Consumer Beware! Exploring Data Brokers' CCPA Compliance
Elina van Kempen, Isita Bagayatkar, Pavel Frolikov, Chloe Georgiou, Gene Tsudik
TL;DR
This study systematically evaluates CCPA compliance across all 543 California-registered data brokers by submitting Verifiable Consumer Requests (VCRs) and assessing the burden placed on the requester, the identity verification demanded, response timelines, and data delivery. With a single researcher acting as the requester, the work documents substantial non-compliance: roughly half of the brokers failed to respond, and many responses provided little or no PI about the requester. Among those that did respond, data delivery varied, including cases of sensitive PI exposure and even third-party leakage, revealing privacy risks intrinsic to the VCR process itself. The findings highlight significant enforcement gaps, a lack of standardization in VCR procedures, and a privacy paradox in which exercising one's rights can increase exposure risk, underscoring the need for standardized processes, stronger oversight, and clearer consumer remedies.
Abstract
Data brokers collect and sell the personal information of millions of individuals, often without their knowledge or consent. The California Consumer Privacy Act (CCPA) grants consumers the legal right to request access to, or deletion of, their data. To facilitate these requests, California maintains an official registry of data brokers. However, the extent to which these entities comply with the law is unclear. This paper presents the first large-scale, systematic study of CCPA compliance by all 543 officially registered data brokers. Data access requests were manually submitted to each broker, followed by in-depth analyses of their responses (or lack thereof). Over 40% failed to respond at all, in apparent violation of the CCPA. Data brokers that did respond requested personal information as part of their identity verification process, including details they had not previously collected. Paradoxically, this means that exercising one's privacy rights under the CCPA introduces new privacy risks. Our findings reveal rampant non-compliance and a lack of standardization in the data access request process. These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers' privacy protections and improve data broker accountability.
