HelpnetSecurity

Most data brokers won’t tell you what happened to your deletion request


Data brokers collect personal details on most adults in the United States and sell them to buyers that include employers, landlords, insurance companies, and government agencies. California gives residents a way to push back. You can ask a broker to delete your records, or to stop selling and sharing them. A team at UC Irvine decided to find out what happens when someone sends those requests to the whole California registry. The answer gives consumers little comfort.

The researchers sent deletion and opt-out requests to every reachable broker on California’s public list in the fall of 2025. That worked out to 322 deletion requests and close to 360 opt-out requests. To keep real people out of the mix, they built two made-up identities, one for each request type, each with a working email address and a plausible California address.

Silence is the common response

A broker gets 45 days to tell you what it did with a deletion request. That is a generous window. Most brokers let it run out without a word about the outcome. Around 70% never reported any result back to the consumer, so you are left guessing about whether a record got touched, or whether your request even reached a human.

Opt-outs did a little better, with close to one in four getting some kind of acknowledgment. The rule there works differently. A broker has 15 business days to stop selling or sharing your data, and it has to give you a way to confirm the opt-out went through. Close to a third of the brokers that answered blew past that deadline anyway.

Across both request types, response rates stayed low, somewhere between 26% and 38%. And these are the requests people file the most, by a wide margin.
The same group ran a companion study on data access requests using a real person’s information, and that one got a 57% response rate. So the requests consumers reach for most often are the ones drawing the least engagement.

Verification the law forbids

Opt-outs come with one firm rule. A broker cannot make you prove your identity to process one, since the whole point is to let anyone opt out with as little friction as possible. That rule gets broken a lot. Around 22% of brokers asked for identity verification on an opt-out, which the CCPA flatly disallows. A bigger group asked for more personal information than a record match would ever need, which drifts into the same territory.

The money side of this got real in early 2026. The California Privacy Protection Agency settled with Ford Motor Company, which paid $375,703 over its opt-out process. The agency pinned the penalty on “adding unnecessary friction to opt-out process.” Brokers demanding IDs and email confirmations for a simple opt-out are walking the same line.

Requests that made things worse

A few brokers did something more unsettling than going quiet. Three of them started sending marketing email to the addresses tied to the made-up identities, right after getting privacy requests from those same addresses. The CCPA says information shared during a request can serve only to fulfill that request.

One broker confirmed a deletion and stapled a sample of its consumer records to the reply. Those records held information about real people. A privacy request turned into a small data spill.

Another answered an opt-out with a webpage that read “You have already chosen to opt-in,” which gave the consumer no way to opt out and no explanation of anything.

The catch with invented identities

There’s a catch worth sitting with. The identities were made up, so no broker actually had records on them. And a broker with nothing to delete has nothing to confirm. What the study really captures is the process side of things: did brokers write back, did they write back on time, and did they ask only for what the law allows. Whether your real data would have vanished is a separate question, and the researchers are upfront about not answering it.

That gap matters if you think of data brokers as an attack surface. Their records feed open-source intelligence, social engineering, and doxxing, and they hand bulk location and identity data to buyers that include federal agencies. So the one legal lever we have for shrinking that surface hands back a confirmation page for a person who never existed. That tells a security team almost nothing about whether the real data is still sitting there.

What changes in August

California has a new tool that might move these numbers. The Deletion Request and Opt-out Platform, known as DROP, opened its consumer portal in early 2026, and it lets residents file one request that covers every registered broker. Brokers have to start checking the platform and acting on the piled-up requests in August 2026. Everyone outside California is still stuck going broker by broker, or paying a removal service to do it for them.



Source link