Stanford study reveals 91% of data brokers flout California privacy law

A new empirical study from Stanford researchers (Gueorguieva et al., 2026) provides the first comprehensive assessment of data broker compliance with California's consumer privacy laws, including the 2018 CCPA and the 2023 Delete Act. The study audited all 522 registered data brokers and found that only 9% were fully compliant with transparency requirements, despite California's reputation for having the strongest consumer privacy protections in the US. The researchers also discovered wide heterogeneity in how brokers handle consumer rights requests, with many reporting zero requests received annually.

In a detailed audit of 250 brokers' consumer request processes, the team found that 43% made it impossible for consumers to exercise all their privacy rights, while 64% introduced at least one design feature creating substantial friction—such as requiring uploaded IDs, demanding excessive documentation, or hiding the request portal. The authors attribute these systematic failures to three root causes: the decentralization of compliance decisions to individual brokers, weak enforcement mechanisms, and regulatory ambiguity. They propose concrete reforms including centralized compliance frameworks, clearer enforcement guidelines, and mandatory transparency reporting to close the gap between privacy law on paper and privacy in practice.