Opting Out May Not Prevent Websites From Collecting Your Data

Sebastian Zimmeck
3 min readJul 17, 2021
Image credit Social Ninja.

If you do not want websites to track you online, you could try opting out. Many websites provide opt out mechanisms. In fact, depending on where you are located, websites are required to provide such However, there are many problems with the existing mechanisms. For one, they are often based on cookies that can be easily deleted by accident. Opting out is also unnecessarily burdensome because the opt out process has to repeated generally for every browser and every website you visit. In short, the current opt out regime is essentially unworkable. Though, setting aside these problems for the moment, there is another important point. Even if you manage to opt out from tracking on a website, ad networks may still be able to collect your data.

Capture of web traffic on webmd.com showing my ZIP code and US Privacy String.

I recently did a little experiment. I visited various websites in my browser and captured the web traffic with Fiddler Everywhere. Among the handful of sites I visited was also webmd.com. Ads on websites are often served by third party ad networks. That is what happened on webmd.com as well. As shown in the screenshot above, WebMD made an ad call to DoubleClick, a subsidiary of Google. It contains two noteworthy pieces of information. First, it has the Interactive Advertising Bureau’s US Privacy String. The parameter usps=1YYY confirms that I have opted out of tracking. Specifically, the Y in the third position means that I am opted out of the sale of personal information per the California Consumer Privacy Act, which is applicable to me as I am currently in San Francisco. Indeed, the first thing I did when I started browsing webmd.com was to click on the “Do Not Sell My Personal Information” link at the bottom of the page enabling the opt out. This opt out was then passed on to DoubleClick. However, this is where it gets tricky.

Despite my opt out, the ad call contains another parameter, my ZIP code dzip=94110. A ZIP code is considered personal information that is covered by my opt out under the California Consumer Privacy Act. So, why did WebMD share it with DoubleClick? The answer is that this is how the ad ecosystem currently works. It is the standard operating procedure of many websites to make normal ad calls, append opt out flags, such as the US Privacy String, and leave it to the downstream providers to respect the opt outs by not recording personal information of opted out users. In other words, personal information of opted out users may still be received by ad networks, only they are not allowed to use it anymore. Opting out in those cases is based on an honor system, and that is not a great state of affairs in the context of online advertising.

What to do? Well, the solution is to not pass along any personal information of opted out users to ad networks. There are quite a number of websites who have already implemented this best practice, and here is hoping that it will become the new standard over time. This handling of users’ opt out requests would not only benefit users but also ad networks. They would gain more trust because information that they cannot use would not reach them in the first place.

If you liked this post, you can learn more about online privacy at the privacy-tech-lab. You can also reach the author via email (szimmeck@wesleyan.edu) or follow on Twitter.



Sebastian Zimmeck

Assistant Professor of Computer Science, Wesleyan University