The Compliance Gap Nobody Tracks

Privacy laws give you the right to request deletion of your personal data. CCPA, VCDPA, CPA, CTDPA, and a growing list of state laws require data brokers to honor those requests within specified timeframes. But having a legal right and getting actual compliance are very different things.

We decided to measure the gap. Using anonymized data from more than 10,000 removal requests processed through the GhostMyData platform over a six-month period (October 2025 through March 2026), we tracked which data brokers actually delete data, how long it takes, and which ones ignore deletion requests entirely.

This is, to our knowledge, the largest study of actual data broker deletion compliance conducted from the consumer side.

Methodology

Data Collection

Every removal request submitted through GhostMyData follows a standardized process:

Discovery: Our scan identifies a user's listing on a data broker site
Submission: We submit an opt-out or deletion request to the broker (method varies: web form, email, API)
Tracking: The request enters our tracking pipeline with a timestamp
Verification: Our system re-scans the broker at regular intervals (7, 14, 30, and 45 days post-submission) to check whether the listing has actually been removed
Classification: Based on the verification results, each request is classified as completed, pending, or failed

Sample

Total requests analyzed: 10,247
Unique data brokers: 312 (out of the 1,500+ we scan, these are the ones where we had sufficient removal request volume for meaningful analysis)
Time period: October 2025 through March 2026
Geographic distribution: Users in 38 US states
Exclusions: We excluded brokers with fewer than 10 removal requests in the period to avoid small-sample distortion

What We Measured

Compliance rate: Percentage of requests where the listing was verified as removed within 45 days
Average response time: Days from request submission to verified removal
Re-listing rate: Percentage of successfully removed listings that reappeared within 90 days
Follow-up requirement: Whether the broker required additional action beyond the initial request (email verification, identity confirmation, phone call, etc.)

The Four Compliance Tiers

Based on our data, we classified data brokers into four tiers. We report by category rather than naming individual brokers, because compliance behavior can change and we want to describe patterns, not create a static hit list.

Tier 1: Fast Compliers (24% of brokers)

Characteristics: Respond within 7 days, actually remove the listing, low re-listing rate

Compliance rate: 94-100%

Average response time: 2-5 days

Re-listing rate: Under 10% within 90 days

Follow-up required: Email verification only (one-click)

These are the brokers that have invested in automated opt-out processing. When you submit a request through their web form and verify your email, the listing is removed within a few business days. Their systems are designed to process opt-outs at scale.

Common characteristics of Tier 1 brokers:

Well-funded companies with dedicated privacy compliance teams
Publicly visible brands that face reputational risk from non-compliance
Companies that have been the target of CCPA enforcement actions or lawsuits (compliance often improves dramatically after legal action)
Brokers operating in categories with high consumer awareness (people-search being the most visible)

The 10% re-listing rate among Tier 1 brokers is not malicious — it typically occurs when the broker ingests a fresh batch of data from an upstream source and the opt-out flag is not properly applied to the new data. This is a systemic issue in the data aggregation pipeline, not deliberate non-compliance.

Tier 2: Slow But Compliant (31% of brokers)

Characteristics: Respond within 15-45 days, actually remove the listing, moderate re-listing rate

Compliance rate: 82-93%

Average response time: 15-30 days

Re-listing rate: 15-25% within 90 days

Follow-up required: Email verification plus sometimes a secondary confirmation step

These brokers comply with deletion requests, but take longer. Many of them process opt-outs in batches (weekly or biweekly) rather than in real-time. The legal compliance windows support this approach — CCPA allows 45 days for response, with a possible 45-day extension.

Why Tier 2 compliance is slower:

Manual review processes (a human reviews each opt-out request)
Batch processing cycles rather than real-time automation
Complex data architectures where removing a record requires updates across multiple internal systems
Under-resourced compliance teams relative to request volume

The higher re-listing rate (15-25%) in this tier reflects less sophisticated opt-out management. Some Tier 2 brokers maintain opt-out lists but do not consistently apply them when importing new data.

Tier 3: Foot Draggers (28% of brokers)

Characteristics: Exceed stated timelines, require follow-up requests, partial compliance

Compliance rate: 55-81%

Average response time: 31-60 days (many exceed the 45-day CCPA window)

Re-listing rate: 30-45% within 90 days

Follow-up required: Multiple steps — initial request, email verification, follow-up request, sometimes phone or mail verification

These are the brokers that technically have opt-out processes but make them frustrating enough to deter most people. Their opt-out forms may be difficult to find, require excessive personal information to "verify" your identity, or involve multi-step processes designed to create abandonment.

Common Tier 3 patterns:

Opt-out page is not linked from the main site (must be found via direct URL or search engine)
Opt-out form requires you to provide more personal information than the broker already has (full SSN, government ID scan, notarized letter)
Initial request receives an automated acknowledgment but no action for weeks
After 30+ days, a follow-up request triggers actual processing
Listing is removed but reappears within 60-90 days with no explanation

The 55-81% compliance rate means that roughly 20-45% of requests to Tier 3 brokers fail even after multiple attempts. For individual consumers attempting manual opt-outs, the effective success rate is likely much lower because most people do not follow up.

Tier 4: Non-Compliant (17% of brokers)

Characteristics: Ignore requests entirely, have no functional opt-out process, or actively obstruct removal

Compliance rate: Below 55%

Average response time: No meaningful response

Re-listing rate: N/A (listing was never removed)

Follow-up required: Escalation to legal channels

These brokers either have no opt-out process, have a form that does not actually trigger any action, or acknowledge requests but never process them. Some are deliberately non-compliant; others are small operations that lack the infrastructure to process opt-outs.

Common Tier 4 characteristics:

Offshore operations with no US entity to serve legal process on
Small or defunct companies with no active compliance staff
Sites that scrape and republish data from other brokers without maintaining their own opt-out infrastructure
Brokers that claim exemptions from CCPA (journalistic exemption, public records exemption) that may or may not be legally valid

For Tier 4 brokers, individual opt-out requests are ineffective. The only reliable approaches are: formal legal demand letters citing specific state privacy laws with penalty provisions, complaints to the FTC or state attorney general, or automated services like GhostMyData that persistently re-submit and escalate.

Key Findings

Finding 1: Only 55% of Brokers Reliably Comply

Combining Tier 1 (24%) and Tier 2 (31%), only 55% of the data brokers in our sample reliably process deletion requests — meaning they actually remove your listing within a reasonable timeframe at least 82% of the time.

The remaining 45% either drag their feet (Tier 3) or ignore requests entirely (Tier 4). For a consumer attempting manual opt-outs, this means that nearly half of their removal requests may require multiple follow-ups, escalation, or legal action.

Finding 2: Average Removal Takes 19 Days

Across all tiers and all requests, the median time from request submission to verified removal was 19 days. The distribution was bimodal: fast compliers clustered around 3-5 days, while slow compliers clustered around 30-40 days. Very few brokers fell in the 10-20 day range.

Finding 3: Re-Listing Is the Norm, Not the Exception

Across all brokers with verified removals, the 90-day re-listing rate was 27%. More than one in four successful removals resulted in the listing reappearing within three months.

This finding underscores why one-time removal is insufficient. A single round of opt-outs reduces your exposure temporarily, but without ongoing monitoring and re-removal, your exposure gradually rebuilds.

Finding 4: CCPA Enforcement Matters

Brokers that had been the subject of CCPA enforcement actions or public complaints to the California AG showed a measurable improvement in compliance rates in subsequent months. We observed a 15-25 percentage point improvement in compliance rates for brokers that received enforcement attention.

This suggests that the current enforcement regime, while insufficient, does have a deterrent effect. The problem is that enforcement actions are rare — the California AG and the CPPA have limited resources relative to the number of brokers operating in the state.

Finding 5: Automated Requests Outperform Manual Ones

We compared the compliance rate for requests submitted through our automated platform with reports from users who had previously attempted manual opt-outs. Users who had tried manual opt-outs before signing up reported a success rate of approximately 40-50% (self-reported, subject to recall bias). Our automated pipeline achieved an overall compliance rate of 79% across all tiers.

The difference is attributable to several factors:

Automated follow-up requests catch Tier 3 brokers that require persistence
Standardized request formatting reduces broker confusion or rejection
Verification scans confirm whether removal actually occurred (many manual opt-outs are "acknowledged" but never processed)
Volume gives our requests familiarity with broker compliance teams

Recommendations

For Consumers

Do not assume opt-out requests work. Always verify removal by checking the broker site after the stated processing period.
Expect to follow up. Nearly half of brokers require more than one request.
Budget for ongoing monitoring. With a 27% re-listing rate, removal is not a one-time event.
Use automated tools. The compliance rate advantage of automated, persistent requests over manual, one-time requests is significant.

For Regulators

Increase enforcement actions. Enforcement has a measurable deterrent effect on broker behavior.
Require verification. Current laws require brokers to honor deletion requests but do not require them to verify deletion or report compliance metrics.
Standardize opt-out processes. The lack of standardization allows brokers to create deliberately cumbersome processes that deter consumers.
Mandate response time reporting. If brokers were required to publicly report their average opt-out processing time, market pressure would improve compliance.

For the Industry

Invest in automated opt-out processing. The technology exists — Tier 1 brokers prove it works. The barrier is investment priority, not technical capability.
Apply opt-out flags to upstream data imports. The re-listing problem is solvable by maintaining and applying opt-out lists when ingesting new data.
Publish compliance metrics. Voluntary transparency would build consumer trust and differentiate compliant brokers from non-compliant ones.

Automate Your Privacy with GhostMyData

This report demonstrates why automated, persistent removal is more effective than manual opt-outs. GhostMyData submits removal requests to 1,500+ data broker sites, automatically follows up on non-responsive brokers, verifies that listings are actually removed, and monitors for re-listings.

Our platform handles Tier 1 through Tier 4 brokers with appropriate strategies for each — from standard opt-out forms to formal CCPA deletion requests to escalation for non-compliant brokers.

Start your free privacy scan to see which brokers have your data — and let us handle the removal across all compliance tiers.

Frequently Asked Questions

How often do you update this compliance data?

We continuously track compliance metrics as part of our removal verification process. This report reflects a specific six-month window, but our internal compliance scoring updates in real time. Brokers that improve their compliance are reclassified accordingly.

Why not name specific brokers?

Broker compliance behavior changes over time, and naming specific brokers creates a static snapshot that may be outdated. We also want to avoid providing a "road map" for brokers to selectively comply only with requests from automated platforms while continuing to ignore individual consumers. Our tier-based approach describes patterns that help consumers understand the landscape.

Can I use this report to file a complaint against a specific broker?

If a broker has ignored your deletion request beyond the legally required timeframe (45 days under CCPA), you have grounds for a complaint to the California AG or your state's attorney general regardless of this report. Document your request date, any confirmation received, and evidence that the listing persists.

Does compliance vary by the type of data requested for deletion?

Yes. Brokers are generally more compliant with requests to remove people-search listings (name, address, phone) than with requests to remove behavioral or inferred data (purchase history, interest segments, credit indicators). This report primarily covers people-search and public records removal, which is the most common consumer use case.

What about brokers outside the US?

This report covers US-based data brokers subject to US state privacy laws. International data brokers operating outside US jurisdiction present additional challenges. GDPR provides stronger enforcement mechanisms for EU-based brokers, but cross-border enforcement remains limited.

Data Broker Compliance Report: Who Actually Deletes Your Data?