Quick overview

Merchants collect and monetize customer data constantly: purchase histories, browsing signals, device IDs, and marketing profiles. If a merchant sells or shares that data, many consumers have legal protections that let them find out what’s been collected, stop certain sales or sharing, request deletion or correction, and challenge discriminatory treatment. The landscape differs by jurisdiction—Europe’s GDPR provides broad, enforceable rights, and U.S. protections currently come mostly from state laws (e.g., California’s CCPA/CPRA) and federal enforcement by agencies like the FTC.

Sources and enforcement to check first: the Federal Trade Commission (FTC) for unfair or deceptive practices (https://www.ftc.gov/), the California Attorney General’s CCPA/CPRA resources (https://oag.ca.gov/privacy/ccpa), and the GDPR text and guidance in the EU (https://gdpr-info.eu/).

In my practice as a financial educator, I regularly help clients exercise opt-outs and deletion requests. Small, timely actions—reading a merchant’s privacy policy, saving records of requests, and using browser privacy tools—often prevent further unwanted sharing.


Key rights consumers can expect (common across major laws)

  • Right to Know / Access: Request a business disclose the categories and specific pieces of personal information it collected about you, the purposes for collection, and the identities of third parties with whom it has shared or sold the data (see CCPA/CPRA and GDPR).
  • Right to Delete: Ask the business to delete personal information it holds, subject to statutory exceptions (e.g., completing a transaction, legal obligations, fraud prevention).
  • Right to Opt-Out of Sale/Sharing: Direct a business not to sell or share your personal information for targeted advertising or other commercial uses. Many U.S. privacy laws require a clear, conspicuous opt-out mechanism (e.g., “Do Not Sell or Share My Personal Information”).
  • Right to Correction: Request inaccuracies be corrected, especially where your data informs credit, pricing, or financial decisions.
  • Right to Portability: Obtain a copy of your data in a commonly used format, which can help you move to a competing service.
  • Right to Non‑Discrimination: Many statutes let you exercise privacy rights without suffering adverse treatment, such as price hikes or service denial.

Note: The specific scope of each right varies. For example, the GDPR’s rights are broad and apply across controllers and processors in the EU, while U.S. state laws operate with different terms and applicability thresholds.


How to exercise these rights: step-by-step

  1. Identify whether the merchant is covered by privacy law. In the U.S., companies meeting thresholds (e.g., California’s CCPA thresholds: over $25M annual revenue, or handling 50,000+ consumers/households/devices, or deriving 50%+ revenue from selling personal information) are subject to CCPA/CPRA. Smaller businesses may still follow similar practices voluntarily.
  2. Find the merchant’s privacy notice. Look for “Do Not Sell or Share My Personal Information,” data subject request methods, or a privacy portal. If unclear, contact customer service and document the interaction.
  3. Submit a request using the merchant’s preferred channel (web form, email, postal mail, or phone). Provide only the minimum information needed for identity verification.
  4. Preserve proof. Save copies or screenshots of requests, confirmation messages, and any correspondence.
  5. Track statutory deadlines. Under CCPA/CPRA a business typically must respond within 45 days (extendable by 45 days with notice); under GDPR, controllers generally have one month to respond.
  6. If the business denies your request, ask for the specific legal basis. If unsatisfied, escalate to the applicable regulator (state AG, California Privacy Protection Agency for CPRA issues, or the FTC for unfair/deceptive acts). See our guide to filing complaints for practical next steps (internal resource: “Filing a Complaint with the CFPB, FTC, and State AGs: A Quick Guide” https://finhelp.io/glossary/filing-a-complaint-with-the-cfpb-ftc-and-state-ags-a-quick-guide/).

Evidence, identity verification, and best practices

  • Verification: Companies commonly require proof to avoid fraudulent requests. They may ask for account info, recent transactions, or partial SSN. Provide only what’s necessary. If you’re uncomfortable, ask for alternative verification methods.
  • Logs: Keep records (screenshots, request IDs, emails). These are useful if you need to escalate or show non-compliance.
  • Narrow requests: If you’re worried about over-sharing personal details when verifying identity, ask the company what minimal items they need and whether they offer in-person or certified channels.

Common exceptions and limitations to expect

  • Business needs and legal obligations: Companies can refuse deletion if they must retain data for tax, warranty, legal compliance, or to complete a transaction.
  • B2B and employee data: Many state laws carve out certain business-to-business communications or workplace records.
  • Small businesses: Not all privacy statutes apply to every business; check the law’s thresholds and local regulations.
  • Security breaches vs. sale: If data is exposed in a breach, CCPA provides a private right of action in narrow circumstances for certain types of personal information. Otherwise, enforcement is often by regulators.

If you believe your data was sold without proper notice or consent

  1. Document what happened: grab purchase receipts, account screenshots, or any suspicious emails.
  2. Send a verified consumer request to the merchant asking for details of any sale or disclosure and for deletion or opt-out where applicable.
  3. File complaints: use the FTC complaint portal (https://www.ftc.gov/), your state attorney general, or industry-specific regulators. For CPRA/CCPA issues in California, the California Attorney General provides guidance and the California Privacy Protection Agency enforces certain provisions (https://oag.ca.gov/privacy/ccpa).
  4. Consider legal counsel for complex cases (e.g., large-scale unauthorized disclosures or where significant financial harm occurred).

Practical tools and quick protections

  • Use browser privacy controls and opt-out tools for targeted ads (e.g., “Global Privacy Control” signals).
  • Limit data shared at signup. Use guest checkouts or single-use email addresses when possible.
  • Read the privacy settings in apps and disable unnecessary tracking; review app permissions.
  • Practice basic cybersecurity: strong passwords, unique passwords per site, and two-factor authentication—see our guide to personal cybersecurity for financial safety for practical steps (https://finhelp.io/glossary/personal-cybersecurity-for-financial-safety/).

Sample request templates

Opt‑out (Do Not Sell/Share) example (short):
“Subject: Do Not Sell or Share My Personal Information
Please consider this a formal request under applicable privacy law to opt me out of the sale or sharing of my personal information. Account/email: [your account/email]. Please confirm within the required statutory timeframe and provide a record of any disclosures made in the past 12 months.”

Deletion request example (short):
“Subject: Request to Delete Personal Information
Please delete all personal information you maintain about me to the extent allowed under law. Account/email: [your account/email]. If you deny any part of this request, please provide the legal exception relied upon.”

Keep copies and send via the merchant’s preferred channel.


Common misconceptions

  • Unsubscribe = Opt-out of sale: Unsubscribing from marketing does not always stop data sales or sharing for advertising. The opt-out for sale/sharing is distinct.
  • One law covers everything: As of 2025, there is no single comprehensive federal privacy law in the U.S.; protections come from a patchwork of state laws, sectoral rules, and the FTC’s authority.
  • Deletion is always possible: Businesses may lawfully retain data for limited reasons.

When to get professional help

If a large-scale leak of your sensitive personal data occurs, if a merchant refuses to honor clear statutory rights, or if you incur financial harm tied to an unlawful sale or disclosure, consult an attorney experienced in privacy law. If you are a business owner or handle compliance, consult counsel before relying on exemptions.


Professional disclaimer: This article is educational and not legal advice. Privacy laws change; for legal action or complex situations, consult a qualified attorney. Sources referenced include the Federal Trade Commission (https://www.ftc.gov/), the California Attorney General’s CCPA/CPRA guidance (https://oag.ca.gov/privacy/ccpa), and the GDPR (https://gdpr-info.eu/).