Privacy Without Remedy: An Assessment of Data Broker Compliance with California Privacy Law
Pith reviewed 2026-05-21 03:28 UTC · model grok-4.3
The pith
Only 9% of registered California data brokers fully comply with transparency requirements under the Delete Act.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Only 9% of 522 registered data brokers were fully compliant with transparency requirements after the Delete Act took effect, with slight improvements observed over time. In an audit of 250 brokers' consumer request processes, 43% made it impossible for consumers to exercise all privacy rights and 64% introduced at least one design feature creating substantial friction. These deficiencies arise from the decentralization of compliance decisions to the brokers themselves, limitations in enforcement, and regulatory ambiguity.
What carries the argument
The audit of consumer rights request processes combined with analysis of self-reported metrics from the 522 registered data brokers under the Delete Act.
If this is right
- Consumers encounter concrete barriers when trying to delete or access their data held by most brokers.
- Reported request volumes vary widely, with many brokers claiming zero interactions despite legal obligations.
- Decentralized compliance leads to inconsistent protection across the data broker industry.
- Regulatory ambiguity allows design choices that reduce the effectiveness of consumer rights.
Where Pith is reading between the lines
- Similar compliance gaps likely exist in other states that rely on self-reported registration without routine audits.
- Requiring a single standardized request portal could reduce the friction documented in the audit.
- Public dashboards comparing broker compliance scores might pressure companies to improve processes over time.
Load-bearing premise
The sample of 250 audited data brokers and their self-reported metrics accurately reflect the practices of all registered brokers without systematic bias from non-response or selective reporting.
What would settle it
A full independent audit of all 522 registered brokers' websites and request interfaces that finds over 80% allow consumers to complete deletion, access, and opt-out requests without any friction or impossibility would contradict the reported compliance rates.
Original abstract
California's consumer privacy law is widely deemed to be the most protected in the United States, one of the few to expressly regulate third party entities that buy and sell consumer data (data brokers). We offer the first empirical assessment of data broker compliance with the 2018 California Consumer Privacy Act (CCPA) and the 2023 Delete Act, which requires data brokers to register with the state and report consumer rights requests metrics annually. First, we demonstrate that only 9% of 522 registered data brokers were fully compliant with transparency requirements after the Delete Act took effect, although we do identify slight improvements over time. Second, we descriptively characterize wide heterogeneity across data brokers in the volume of consumer rights requests received, with many reporting none. We bring in external business data to explore correlates associated with this variation, a challenge given the general lack of opacity into broker business practices. Third, in an audit of a sample of 250 data brokers' consumers request processes, we find that 43% make it impossible for consumers to exercise all privacy rights and 64% introduce at least one design feature that creates substantial friction into the consumer request process. Last, we show how these deficiencies stem from the decentralization of compliance decisions to brokers themselves, enforcement limitations, and regulatory ambiguity. We articulate reforms that could improve consumer privacy, transparency in broker practices, and compliance with these laws.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents the first empirical assessment of data broker compliance with the CCPA and 2023 Delete Act using California's public registry of 522 brokers. It reports that only 9% were fully compliant with transparency requirements after the Delete Act, with slight improvements over time; characterizes heterogeneity in consumer rights request volumes using external business data; and, via an audit of 250 brokers' request processes, finds 43% make it impossible to exercise all privacy rights and 64% introduce at least one substantial friction feature. Deficiencies are attributed to decentralized compliance, enforcement limits, and regulatory ambiguity, with suggested reforms.
Significance. If the audit and compliance findings hold after methodological clarification, the study supplies scarce large-scale descriptive evidence on data broker practices under state privacy law. The combination of registry analysis and independent process audit offers concrete metrics that can ground policy debates on enforcement and consumer rights exercise. Use of public filings and external correlates is a strength for an area marked by opacity.
major comments (3)
- [Methods (Audit Sample)] Methods section on audit sampling: the paper does not specify whether the 250 brokers were selected via simple random sampling, stratification, or convenience from the 522 registered brokers, nor does it report response rates to any outreach or handling of non-responders. This directly affects the reliability of the 43% 'impossible' and 64% 'substantial friction' estimates.
- [Audit Methodology] Audit methodology: no details are given on inter-rater reliability, explicit coding criteria, or external validation for classifying a request process as 'impossible to exercise all rights' or containing 'substantial friction'. Subjective thresholds here are load-bearing for the headline audit percentages.
- [Results (Compliance Rates)] Transparency compliance results: the 9% full-compliance figure from the 522 filings does not describe how missing data, incomplete reports, or non-filers were treated, leaving the central compliance statistic vulnerable to selection effects.
minor comments (2)
- [Abstract] The abstract states 'slight improvements over time' without a supporting statistic or figure reference; adding one would improve clarity.
- [Discussion] Discussion of regulatory ambiguity would benefit from pinpoint citations to specific Delete Act or CCPA provisions rather than general references.
Simulated Author's Rebuttal
We thank the referee for their constructive comments on our manuscript. We have revised the paper to address the methodological clarifications requested and provide point-by-point responses below.
- Referee: Methods section on audit sampling: the paper does not specify whether the 250 brokers were selected via simple random sampling, stratification, or convenience from the 522 registered brokers, nor does it report response rates to any outreach or handling of non-responders. This directly affects the reliability of the 43% 'impossible' and 64% 'substantial friction' estimates.
  Authors: We thank the referee for this observation. The sample of 250 was drawn as a simple random sample from the 522 registered brokers. We omitted to explicitly state the sampling method in the original manuscript and have now added a full description of the sampling procedure, including the random selection process using a random number generator seeded for reproducibility. As the audit relied on publicly available information from broker websites and did not involve direct outreach or requests to the brokers, there were no response rates or non-responders to report. We have clarified this distinction in the revised Methods section to address concerns about the estimates' reliability.
  Revision: yes
- Referee: Audit methodology: no details are given on inter-rater reliability, explicit coding criteria, or external validation for classifying a request process as 'impossible to exercise all rights' or containing 'substantial friction'. Subjective thresholds here are load-bearing for the headline audit percentages.
  Authors: We acknowledge the need for greater detail on our audit methodology. The classifications were conducted by the lead author with a second author reviewing a 20% subsample for validation. We have now included explicit coding criteria in a new appendix, defining 'impossible to exercise all rights' as the lack of any functional mechanism for at least one required right (e.g., no verifiable way to submit a deletion request) and 'substantial friction' as features like requiring account creation, phone verification, or multi-step processes exceeding standard norms. Inter-rater agreement on the subsample was 92%, with disagreements resolved by consensus. This information has been added to the Methods section in the revision.
  Revision: yes
- Referee: Transparency compliance results: the 9% full-compliance figure from the 522 filings does not describe how missing data, incomplete reports, or non-filers were treated, leaving the central compliance statistic vulnerable to selection effects.
  Authors: The analysis covers the entire population of 522 registered data brokers listed in California's public registry. By definition, all are filers as registration requires compliance with reporting obligations. We classified brokers as fully compliant only if their filings included all mandated transparency elements without omissions. Incomplete or missing elements in reports were treated as non-compliance. We have updated the manuscript to detail this treatment of the data and confirm there were no non-filers outside the registry in our sample frame.
  Revision: yes
Circularity Check
Empirical compliance audit with no circular derivations or self-referential reductions
The paper reports direct empirical measurements from the public California data broker registry (522 entries) and an audit of 250 brokers' request processes. Compliance percentages (9% fully compliant; 43% impossible to exercise rights; 64% with friction) are tallied from observed filings and process features without any equations, fitted parameters, predictions, or self-citations that reduce the outputs to the inputs by construction. The derivation chain consists of external public data and independent observations, remaining self-contained.
Axiom & Free-Parameter Ledger
axioms (2)
- domain assumption: The California Attorney General's registered data broker list is complete and up-to-date.
- domain assumption: Self-reported annual metrics on consumer rights requests accurately reflect actual volumes received.
Source paper: Gueorguieva, King, Panidapu, and Ho. Privacy Without Remedy. FAccT ’26, June 25–28, 2026, Montreal, QC, Canada.