UC Irvine Study Exposes CCPA‑Noncompliant Data Brokers



University of California, Irvine computer scientists are concerned with how easily personal information is collected and sold, in most cases without consumers’ knowledge or consent.

In a recently published study, researchers reviewed 543 state-registered data brokers and found violations of the California Consumer Privacy (CCP) Act.

“What surprised me most was the overall percentage of non-CCPA-compliant brokers, and even more so, the 15 percent who actually acknowledged receiving a consumer request and then never replied,” UC Irvine distinguished professor of computer science Gene Tsudik said.

That group represents 35 percent of the brokers who failed to respond altogether. The CCP Act empowers residents with the right to request information about their data and demand its deletion.

In addition to being a professor, Tsudik is also one of the study’s authors along with Elina Marie Van Kempen.

“General consumer privacy is at stake,” Van Kempen and Tsudik told OrangeCountyLawyers.com.


Attorney William Federman – Federman & Sherwood

“What this research highlights is a troubling reality – personal data is being collected, traded, and retained with very little transparency for consumers. When companies fail to comply with privacy laws or ignore legitimate requests to delete personal information, they undermine the basic rights those laws were designed to protect,” data breach lawyer William Federman said.

Federman, whose firm investigates data breaches nationwide, further said, “Strong enforcement and accountability are essential if consumer privacy protections are going to mean anything in practice.”

Although the CCP Act requires a prompt and proper response when a consumer desires the erasure of their data, the research team found there are practices in which consumers are required to provide additional personal information in order to verify their identity, which exposes them to more privacy risk.

“One big problem is that a broker who has no prior record (or incomplete record) for a given consumer can wind up learning NEW personal information during the VCR process,” Tsudik and Van Kempen said. “This is very much undesirable, clearly.”

What is a Verifiable Consumer Request?

“VCR” is an industry reference to verifiable consumer requests.

To protect themselves during VCRs, consumers can inform data brokers that it’s against the law to require more personal data to verify their accounts depending on the specific type of personal information that’s requested.

Tsudik and Van Kempen admit, however, that this part of the CCP Act is quite hazy and that enforcement has a price.

“We can only conjecture,” they said. “Compliance isn’t free and probably isn’t cheap. A broker needs to establish a process, hire and/or train personnel.”

Further, the CCP Act does not standardize the details of the consumer-broker interface.

“That lack of uniformity is part of the problem,” Tsudik and Van Kempen added.

He further advises concerned consumers to use the California Privacy Protection (CPP) agency’s Delete Request and Opt-Out Platform (DROP) to either demand deletion or an opt-out alternative or both.

The platform then interfaces with all registered brokers to process the request.

Since the study’s release last year, Tsudik and Van Kempen said, the CPP agency has paid attention and even chatted with the researchers about their findings; however, neither the governor nor the attorney general has taken a direct interest in the violations.

“The CPP agency has become more active and has fined quite a few more web providers, some of which are data brokers,” the two researchers said.

For example, just last week, the CPP board fined the Ford Motor Company some $375,000 due to their improper opt-out process.

In its March 5 ruling, the CPP board said Ford should have processed consumers’ requests to opt out with the information consumers provided through Ford’s consumer privacy rights form.

“Each time Ford required a consumer to submit a verifiable consumer request to exercise the right to opt-out, Ford violated section 7026(d) of the regulations,” the stipulated final order states.

While some law firms have reached out to the Irvine scientists and they have discussed the issues with them, Tsudik and Van Kempen said when the attorneys requested very finely granular information, they were unable to provide it due to University of California rules.


Juliette Fairley

Juliette Fairley covers legal topics for various publications including the Southern California Record, the Epoch Times and Pacer Monitor-News. Prior to discovering she had an ease and facility for law, Juliette lived in Orange County and Los Angeles where she pursued acting in television and film.
