Let My Data Go: Data Brokers' Compliance with Opt-Out and Deletion Requests

📅 2026-07-05
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study presents the first large-scale empirical assessment of data brokers’ compliance with consumer rights requests under the California Consumer Privacy Act (CCPA), specifically focusing on opt-out and deletion requests. Employing a methodology combining synthetic identity generation, automated request submission, and systematic response tracking, the research audits all registered data brokers in California. Findings reveal pervasive shortcomings: despite apparent surface-level compliance, a significant proportion of brokers either failed to respond or imposed unlawful barriers—such as excessive identity verification demands, inconsistent processes, and undue burdens on consumers. These systemic deficiencies underscore the urgent need for enhanced regulatory enforcement and the establishment of standardized, interoperable request interfaces to ensure meaningful exercise of consumer privacy rights under the CCPA.
📝 Abstract
Data brokers are a largely American phenomenon. They collect vast amounts of personal information about most adult U.S. consumers, mainly without the latter's knowledge or consent. Accumulated data can be sold to anyone, including employers, landlords, insurance agencies, banks, governments (local, state, federal, and even foreign), as well as various malicious actors. This, in turn, enables discrimination, surveillance, identity theft, and stalking. Recent regulations -- such as the California Consumer Privacy Act (CCPA) modeled after EU's General Data Protection Regulation (GDPR) -- were introduced to bolster consumer privacy, e.g., the rights to: (1) opt-out of the sharing or selling one's personal information, (2) delete one's personal information, and (3) obtain a copy of that information. However, exercising these rights is not easy, as shown by our comprehensive study of the data broker ecosystem. We submitted both opt-out and deletion requests (using synthetic consumer identities) under the CCPA to all California-registered data brokers and investigated their responses and lack thereof. While the majority seem to be compliant, a significant fraction is not and many failed to reply to (and/or acknowledge) consumer requests. Furthermore, some data brokers require intrusive consumer identity verification in order to exercise one's opt-out rights, which is explicitly disallowed by the CCPA. There is also great disparity in the request submission process among data brokers as well as an extremely heavy (time and effort) overall consumer burden. This motivates an urgent need for streamlining and standardization of the consumer interface, stronger enforcement, and meaningful consequences for (especially sustained) non-compliance.
Problem

Research questions and friction points this paper is trying to address.

data brokers
opt-out requests
deletion requests
CCPA compliance
consumer privacy
Innovation

Methods, ideas, or system contributions that make the work stand out.

data brokers
CCPA compliance
opt-out requests
deletion requests
privacy regulation
🔎 Similar Papers
No similar papers found.