Data brokers are avoiding registering in states with strong data protection laws, hiding their “delete my data” pages from Google, and even ignoring lawful data requests. Whether intentional or simply errors, the effect is a widespread undermining of people’s ability to exercise their privacy rights.
It appears that at least some data brokers are betting that most people won’t have the time, resources, or persistence to fight for their privacy — and that no authorities will make it a priority.
Data brokers don’t register with authorities
In April 2025, the Privacy Rights Clearinghouse(nowe okno) analyzed the data broker industry in the four US states that require them register — California, Oregon, Texas, and Vermont. They identified 750 data broker groups operating in the US. Considering most data brokers — companies that collect, organize, and sell personal data — operate online on a national scale, these registries should all show roughly 750 companies.
Instead, this investigation found that hundreds of data brokers that registered in one state failed to register in another, despite the legal requirement.
| California CPPA registry | Vermont registry | Oregon registry | Texas registry |
|---|---|---|---|
| 459 registered data brokers | 441 registered data brokers | 275 registered data brokers | 226 registered |
| 291 missing | 309 missing | 475 missing | 524 missing |
This also doesn’t account for data brokers that didn’t register in any state, meaning the problem is likely even greater than this table shows.
There are some potential explanations for these discrepancies (such as slightly different definitions for “data broker” in each state and the rare data broker that only works in a single state), and the Electronic Frontier Foundation, PCR’s partner in this study, points out that this study isn’t accusing any company of breaking the law. Still, this lack of clarity and transparency into the data broker sector prevents real enforcement, which makes it harder for people to exercise their legal rights.
Data brokers hide from Google
An investigation published in August 2025 by The Markup(nowe okno) found that in California, 35 of the 499 registered data brokers added noindex code to their opt-out and data deletion pages, removing them entirely from Google and Bing search results. The researchers also found that five data brokers in fact offered no opt-out page. These pages are required by law in states like California and Virginia to help people reclaim control of their data.
However, these companies know that if a webpage is invisible to Google, most people will never find it.
When asked why they noindex their pages, most data brokers either did not respond or said they were unaware their pages couldn’t be searched by Google. Two companies said they did this intentionally to avoid spam and would not change it, and four companies made their opt-out pages searchable as a result of this investigation.
Data brokers ignore data requests
Even when people are able to find the opt-out page, a study from June 2025 led by researchers at the University of California, Irvine(nowe okno) found that over 40% of data brokers fail to respond to requests, and many impose extra hurdles — sometimes even requiring people share more personal data.
The California Consumer Privacy Act (CCPA) requires all data brokers active in the state to register, and gives everyone in the state the legal right to access or delete their data. The researchers wanted to see how cumbersome or, indeed, if it was even possible for the average person to exercise these rights. Starting with the 543 registered data brokers, they immediately excluded 89, including 39 that were impossible to reach (because their website was inaccessible, they had no privacy policy or opt out page, their emails bounced back, their phone numbers were disconnected, or other non-compliant practices).
Of the 454 remaining data brokers, dozens asked for even more personally identifying information to verify the user’s identity, including IP addresses, marital status, sometimes even their Social Security Number or government ID. This raises the issue that people might have to introduce new privacy risks to exercise their privacy rights under the CCPA.
The CCPA requires data brokers respond to these requests within 45 days. Of the 454 data brokers contacts, only 234 (52%) responded in the required time frame, another 24 (5%) responded after 45 days, and 195 (43%) never responded.
Why this matters
The US still doesn’t have a national privacy law, like the EU’s GDPR or Brazil’s LGPD. In this vacuum, several states have passed their own privacy laws, attempting to give their residents the ability to take more control of their data. However, these laws are only as strong as the enforcement behind them. What these three studies show is that enforcement is weak, if it exists at all. As a result, data brokers do not take compliance seriously.
The California Consumer Privacy Act is the most comprehensive privacy law in the US, and yet even here, data brokers failed to register, hid legally required opt-out pages, and ignored lawful data requests. This is the best-case scenario in the US, and it is still difficult — if not nearly impossible — for people to exercise their legally guaranteed privacy rights.
How to take control of your privacy
Your privacy rights don’t mean much if companies can bury them behind technical tricks and bureaucratic roadblocks. These dark patterns show that without transparency, oversight, and strong enforcement, the “right to delete” risks becoming an empty promise.
And without the right to delete, you have fewer ways to limit data brokers’ reach. These companies don’t just collect your information — they feed it into all sorts of algorithms and AI-powered automated systems that can shape your life in unseen and unpredictable ways. In some cases, data brokers have even helped undermine the democratic process by making it easier to manipulate people at scale or target them with propaganda.
You can help push back by:
- Using resources like the Privacy Rights Clearinghouse data broker registry(nowe okno) to identify and contact brokers holding your data.
- Supporting legislation and enforcement actions that penalize noncompliant brokers.
- Protecting your personal information with privacy-focused tools like Proton Mail, Proton Pass, Proton VPN(nowe okno), and Proton Drive.
The more people demand their rights — and call out those who ignore them — the harder it will be for data brokers to operate in the shadows.
