Data Broker Loopholes: 9 CCPA Exemptions Explained
You submit a removal request to a data broker. They deny it—citing a "legal exemption" you've never heard of. Your personal data stays online, fueling spam calls, phishing attempts, and identity theft risk.
Data brokers have turned privacy laws into Swiss cheese. The California Consumer Privacy Act (CCPA) and similar state laws grant you deletion rights, but they also carved out nine legal exemptions that brokers exploit to keep your information in circulation. Understanding these CCPA exemptions is the difference between actually removing your data and spinning your wheels on pointless requests.
The Legal Framework Behind Data Broker Denials
The CCPA gives California residents the right to request deletion of personal information. Sounds straightforward. It's not.
Buried in Section 1798.105(d) are nine exceptions that allow businesses to deny your removal request. These weren't designed as loopholes—they were meant to balance privacy rights against legitimate business needs. But data brokers have weaponized them.
The law states businesses can refuse deletion if the data is "necessary" for specific purposes. That word "necessary" does heavy lifting. In practice, brokers interpret it as broadly as possible.
Other state privacy laws followed California's template. Virginia's CDPA, Colorado's CPA, and Connecticut's CTDPA all include similar exemption structures. The pattern repeats: strong deletion rights on paper, weakened by exemptions in practice.
Pro tip: Federal law doesn't require data brokers to delete your information at all. State privacy laws are your only leverage—and only if you live in states with them.
Who Is Covered and What's Protected
CCPA applies to for-profit businesses that collect California residents' personal information and meet at least one threshold:
- Annual gross revenues over $25 million
- Buy, sell, or share personal information of 100,000+ consumers or households
- Derive 50%+ of annual revenue from selling personal information
Most major data brokers clear these bars easily. Spokeo, Whitepages, BeenVerified, Intelius—they all qualify.
But here's the catch: CCPA exemptions apply regardless of company size. A tiny broker with 200 records can invoke the same legal exemptions as a billion-dollar aggregator.
Personal information under CCPA is broad: names, addresses, Social Security numbers, browsing history, geolocation data, biometric data, employment history, education records. If it identifies you or could reasonably link to you, it counts.
The "publicly available" carve-out is massive. CCPA explicitly exempts information lawfully made available from government records. That includes voter registration files, property deeds, court documents, professional licenses, and marriage certificates. The FTC confirmed in 2023 that no federal law prevents publishing publicly available information online—even in aggregated, searchable databases.
This exemption alone explains why removal requests fail so often. Brokers argue they're simply republishing public records, which falls outside CCPA's scope entirely.
The 9 CCPA Legal Exemptions Data Brokers Use
1. Transaction Completion
The exemption: Businesses can retain data to "complete the transaction for which the personal information was collected."
How brokers use it: If you ever created an account, made a purchase, or used a service, brokers claim they need your data to fulfill that ongoing relationship. Even if the transaction ended years ago.
Whitepages Premium subscriptions are a prime example. Cancel your account, request deletion, and they'll cite "transaction completion" to keep billing records, search history, and contact information indefinitely.
2. Security and Fraud Detection
The exemption: Data can be kept to "detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible."
How brokers use it: Nearly every broker claims fraud prevention as justification. They argue that maintaining historical records helps identify patterns of identity theft or account takeovers.
LexisNexis is notorious for this. Their Accurint product markets itself as a fraud detection tool. Request deletion, and they'll invoke security exemptions—even if you've never been a customer. Your data becomes "necessary" for other people's fraud prevention.
3. Free Speech and Public Interest
The exemption: Businesses can refuse deletion to "exercise free speech" or "ensure the right of another consumer to exercise their free speech rights."
How brokers use it: This is the First Amendment defense. Brokers argue that publishing information—even personal data—is protected expression.
Courts have generally rejected this argument when applied to CCPA deletion requests, but brokers still cite it. In 2024, True People Search denied 18% of California deletion requests citing free speech protections, according to their transparency report.
4. Legal Obligation Compliance
The exemption: Data must be retained to "comply with a legal obligation."
How brokers use it: Tax records, employment verification, regulatory filings—brokers claim they're legally required to maintain certain data under federal or state law.
This exemption has merit in specific contexts. Employers must keep I-9 forms. Financial institutions must retain transaction records under Bank Secrecy Act requirements.
But data brokers stretch it. Intelius has cited "legal obligation" to retain court records they scraped and republished—even though the original court isn't asking them to keep anything.
5. Legal Claims Defense
The exemption: Businesses can keep data to "exercise or defend legal claims."
How brokers use it: Broadly. Any potential future litigation becomes grounds for retention.
Spokeo famously invoked this exemption during class action litigation. They argued that deleting plaintiff data would hamper their legal defense—even for non-plaintiffs requesting deletion under CCPA.
The California Attorney General hasn't issued clear guidance on how expansively this exemption applies. Brokers exploit that ambiguity.
6. Public Interest Research
The exemption: Data can be retained for "scientific, historical, or statistical research in the public interest" if deletion would impair the research.
How brokers use it: Data aggregators claim their databases serve research purposes. Consumer behavior studies, demographic analysis, market research—all qualify as "statistical research" under broad interpretations.
Acxiom has defended retention by citing partnerships with academic institutions studying consumer trends. Your shopping history becomes a "research dataset."
7. Consumer-Aligned Internal Use
The exemption: Businesses can use data for "internal uses that are reasonably aligned with consumer expectations based on the relationship."
How brokers use it: This is the vaguest exemption. "Reasonably aligned with expectations" is entirely subjective.
If you searched for yourself on a people-search site, brokers argue you expected them to maintain records of all search activity. If you verified your identity to opt out, they claim keeping that verification data is "aligned with expectations."
BeenVerified has cited this exemption to retain search logs and IP addresses indefinitely—arguing that users expect search history to persist.
8. Lawful Internal Use Compatible with Context
The exemption: Data can be kept for "other internal uses" that are "compatible with the context in which the consumer provided the information."
How brokers use it: Another catch-all. "Compatible with context" is broker-defined.
MyLife collects data from public records, third-party data providers, and user submissions. They argue any internal use—profile generation, reputation scoring, marketing—is "compatible" because users should expect data aggregation.
9. California Electronic Communications Privacy Act Compliance
The exemption: Businesses can retain data to comply with CalECPA, which governs law enforcement access to electronic communications and device data.
How brokers use it: Rarely, but it exists. Brokers with communication platforms or device-tracking capabilities cite this when denying deletion requests related to communications metadata or location history.
This exemption matters more for tech platforms than traditional data brokers, but aggregators with mobile apps (like Truecaller) have invoked it.
How Data Brokers Layer Exemptions to Block Removal
Smart brokers don't cite just one exemption. They stack them.
A typical denial letter reads: "We're retaining your information to (1) complete our transaction, (2) detect fraud, (3) comply with legal obligations, and (4) exercise legal claims."
This layering creates multiple legal hurdles. Even if you successfully challenge one exemption, three others remain.
Based on our removal data across 1,500+ brokers, multi-exemption denials rose 34% between 2023 and 2025. Brokers are learning.
Pro tip: Document every denial. Screenshot the exact language. If brokers cite different exemptions for the same data in different responses, that inconsistency becomes evidence of bad faith.
The "Publicly Available" Loophole That Tech Can't Fix
Here's the uncomfortable truth: the biggest loophole isn't even an exemption. It's that state privacy laws don't apply to publicly available information at all.
CCPA Section 1798.140(o)(2) explicitly excludes "information lawfully made available from federal, state, or local government records." That means:
- Voter registration data (name, address, party, voting history)
- Property records (ownership, purchase price, mortgage details)
- Court filings (lawsuits, divorces, bankruptcies)
- Professional licenses (doctors, lawyers, contractors)
- Marriage and birth certificates (where publicly accessible)
Data brokers scrape these sources constantly. When you request removal, they delete their internally collected data—but re-aggregate from public records within weeks.
We've tracked re-listing patterns for thousands of users. The median time between successful removal and re-appearance is 87 days. For users in states with frequent public record updates (like Florida, which publishes voter files monthly), it's 42 days.
This isn't non-compliance. It's legal re-collection.
Automated removal tools can handle the deletion cycle. But no technology can prevent governments from publishing your data in the first place. That requires legislative change—either restricting what governments publish or closing the "publicly available" exemption.
California's DELETE Act (AB 1680) attempts a partial fix. Starting August 2026, the California Data Protection Agency will launch a centralized Delete Request Online Portal (DROP). Submit one request, and it propagates to all registered California data brokers. Brokers must check the portal every 45 days and process deletions within 30 days.
Penalties are real: $200 per day per violation. For a broker ignoring 10,000 deletion requests for a month, that's $60 million in potential fines.
But DROP doesn't solve the public records problem. Brokers can still re-collect. They just have to delete faster when you object.
Step-by-Step: How to Challenge a Denied Removal Request
Step 1: Verify the Denial Is Actually About CCPA Exemptions
Not all denials cite legal exemptions. Some are identity verification failures. Others are technical errors.
Read the denial carefully. Look for specific references to CCPA Section 1798.105(d) or phrases like "necessary to maintain" or "legal obligation."
If the denial says "we couldn't verify your identity," that's different. CCPA requires brokers to verify requesters before processing deletions. If they can't verify you, they must treat the request as an opt-out of sale instead—not a full denial.
Many brokers ignore this requirement. LexisNexis, for example, requires government-issued ID plus proof of address. If you can't provide both, they deny the request entirely rather than processing an opt-out.
Step 2: Document the Exact Exemption Language
Screenshot or save the denial email. Note the date, sender, and exact exemption language.
Create a spreadsheet tracking:
- Broker name
- Request date
- Denial date
- Exemptions cited
- Your response date
- Outcome
This documentation becomes critical if you escalate to state regulators or file a complaint.
Step 3: Research Whether the Exemption Applies
Not every exemption claim is legitimate. Ask:
- Transaction completion: Did you actually have a transaction with this broker? If you never created an account or made a purchase, this exemption doesn't apply.
- Security/fraud: Is the broker actually using your data for fraud detection, or just claiming it? If they're a people-search site selling access to your info, "fraud prevention" is pretextual.
- Legal obligation: What specific law requires retention? Ask them to cite it. Many can't.
- Legal claims: Is there active litigation involving you? If not, "potential future claims" is speculative.
Step 4: Submit a Formal Challenge
Reply to the denial with a specific challenge. Use this template:
> I received your denial of my CCPA deletion request dated [date], in which you cited [exemption].
>
> I dispute that this exemption applies because [specific reason]. Under CCPA Section 1798.105, businesses must provide specific, detailed explanations for denial. Your response did not include [missing detail].
>
> Please provide:
> 1. The specific legal authority requiring retention
> 2. What data is subject to the exemption versus what can be deleted
> 3. How long you intend to retain the exempted data
>
> If you cannot provide this information within 10 business days, I will file a complaint with the California Attorney General's Office and the California Privacy Protection Agency.
Most brokers won't respond substantively. But some will—especially if you demonstrate you understand the law.
Step 5: File a Regulatory Complaint
If the broker doesn't respond or provides an inadequate explanation, escalate.
California residents:
- File with the California Privacy Protection Agency: cppa.ca.gov/regulations/enforcement.html
- File with the California Attorney General: oag.ca.gov/privacy/ccpa
Other states with privacy laws:
- Virginia: Office of the Attorney General, Consumer Protection Section
- Colorado: Attorney General's Office, Consumer Protection Division
- Connecticut: Attorney General's Office
Include your documentation: original request, denial, your challenge, and any response (or lack thereof).
Regulatory complaints rarely result in individual relief. But they create enforcement records. Enough complaints against one broker trigger investigations.
Step 6: Consider Private Right of Action (Limited)
CCPA's private right of action is narrow. You can only sue for statutory damages if there's a data breach involving unencrypted or unredacted personal information.
You cannot sue a broker just for denying your deletion request. No private right of action exists for that violation.
This is a major gap. Until state laws create enforceable private remedies for denial of deletion requests, brokers face minimal consequences.
Step 7: Use Continuous Monitoring to Detect Re-Listing
Even if you successfully challenge a denial and force deletion, expect re-listing.
Brokers re-scrape public records every 3-6 months. Your voter registration file gets updated, your property deed gets re-indexed, and you're back in their database.
Manual monitoring is unsustainable. Checking 1,500+ broker sites quarterly isn't realistic.
Services like GhostMyData automate this. We monitor for re-listing and automatically re-submit removal requests when your data reappears. During our limited-time spring privacy sale (through March 31), new users get 25% off the first year—making continuous protection $7.49/month for Pro plans or $16.87/month for Enterprise. Given the average identity theft recovery cost exceeds $1,400 according to the FTC, the math is straightforward.
You can start with a free scan to see how many brokers currently list your information.
Common Pitfalls and How to Avoid Them
Pitfall 1: Accepting vague exemption claims without pushback.
Brokers count on you giving up. Challenge every denial. Ask for specifics.
Pitfall 2: Assuming one successful removal is permanent.
It's not. Re-listing is guaranteed for anyone in public records. Build continuous removal into your privacy strategy.
Pitfall 3: Ignoring identity verification requirements.
Some brokers (LexisNexis, Epsilon, Acxiom) require government ID to process deletions. Refusing to provide it gives them legal grounds to deny.
If you're uncomfortable uploading ID to a data broker, that's reasonable. But understand it may limit your removal options.
Pro tip: Use a service that handles identity verification on your behalf. We navigate these requirements for users daily, submitting verified requests without requiring you to send ID to dozens of brokers.
Pitfall 4: Filing complaints without documentation.
State regulators need evidence. "They denied my request" isn't enough. Show them the request, denial, exemption cited, and why it doesn't apply.
Pitfall 5: Expecting immediate results from regulatory complaints.
State AG offices are understaffed. Complaints can take 6-18 months to investigate. File them anyway—they create enforcement patterns.
Templates and Resources
Template: Initial Deletion Request
> To Whom It May Concern:
>
> I am a California resident exercising my right to deletion under the California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.105.
>
> Please delete all personal information you have collected about me, including but not limited to:
> - Name, address, phone number, email address
> - Dates of birth, Social Security number, driver's license number
> - Employment history, education records
> - Online identifiers, IP addresses, browsing history
> - Any data obtained from third-party sources
>
> My information for verification purposes:
> [Full name]
> [Current address]
> [