Tsudik’s Group uncovers data brokers’ CCPA compliance issues
ProperData researchers at the University of California, Irvine recently investigated US data brokers’ compliance with the California Consumer Privacy Act (CCPA) and found a pattern of noncompliance with the CCPA’s requirements regarding consumer requests to access and/or delete personal information.
The research project is led by Elina van Kempen (pictured on the left), who is a PhD student in Computer Science advised by Prof. Gene Tsudik. The research team also includes Isita Bagayatkar, Pavel Frolikov, and Chloe Georgiou.
Over a period of seven months from late 2024 to early 2025, the researchers submitted consumer requests to data brokers registered with the CCPA and received responses from only 57 percent. Furthermore, 43 percent of the data brokers failed to reply, which is an apparent violation of the CCPA. The researchers found a complete lack of standardization in identity verifications procedures, which complicates and lengthens the request submission process. The study reveals a privacy paradox: when consumers attempt to submit data requests and verify their identity, they are asked to provide multiple pieces of personal information to data brokers. However, these brokers may not have previously possessed this information or may ignore the request entirely.
Their findings are reported in the paper “Consumer Beware! Exploring Data Brokers’ CCPA Compliance” and highlighted in the UCI News. See also coverage by news outlets (e.g., Daily Journal, Worldlawyersforum, centraloctimes) and beyond.