Consumer Beware! Exploring Data Brokers' CCPA Compliance
Journal:
arXiv
Published Date:
Jun 27, 2025
Abstract
Data brokers collect and sell the personal information of millions of
individuals, often without their knowledge or consent. The California Consumer
Privacy Act (CCPA) grants consumers the legal right to request access to, or
deletion of, their data. To facilitate these requests, California maintains an
official registry of data brokers. However, the extent to which these entities
comply with the law is unclear.
This paper presents the first large-scale, systematic study of CCPA
compliance of all 543 officially registered data brokers. Data access requests
were manually submitted to each broker, followed by in-depth analyses of their
responses (or lack thereof). Above 40% failed to respond at all, in an apparent
violation of the CCPA. Data brokers that responded requested personal
information as part of their identity verification process, including details
they had not previously collected. Paradoxically, this means that exercising
one's privacy rights under CCPA introduces new privacy risks.
Our findings reveal rampant non-compliance and lack of standardization of the
data access request process. These issues highlight an urgent need for stronger
enforcement, clearer guidelines, and standardized, periodic compliance checks
to enhance consumers' privacy protections and improve data broker
accountability.
