by Kevin Brasler

Last updated January 18, 2024

In October, Consumer Reports launched Permission Slip, a free app that provides a one-stop spot you can use to control which companies can collect, store, and sell your personal data. We urge everyone to use it.

As we often warn, device manufacturers, websites, browsers, search engines, and software companies relentlessly scoop up information about your private life to fuel a trillion dollar commercial surveillance industry. They track which web pages you visit and what you click; they follow your movements from site to site; they use GPS signals to record where you travel; they listen to your conversations using your devices’ microphones. Even brick-and-mortar retailers use Bluetooth and Wi-Fi beacons to signal when you pass near or enter their stores, and then track your movements.

Your recorded online life is compiled and sold or traded by thousands of companies, usually with the help of data brokers that are largely unregulated and often not required to disclose what they’ve collected or shared. And because so many companies’ databases have been breached, cybercriminals also have access to much of your info.

In the last few years, a dozen states have passed laws aimed at curtailing online data collection and sharing. But, unfortunately, even the California Consumer Financial Protection Law, the strongest of the bunch, puts the burden on consumers to opt out of allowing their data to be sold or shared, instead of by default requiring that companies respect our privacy. So it’s up to us to tell Google, Facebook, Amazon, and every other website we visit, app we use, device we buy, and so on not to invade our privacy. It’s an onerous task, and few consumers bother opting out.

Consumer ReportsPermission Slip app provides a way to tell dozens of companies to cut it out. Download and install the app, create an account with your email address and phone number, and it will present you with a list of hundreds of companies. Select one and CR tells you what type of info it collects and your options for what you want to tell it to do. Think you might have an account with one of the companies? Direct the app to send a message on your behalf to it requesting “Do Not Sell My Data” or to “Delete My Account,” and then move on to the next card/company/data broker.

Tread carefully when selecting the “Delete My Account” option. Doing so means you’ll be unsubscribed from that company’s service (goodbye, Disney+ or Netflix) and will have removed yourself from any loyalty program, losing accrued rewards points. But do opt to delete accounts you don’t use anymore; they’re a security risk.

You’ll notice that, for some companies, the only option available is to delete your account. That’s because CR in some cases has concluded companies don’t sell their customers’ personal info and therefore sending a request to not do so won’t have any impact.

Permission Slip relies heavily on rights provided by California’s privacy laws. Most companies will honor requests from consumers who live outside of California (and other states with applicable online privacy laws) who ask them to stop collecting data and to delete what they’ve already scooped up.

But, disappointingly, a few companies routinely deny requests from Permission Slip if they aren’t legally obligated to act. For example, the app warns users that any requests it sends to CVS to knock off its data-sharing program will result in automatic denials unless they live in California, Colorado, Connecticut, or Virginia—states that have laws requiring companies to honor these types of requests. CVS apparently values its customers’ data more than their wishes for privacy. Oh, and by the way: CVS’s website discloses that it scoops up a wide array of customer data, including “geolocation,” images “recorded on an in-store security camera,” “purchase history,” “health information you provide us based on your participation with certain programs,” “biometric information which may include voice recognition information, facial scans, and/or other similar biometric identifiers,” and, vaguely, “other information you provide to us.”

Permission Slip provides a dashboard showing which companies have fulfilled (or denied or failed to act upon) your requests. It can take weeks for some companies to do what they’ve been told—California’s law gives them 15 business days to do so. Because some companies send confirmation emails before taking action, keep an eye out for them.

Once you’re set up with Permission Slip, check in with it periodically; it continues to add companies to its roster so you can file additional requests. CR also has developed an auto-request feature; enable it and it will routinely direct data brokers to not sell your data.

There are other apps available that operate much like Permission Slip, but CR’s tool is free, doesn’t try to sell additional services like VPNs, and isn’t looking to farm your activity to resell it.

An important consideration when using Permission Slip is that it directs companies not to sell or trade data they’ve collected on you with others. But it doesn’t necessarily prevent companies from continuing to gather data for their own use. So while you can use the app to tell United Airlines to stop selling your data, you can’t use Permission Slip to tell Amazon, Apple, Facebook, Google, LinkedIn, and so on to stop spying on you for their own purposes. To do that, you’ll need to log in to their individual websites and toggle off options that allow them to use your data for targeted ads and more. You should also take similar steps with your cellular phone service to opt out of any data sharing. Ditto for any wearable tech and health-related apps and websites you use: They’re not necessarily required to keep your data private.

Related: Facebook Privacy Settings Checkup

Become a Smarter Consumer Get free, expert advice delivered to your inbox every Wednesday when you sign up for the Weekly Checklist newsletter.