data rights requests should be standardized so that they can be submitted via an API. This will enable both the public and private sectors to create one-stop tools for consumers to submit data rights requests that are more intuitive and usable than what companies have incentive to create. 

For Technologists: 

• Invest in Data Traceability: Decades of innovation have gone into creating systems that are optimized for extracting value from user data. To catch up, we’ll have to create usable, open source systems that make it easy for companies to incorporate data traceability. Without reliable and transparent understanding of data flows, we cannot achieve verifiable assurance that rights have been effectively exercised.

For Consumers:

• Send Out Data Rights Requests: However imperfect, submitting requests can dramatically reduce your digital footprint and exert real demands on companies with potential to spur increased investment in privacy programs. Given how long the process can take, you may consider employing an authorized agent to help or prioritizing requests to the worst offenders. 
• File Complaints: If your state has a privacy law and a company is not replying to your data rights requests, file a complaint with your state’s attorney general.

Of course, we should also not lose sight of a world beyond data privacy rights. While they can help us mitigate the harm when surveillance is the default, we should continue to advocate for reimagined systems and business models where privacy is the default instead. In the meantime, the emergence of data rights for Americans is a step in the right direction. Let’s make the most of them.