Data brokers collect and sell the personal information of millions of individuals, often without their knowledge or consent. The California Consumer Privacy Act (CCPA) grants consumers the legal right to request access to, or deletion of, their data. To facilitate these requests, California maintains an official registry of data brokers. However, the extent to which these entities comply with the law is unclear. This paper presents the first large-scale, systematic study of the CCPA compliance of all 543 officially registered data brokers. Data access requests were manually submitted to each broker, followed by in-depth analyses of their responses (or lack thereof). More than 40% failed to respond at all, in an apparent violation of the CCPA. Data brokers that responded requested personal information as part of their identity verification process, including details they had not previously collected. Paradoxically, this means that exercising one's privacy rights under the CCPA introduces new privacy risks. Our findings reveal rampant non-compliance and a lack of standardization in the data access request process. These issues highlight an urgent need for stronger enforcement, clearer guidelines, and standardized, periodic compliance checks to enhance consumers' privacy protections and improve data broker accountability.