Privacy Without Remedy: An Assessment of Data Broker Compliance with California Privacy Law
Anna-Maria Gueorguieva, Jennifer King, Apoorva Panidapu, Daniel E Ho

TL;DR
This paper empirically assesses data broker compliance with California privacy laws, revealing low transparency, significant barriers for consumers, and highlighting regulatory challenges and potential reforms.
Contribution
It provides the first empirical evaluation of data broker compliance with CCPA and Delete Act, identifying compliance gaps and proposing policy improvements.
Findings
Only 9% of data brokers fully comply with transparency requirements.
Many brokers report no consumer rights requests, indicating opacity.
A significant portion of brokers hinder consumer exercise of privacy rights.
Abstract
California's consumer privacy law is widely deemed to be the most protected in the United States, one of the few to expressly regulate third party entities that buy and sell consumer data (data brokers). We offer the first empirical assessment of data broker compliance with the 2018 California Consumer Privacy Act (CCPA) and the 2023 Delete Act, which requires data brokers to register with the state and report consumer rights requests metrics annually. First, we demonstrate that only 9% of 522 registered data brokers were fully compliant with transparency requirements after the Delete Act took effect, although we do identify slight improvements over time. Second, we descriptively characterize wide heterogeneity across data brokers in the volume of consumer rights requests received, with many reporting none. We bring in external business data to explore correlates associated with this…
