CR Webinar Recap: Dude, Where’s My Data?

On January 27, 2025 Consumer Reports (CR), in collaboration with the National Cyber Alliance (NCA) and Cloaked, hosted a webinar titled “Dude, Where’s My Data”, one of four webinars presented during Data Privacy Week. This discussion, led by Cliff Steinhauer, Director of Information Security and Engagement at NCA, Sumeet Chugani, General Counsel at Cloaked, and Sukhi Gulati Gilbert, Product Manager for CR’s Permission Slip, delved into the world of consumer data  — explaining what type of data companies are collecting about us, and what happens to it once we hand that data over.  

A Familiar Scenario: Rewards Programs   

The conversation kicked off with a familiar scenario: You’re at your favorite coffee shop and decide to join their rewards program—after all, who doesn’t want a free coffee after ten visits? You hand over your phone number, birthday, and email without a second thought. What’s the harm?

The panel explained there’s a catch. Oftentimes, you’re not just sharing your data with the coffee shop—you’re sharing it with the third-party vendor running your coffee shop’s rewards program. And that vendor’s business model isn’t about tracking your coffee count; it’s about collecting, selling, and exchanging your data. Even if the coffee shop itself isn’t selling your information, their third-party partner often is. Once your data is sold, it spreads far and wide, landing in places you never intended it to. The panel went on to explain that there’s a chain of events happening behind the scenes in the data world—one we rarely see. 

Pulling Back the Curtain: Data Brokers, Consumer Rights & Company Compliance

An audience member raised an interesting question: “Haven’t we always shared our personal data? Phonebooks and white pages listed names and addresses—so what’s different now?” Sukhi explained:

“The digital counterparts of the analog phonebooks still exist, but what’s different now is the ease of access and amount of data available about you. It’s more than just your number, email and address — that’s likely just what your data is keyed under. Your profile now looks like an overview of places you’ve visited, the items you’ve purchased, inferences of your health information, what party you voted for etc. So yes, while the phonebook always existed, we see a data exchange that is supercharged in the digital age”. 

The panel continued to pull back the curtain on the world of data collection— speaking to the role of data brokers, consumer data rights, and the responsibility of companies to keep consumer data safe. 

Data Brokers

Data brokers are companies that make their money from buying, exchanging and selling data. They operate in the shadows, oftentimes trading consumer data for profit. A recent FTC case exposed how two brokers collected sensitive location data—placing digital “geo-fences” around hospitals and places of worship, then using that data to understand personal details like religious beliefs or medical conditions of consumers. This data was then sold to countless third parties, increasing consumer vulnerability, and validating how truly supercharged the world of data exchange is in the digital age. 

Consumer Data Rights

The panel then brought the audience a bit more hope, explaining three key rights consumers have in the world of data privacy:

    1. The right to know what data companies have on you (called access requests)
    2. The right to opt out of data sales (called opt-out requests)
    3. The right to request deletion of your data (called deletion requests)

But the panel continued to explain that because there is no federal privacy legislation, these rights are protected by state laws. That means whether companies have the requirement to honor these rights depends on the state you live in.

Company Compliance

The panel explained that what companies are required to do depends on the data they collect and the consumer protection laws in their state. Some industries, like healthcare, have strong privacy regulations under HIPAA, but those protections don’t apply when you sign up for a rewards program or buy a product online.

If your state doesn’t have strong data privacy laws, companies have no legal obligation to honor your data rights. The unfortunate reality for consumers is the responsibility to protect themselves online oftentimes falls to them. Sumeet explained: 

“As the digital world evolves, the methods of data collection and exploitation rises. It’s now going to be incumbent on the individual to think “how do I protect myself in this digital world.” It’s game time for consumers as we see a rise in AI and tech overall.” 

How Consumers Can Protect Themselves

So, it’s game time for consumers — but the question remains, what can you do? The panel recommends focusing on two key strategies: data minimization and data deletion. 

You can minimize the data you share by:

  • Providing fake data when possible 
  • Freezing your credit to prevent unauthorized access 
  • Using a private relay email address (e.g., Apple’s Hide My Email)
  • Using ad blockers to disrupt real-time data exchanges (like Privacy Badger

Lastly, you can delete your data with tools like Permission Slip. Sukhi explains:

“Even if you don’t have legal protections in your state, submitting deletion requests puts pressure on companies. The short-term solution is data minimization and deletion where possible. The long-term solution is creating a marketplace that incentivizes companies to respect consumer data. The more you signal that privacy matters—rewarding companies that handle data responsibly—the more you can influence change.”

You can check out the full recording of our webinar here. CR, alongside the NCA, continue to advocate for stronger consumer privacy protections and provide tools and resources that empower individuals. From NCA’s Data Privacy Week to CR’s Permission Slip, we’re working to help consumers take back control of their personal information.

Get the latest on Innovation at Consumer Reports

Sign up to stay informed

We care about the protection of your data. Read our Privacy Policy