Data Broker CCPA Compliance Issues
September 25, 2025
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s highlight some data broker compliance issues under the California Consumer Privacy Act (as amended) (CCPA) in light of a new study on data broker privacy compliance published by researchers at UC Irvine.
UC Irvine Study
UC Irvine’s study bills itself as the “first large-scale systematic study of CCPA compliance of all 543 registered data brokers” registered with the California Privacy Protection Agency. It focuses narrowly on consumer privacy rights across California’s entire data broker ecosystem. While it doesn’t capture the full picture (more on that below), it provides some interesting data about rampant CCPA noncompliance by data brokers. Rather than recount all of the details, please click on the following link for the full study:
https://arxiv.org/pdf/2506.21914
And the following is a link to a good summary of the study:
Our Thoughts
The Missing B2B Dimension: While the UC Irvine study provides valuable documentation of consumer-facing CCPA compliance failures, it overlooks a critical dimension of data broker operations: business-to-business contractual relationships and the extensive CCPA requirements governing data transfers between businesses and their service providers, contractors, and third parties.
Recall that under CCPA, businesses must ensure that contracts with data brokers include specific provisions:
+ Obligating compliance with applicable CCPA obligations;
+ Granting businesses rights to monitor compliance; and
+ Requiring notification when brokers can no longer meet their legal obligations.
Without solid contractual frameworks, businesses aren’t able to fulfill their own CCPA duties, particularly in responding to consumer rights requests and ensuring lawful data processing throughout their supply chains.
Contractual Documentation Challenges: In our practice, we have observed that, rather than providing clear, comprehensive agreement terms, many data brokers present potential customers with either bare-bones order forms or order forms that contain embedded links to additional terms of service, data processing addenda, privacy policies, supplemental policies, and tangential terms. Often those documents contain still more links to still more terms, which, taken together, make it nearly impossible to understand the actual contractual obligations and data handling practices. This fragmented documentation approach obscures critical details about data sourcing, processing limitations, and compliance responsibilities.
Warranty Disclaimers and Liability Shifts: Widespread deficiencies in data broker contract terms also systematically undermine CCPA compliance. Many data brokers disclaim all warranties, offering their services “AS-IS” without any representation or warranty regarding data accuracy, effectively providing no transparency into their data acquisition methods or the legal basis for processing.
Beyond these warranty disclaimers, data brokers routinely attempt to shift liability for all legal compliance (privacy, marketing, and otherwise) entirely onto their customers. We have even encountered contracts where data brokers disclaim all responsibility for their own sub-processors' compliance with privacy laws—a provision that directly conflicts with the CCPA’s requirements.
Asymmetric Risk Allocation: The liability imbalance of these contracts is further compounded by asymmetric risk allocation: data brokers typically cap their own liability at minimal amounts (often a fee refund or less) while requiring customers to assume unlimited liability and provide broad indemnification to the data brokers for privacy law violations. This structure inverts incentives since the data brokers have the greatest control over data sourcing, processing, and compliance, yet they bear the least financial risk for violations. Customers, therefore, assume the massive liabilities associated with privacy violations committed by their brokers.
The Impossible Compliance Situation: Overall, these contracts create an impossible situation for the contracting businesses: The businesses must ensure compliance for data processing activities (because that is what the CCPA requires), but their data broker vendors refuse to provide assurances about fundamental legal requirements, such as whether consumer consents were obtained, data retention limits are observed, or deletion requests can even be honored. Effectively, these contractual gaps prevent businesses from meeting their CCPA obligations to “take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business' obligations under the CCPA.”
The B2B Data Assumption Problem: This situation is further complicated by widespread misconceptions about data regulatory scope. Many American businesses operate under the assumption that business-to-business contact information and similar data remain largely unconstrained by privacy laws. While this assumption had some historical basis, California's B2B exemptions under CCPA expired on January 1, 2023, bringing business contact data within the law's scope. More fundamentally, however, data broker contracts typically provide no meaningful assurance about the nature, source, or regulatory status of the data being provided.
Without clear contractual representations, businesses cannot determine whether they are receiving legitimate B2B contact information or tainted, consumer-personal data subject to the full spectrum of privacy protections. A dataset marketed as "business contacts" could contain consumer email addresses, residential information, or other personal data that triggers comprehensive privacy obligations. This uncertainty creates legal risk for businesses that may unknowingly process consumer data without proper state privacy law safeguards, while data brokers insulate themselves from liability through the very contractual deficiencies that enable such violations in the first place.
AI, Algorithmic Opacity, and CCPA Transparency Requirements: The compliance challenges are further compounded by data brokers' increasing reliance on opaque artificial intelligence systems.
California recently finalized its Automated Decision-Making Technology (ADMT) regulations, effective January 1, 2027, requiring businesses to provide consumers with "plain language explanations" of how AI systems process their data and make decisions affecting them. However, many data brokers utilize AI systems that operate as "black boxes"—systems whose decision-making processes are not (or cannot be) meaningfully explained. Moreover, data brokers typically refuse to acknowledge, describe, or provide any transparency about their AI systems in their B2B contracts. This contractual silence creates a deliberate information asymmetry: businesses must comply with CCPA transparency requirements while their data broker vendors refuse to provide the basic information necessary to meet those obligations.
Moving Forward: Future research should examine B2B contractual relationships, alongside data brokers’ operations, to understand how data broker contract terms facilitate or impede CCPA compliance across the broader data ecosystem.
Meanwhile, businesses should continue to insist upon transparency, legality, and enforceability in their contracts to acquire personal data, including business contact data, and if a hopeful vendor will not or cannot provide the requisite contractual terms, their would-be customers should pass them by, keep looking for a compliant vendor, and understand that, at least in the short term, it may be a fruitless search.
--
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.