Consumer Beware! Exploring Data Brokers' CCPA Compliance
- URL: http://arxiv.org/abs/2506.21914v1
- Date: Fri, 27 Jun 2025 04:57:32 GMT
- Title: Consumer Beware! Exploring Data Brokers' CCPA Compliance
- Authors: Elina van Kempen, Isita Bagayatkar, Pavel Frolikov, Chloe Georgiou, Gene Tsudik,
- Abstract summary: The California Consumer Privacy Act (CCPA) grants consumers the legal right to request access to, or deletion of, their data.<n>To facilitate these requests, California maintains an official registry of data brokers.<n>This paper presents the first large-scale, systematic study of CCPA compliance of all 543 officially registered data brokers.
- Score: 8.562189001930745
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Data brokers collect and sell the personal information of millions of individuals, often without their knowledge or consent. The California Consumer Privacy Act (CCPA) grants consumers the legal right to request access to, or deletion of, their data. To facilitate these requests, California maintains an official registry of data brokers. However, the extent to which these entities comply with the law is unclear. This paper presents the first large-scale, systematic study of CCPA compliance of all 543 officially registered data brokers. Data access requests were manually submitted to each broker, followed by in-depth analyses of their responses (or lack thereof). Above 40% failed to respond at all, in an apparent violation of the CCPA. Data brokers that responded requested personal information as part of their identity verification process, including details they had not previously collected. Paradoxically, this means that exercising one's privacy rights under CCPA introduces new privacy risks. Our findings reveal rampant non-compliance and lack of standardization of the data access request process. These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers' privacy protections and improve data broker accountability.
Related papers
- Buyer-Initiated Auction Mechanism for Data Redemption in Machine Unlearning [10.43572220941666]
rapid growth of artificial intelligence (AI) has raised privacy concerns.<n>Leading regulations like California Consumer Privacy Act (CCPA)<n>We propose buyer-initiated auction mechanism for data redemption.
arXiv Detail & Related papers (2025-03-29T07:44:34Z) - Measuring Compliance with the California Consumer Privacy Act Over Space and Time [7.971611687303297]
The California Consumer Privacy Act (CCPA) mandates that online businesses offer consumers the option to opt out of the sale and sharing of personal information.
Our study automatically tracks the presence of the opt-out link longitudinally across multiple states after the California Privacy Rights Act (CPRA) went into effect.
We find a number of websites that implement the opt-out link early and across all examined states but also find a significant number of CCPA-subject websites that fail to offer any opt-out methods even when CCPA is in effect.
arXiv Detail & Related papers (2024-03-25T21:57:31Z) - Protecting User Privacy in Online Settings via Supervised Learning [69.38374877559423]
We design an intelligent approach to online privacy protection that leverages supervised learning.
By detecting and blocking data collection that might infringe on a user's privacy, we can restore a degree of digital privacy to the user.
arXiv Detail & Related papers (2023-04-06T05:20:16Z) - Lessons in VCR Repair: Compliance of Android App Developers with the
California Consumer Privacy Act (CCPA) [4.429726534947266]
The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights.
Our research investigated the extent to which Android app developers comply with the provisions of the CCPA.
We compare the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies.
arXiv Detail & Related papers (2023-04-03T13:02:49Z) - Certified Data Removal in Sum-Product Networks [78.27542864367821]
Deleting the collected data is often insufficient to guarantee data privacy.
UnlearnSPN is an algorithm that removes the influence of single data points from a trained sum-product network.
arXiv Detail & Related papers (2022-10-04T08:22:37Z) - Fighting the Fog: Evaluating the Clarity of Privacy Disclosures in the
Age of CCPA [29.56312492076473]
Vagueness and ambiguity in privacy policies threaten the ability of consumers to make informed choices about how businesses collect, use, and share personal information.
The California Consumer Privacy Act (CCPA) of 2018 was intended to provide Californian consumers with more control by mandating that businesses clearly disclose their data practices.
Our results suggest that CCPA's mandates for privacy disclosures, as currently implemented, have not yet yielded the level of clarity they were designed to deliver.
arXiv Detail & Related papers (2021-09-28T15:40:57Z) - Preference-Based Privacy Trading [19.23266277956912]
We propose a design of regulated efficient/bounded inefficient economic mechanisms for oligopoly data trading markets using a novel preference function bidding approach on a simplified sellers-broker market.
Our methodology preserves the heterogeneous privacy preservation constraints (at a grouped consumer, i.e., app, level) upto certain compromise levels, and at the same time satisfies information demand (via the broker) of agencies.
arXiv Detail & Related papers (2020-12-10T07:03:10Z) - Second layer data governance for permissioned blockchains: the privacy
management challenge [58.720142291102135]
In pandemic situations, such as the COVID-19 and Ebola outbreak, the action related to sharing health data is crucial to avoid the massive infection and decrease the number of deaths.
In this sense, permissioned blockchain technology emerges to empower users to get their rights providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts.
arXiv Detail & Related papers (2020-10-22T13:19:38Z) - PCAL: A Privacy-preserving Intelligent Credit Risk Modeling Framework
Based on Adversarial Learning [111.19576084222345]
This paper proposes a framework of Privacy-preserving Credit risk modeling based on Adversarial Learning (PCAL)
PCAL aims to mask the private information inside the original dataset, while maintaining the important utility information for the target prediction task performance.
Results indicate that PCAL can learn an effective, privacy-free representation from user data, providing a solid foundation towards privacy-preserving machine learning for credit risk analysis.
arXiv Detail & Related papers (2020-10-06T07:04:59Z) - A vision for global privacy bridges: Technical and legal measures for
international data markets [77.34726150561087]
Despite data protection laws and an acknowledged right to privacy, trading personal information has become a business equated with "trading oil"
An open conflict is arising between business demands for data and a desire for privacy.
We propose and test a vision of a personal information market with privacy.
arXiv Detail & Related papers (2020-05-13T13:55:50Z) - GDPR: When the Right to Access Personal Data Becomes a Threat [63.732639864601914]
We examine more than 300 data controllers performing for each of them a request to access personal data.
We find that 50.4% of the data controllers that handled the request, have flaws in the procedure of identifying the users.
With the undesired and surprising result that, in its present deployment, has actually decreased the privacy of the users of web services.
arXiv Detail & Related papers (2020-05-04T22:01:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.