This study exposes systemic noncompliance among data brokers under the California Consumer Privacy Act (CCPA): exercising the right to access personal data often fails to enhance transparency and instead introduces new privacy risks—particularly through excessive identity verification requirements. We conduct the first large-scale empirical assessment of all 543 data brokers officially registered in California, manually submitting access requests and systematically coding response behaviors. Results reveal that over 40% of brokers failed to respond; among responders, the majority requested sensitive identity information not originally collected from consumers—violating CCPA’s minimization and proportionality principles. These findings confirm a substantial enforcement gap in CCPA implementation. To address this, we propose a scalable, standardized compliance auditing framework grounded in empirical evidence. This framework supports regulatory oversight and industry-wide process standardization, offering both methodological rigor and actionable policy insights for strengthening privacy governance.

Data brokers collect and sell the personal information of millions of individuals, often without their knowledge or consent. The California Consumer Privacy Act (CCPA) grants consumers the legal right to request access to, or deletion of, their data. To facilitate these requests, California maintains an official registry of data brokers. However, the extent to which these entities comply with the law is unclear. This paper presents the first large-scale, systematic study of CCPA compliance of all 543 officially registered data brokers. Data access requests were manually submitted to each broker, followed by in-depth analyses of their responses (or lack thereof). Above 40% failed to respond at all, in an apparent violation of the CCPA. Data brokers that responded requested personal information as part of their identity verification process, including details they had not previously collected. Paradoxically, this means that exercising one's privacy rights under CCPA introduces new privacy risks. Our findings reveal rampant non-compliance and lack of standardization of the data access request process. These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers' privacy protections and improve data broker accountability.