Hundreds of registered data brokers ignore user requests around personal data

Researchers in California contacted data brokers in their state to exercise their rights under the California Privacy Protection Act. Many didn’t reply, while others threw up barriers.

There are few laws at the state or federal level to constrain data brokerage, the process by which companies collect and sell bulk data on people they’ve never met or done business with.

States at the forefront of regulating the industry, like California, currently require hundreds of companies to register with the government and provide consumers with the means to opt out of collection or request deletion of their data.

Now, a study from the University of California, Irvine shows that many registered brokers may be ignoring these requirements, and experts tell CyberScoop that state regulators should strengthen their enforcement of current privacy laws.

In the study, researchers exercised their rights under the California Consumer Privacy Act by contacting all registered data brokers and requesting details about the data the companies had collected on them. Of the 543 companies contacted, 40% failed to respond in any way, showing “rampant non-compliance” among the registered brokers.

“Our findings reveal rampant non-compliance and lack of standardization of the data access request process,” wrote authors Elina van Kempen, Isita Bagayatkar, Pavel Frolikov, Chloe Georgiou and Gene Tsudik. “These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers’ privacy protections and improve data broker accountability.”

In addition to brokers that didn’t respond, those that did often created numerous hurdles for people trying to access their data. There was no standard process for submitting such requests: some companies required a phone call, others an email, and others asked users to fill out an online form.

The study measured six types of friction in these requests: individual burden, identity verification challenges, response time, response quality, the data collected, and the privacy issues related to the requests.

One key finding was that inconsistent identity procedures across brokers are confusing and “taxing” to the average consumer, forcing them to navigate a patchwork of different requirements.

Caption: Even when data brokers (DBRs) do respond to consumers, many offer a confusing and unreliable process to contact them and request data or opt out. (Source: UC Irvine)

Many brokers that collect and sell personal data require strict identity verification for consumer data requests, which helps prevent unauthorized access.

On the other hand, the study’s authors say this creates an “unintended privacy paradox” for consumers looking to limit the exposure of their personal data by engaging with brokers directly, as they must often provide additional forms of personal and personally identifiable information along the way.

“Paradoxically, this means that exercising one’s privacy rights under CCPA introduces new privacy risks,” the authors wrote.

The study, which focused solely on companies registered as data brokers in California, may actually understate the problem, as other research has shown that many data brokers don’t carry their disclosures across state lines. 

Justin Sherman, a privacy expert and scholar-in-residence at the Electronic Privacy Information Center, told CyberScoop that many brokers seem to hold an odd commitment to privacy principles in one particular instance: verifying the identity of people who object to having a third-party company collect and use their personal information.

“It is beyond irony that there are data brokers who will sell to basically anybody and … yet when someone is saying, ‘I don’t consent to you having collected my data behind my back,’ everything is all of a sudden, ‘how are we going to verify?’ and ‘how are we going to do ‘Know Your Customer’” rules, Sherman said. “It’s talking out of both sides of your mouth. They know that if you create some friction, then people are less likely to cancel.”

Additionally, Sherman noted that for opt-out rights to be effective, “the consumer has to be able to easily exercise them.” A process that forces them to personally contact hundreds of different companies without a standardized process for doing so, he argued, is a recipe for frustration and dark patterns.

He added “there’s no gray area” about how registered brokers are obligated to handle such requests.

“I think the law is very clear. The law says: accept the requests and respond, or reject the requests and respond with the exception you’re setting,” Sherman said, something hundreds of registered brokers failed to do, according to the study.

The California Privacy Protection Agency did not respond to questions from CyberScoop about the UC Irvine study or its own research on data broker noncompliance under the CCPA.
