The Reality of CCPA Compliance: What a UC Irvine Study Reveals About Data Broker Non-Compliance

A groundbreaking study exposes widespread violations and the "privacy paradox" plaguing consumer rights

When a UC Irvine PhD student decided to exercise her basic consumer rights under the California Consumer Privacy Act (CCPA), she unknowingly embarked on what would become the most comprehensive study of data broker compliance ever conducted. Her findings paint a sobering picture of privacy law enforcement in 2025—and reveal why the "Privacy Era" remains frustratingly elusive for ordinary consumers.

The Scope of the Investigation

The study, conducted by researchers at UC Irvine, represents an unprecedented examination of CCPA compliance across the entire ecosystem of registered data brokers. Unlike previous research that focused on popular websites or small samples, this investigation systematically tested all 543 data brokers officially registered with California's Privacy Protection Agency.

Take Control of Your Personal Data with Incogni

Introduction In the digital age, personal data has become a valuable commodity. Data brokers often collect and sell your personal information without your informed consent. This practice can invade privacy, potential scams, identity theft, and even financial repercussions. But there’s a solution - Incogni. What is Incogni? Incogni is a

Security Affiliates MarketingSecurity Affiliates

The methodology was straightforward: submit data access requests to every registered broker and analyze their responses. What emerged was a detailed map of how privacy rights work—or fail to work—in practice.

The Stark Numbers Behind Non-Compliance

The results reveal rampant non-compliance across the data broker industry:

Response Failures:

• 43% of companies never responded to data access requests—a clear violation of CCPA requirements
• Only 52% responded within the mandated 45-day timeframe
• 8 websites were completely inaccessible during the study period
• 7 brokers had no privacy policy at all

Operational Barriers:

• 19 forms couldn't be submitted due to technical issues
• Companies required an average of 79 seconds just to locate and submit a request
• 53% of web forms were protected by CAPTCHAs, creating additional friction

These numbers are particularly concerning given recent enforcement actions. The California Privacy Protection Agency (CPPA) has been actively pursuing data brokers who fail to register, with recent settlements including $35,400 and $34,400 fines for companies that ignored registration requirements.

California Consumer Privacy Act (CCPA)

Introduction The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of California, United States. The bill was passed by the California State Legislature and signed into law by Jerry Brown, the Governor of California, on June 28, 2018, and

Compliance Hub WikiCompliance Hub

The Privacy Paradox: When Exercising Rights Creates New Risks

Perhaps the study's most troubling finding is what researchers call the "privacy paradox"—exercising your privacy rights under CCPA actually introduces new privacy vulnerabilities.

To request their data, consumers must provide personal information to companies that may not have had it before. As one data broker explicitly told the researcher: "We never had this information until receiving it in your email below."

The verification burden includes:

• 95% of brokers requested email addresses and names
• 42% demanded home addresses
• 23% required phone numbers
• 45 brokers asked for sensitive information including Social Security numbers, government IDs, or biometric data like selfies

Most concerningly, six brokers requested full SSNs, and four of them never responded—raising serious questions about who now has access to this sensitive information.

GDPR Compliance Guide: Updated for 2025

This definitive 2025 guide compares the compliance requirements, enforcement mechanisms, and implementation strategies for CCPA, GDPR, and LGPD. Discover practical approaches for building unified privacy programs that address cross-regulation requirements while minimizing duplicative efforts.

Compliance Hub WikiCompliance Hub

Current Enforcement Reality in 2025

The UC Irvine findings align with escalating enforcement activity. Beginning January 1, 2028, data brokers must undergo mandatory third-party audits every three years, signaling California's intent to strengthen oversight.

Recent enforcement demonstrates the financial stakes:

In February 2025, the CPPA reached a settlement requiring Background Alert to shut down operations through 2028 or face a $50,000 fine. This marked the first time a data broker was ordered to cease operations entirely.

In March 2025, a vehicle manufacturer paid $632,500 for requiring consumers to provide more information than necessary when exercising CCPA rights—directly validating the study's findings about excessive verification requirements.

The annual registration fee for data brokers jumped from $400 to $6,600 in 2025, funding the development of California's DELETE Request and Opt-Out Platform (DROP), designed to streamline consumer rights requests.

Take Control of Your Personal Data with Incogni

Introduction In the digital age, personal data has become a valuable commodity. Data brokers often collect and sell your personal information without your informed consent. This practice can invade privacy, potential scams, identity theft, and even financial repercussions. But there’s a solution - Incogni. What is Incogni? Incogni is a

Security Affiliates MarketingSecurity Affiliates

What the Study Reveals About Data Collection

Among the 22 data brokers that actually provided personal information, the findings were eye-opening:

Types of data shared:

• Credit reports and insurance information (highly sensitive)
• Behavioral inference data for advertising
• Public LinkedIn profile copies
• Information directly from the verification request itself

The security paradox: Two brokers handling the most sensitive data used postal mail for delivery—a more secure method than the digital channels used by others.

Privacy leakage: Alarmingly, one broker shared a third party's sensitive information, including 7 out of 8 characters of someone else's driver's license number—a clear CCPA violation.

Adapting to Global Regulatory Complexity: How Companies and Compliance Leaders Navigate Privacy Laws Like GDPR, CCPA, LGPD, and PIPL

As the digital age continues to expand, so do the regulations that govern how personal data is collected, processed, and stored. Privacy laws like the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, Lei Geral de Proteção de Dados

Compliance Hub WikiCompliance Hub

Why Compliance Remains Elusive

The study reveals several systemic issues preventing effective compliance:

Lack of Standardization:

• Each broker uses different verification processes
• No standard format for data delivery
• Inconsistent interpretation of CCPA requirements

Regulatory Gaps:

• Organizations have until June 2025 to align with finalized rules
• Daily fines of $200 accumulate for violations, but enforcement remains inconsistent

Technical Barriers:

• 32 brokers required technical knowledge to obtain verification information like cookie IDs or mobile advertising identifiers
• Form-based requests showed higher compliance rates (71%) than email requests (42%)

In Addition to COPPA and KOSA for Child Safety Bills

In the digital era, the safety of children on the internet has become a paramount concern, prompting significant legislative and policy-driven conversations. The recent move by the US Senate Judiciary Committee to summon top tech CEOs for a hearing on their platforms’ child safety measures highlights the urgency and complexity

Compliance Hub WikiCompliance Hub

The Path Forward: Recommendations for Stakeholders

For Policymakers:

• Mandate standardized verification processes with maximum information requirements
• Increase random compliance audits
• Create a centralized grievance system for consumer complaints

For Data Brokers:

• Implement CCPA compliance as a baseline business requirement
• Provide direct links to request forms in registry listings
• Train staff to handle privacy requests properly

For Consumers:

• Exercise caution when submitting verification information
• File official complaints with the CPPA when encountering non-compliance
• Understand that exercising privacy rights may require sharing additional personal information

The Privacy Dilemma: Data Brokers, Cambridge Analytica, and Photo Metadata Exploitation

In the digital era, the privacy of personal data, especially photos and videos uploaded to the cloud or social media platforms, has become a pressing concern. The role of data brokers and intelligence companies like Cambridge Analytica in using these data points highlights a significant privacy issue. Privacy Concerns in

My Privacy BlogMy Privacy Blog

Looking Ahead: The Enforcement Acceleration

The CPPA has intensified enforcement activities in 2025, demonstrating a strong commitment to holding businesses accountable. Recent actions against companies for "dark patterns" and improper opt-out processing signal a broader crackdown on privacy violations.

2025 could be a pivotal year for California privacy law, as multiple sets of regulations may be finalized throughout the year, potentially addressing many of the compliance gaps identified in the UC Irvine study.

The Bottom Line

The UC Irvine study provides the first comprehensive evidence of what privacy advocates have long suspected: despite years of privacy legislation, consumer rights remain largely theoretical for many Americans. 43% of registered data brokers simply ignore the law, while compliant companies often create burdensome processes that discourage legitimate requests.

This research arrives at a critical moment. As California strengthens its privacy framework and businesses face evolving challenges with new enforcement strategies taking shape, understanding these compliance failures becomes essential for meaningful reform.

The study's most important contribution may be its documentation of the "privacy paradox"—that exercising privacy rights can create new vulnerabilities. Until this fundamental contradiction is resolved through standardized, minimal verification processes, California's privacy protections will remain incomplete.

Digital Ghosts: A Complete OPSEC Guide to Protecting Your Personal Information Online

How to minimize your digital footprint and protect your personal information from data brokers, social engineers, and malicious actors In an era where our digital lives are increasingly intertwined with our physical existence, protecting personal information online has evolved from a luxury to a necessity. Every click, search, purchase, and

My Privacy BlogMy Privacy Blog

For compliance professionals, the message is clear: the current system is broken, enforcement is accelerating, and the cost of non-compliance—both financial and reputational—continues to rise. The question isn't whether to comply with CCPA requirements, but how quickly organizations can implement systems that respect consumer rights without creating additional privacy risks.

The full UC Irvine study provides detailed technical analysis and recommendations for all stakeholders in the privacy ecosystem. As enforcement actions multiply and regulations evolve, this research serves as both a wake-up call and a roadmap for meaningful privacy protection.

Personal Protection: The “Gray Man” Theory

When civil unrest escalates, as seen during the 2020 Minnesota riots, individuals and businesses can find themselves in situations where traditional emergency resources become overwhelmed and authorities are unable to provide timely assistance. This reality underscores the critical importance of self-protection and proactive preparedness. The “Gray Man Theory” is a

Secure IoT HouseSecure IoT House