Warning Signs Data Broker Complaint: Spot Non-Compliance and File Effectively in 2026
Data brokers often ignore deletion or access requests, with studies showing 43% of California-registered brokers failing to respond to access requests in 2025, according to the EFF. Other research indicates 41.2% email response rates and just 36.3% completion rates for requests, with 95% not deleting personal identifiable information. These red flags signal potential violations of laws like CCPA and PADFA.
If you face non-response, consumers can file complaints with the FTC at ftc.gov or by calling 1-877-FTC-HELP. California residents have additional options through the CPPA, Attorney General, and the DROP platform, launched January 1, 2026, with processing starting August 1. This guide outlines warning signs, timelines, and filing steps to help privacy-conscious US consumers, especially in California, enforce their rights under federal and state privacy laws.
Warning Signs of Data Broker Violations and How to File a Complaint in 2026
Common red flags of data broker non-compliance include ignored deletion or access requests, with 43% of California-registered brokers failing to respond to access requests in 2025 per EFF research. Additional indicators from an arXiv study show 41.2% email response rates, 0% phone responses, 36.3% request completions using email and name, and 95% failing to delete or respond regarding large amounts of PII. Note metric variances: the EFF's 43% non-response focuses on California-registered brokers, while the arXiv's 41.2% response rate reflects broader testing methods and scopes.
Consumers spotting these issues can file complaints via federal and state paths. Use the FTC at ftc.gov/complaint or 1-877-FTC-HELP for PADFA-related ignored requests nationwide. California residents should also report to the CPPA and Attorney General per EFF guidance, and leverage the DROP platform (launched January 1, 2026; processing from August 1) for deletions under CCPA. This intro previews detailed warning signs, timelines, step-by-step filing, and path selection to empower enforcement in 2026.
Top Warning Signs Your Data Broker Isn't Complying with Privacy Laws
Spotting non-compliance early empowers consumers to act. One clear indicator is when data brokers ignore deletion or access requests entirely. For instance, 43% of California-registered data brokers failed to respond to access requests in 2025, per EFF research. This ties directly to CCPA requirements, where businesses must handle such consumer rights requests.
Another sign is partial or failed fulfillment. An arXiv study found 41.2% of brokers responded to emails but none to phone calls, with only 36.3% completing requests using email and name details. Notably, 95% either did not respond or failed to delete large amounts of PII previously. Response rates vary across studies--43% non-response in the California-focused EFF analysis versus 41.2% response in the broader arXiv testing--highlighting differences in scope (CA-registered vs. general) and methods.
Brokers registered in California but operating nationally often show these patterns under CCPA scrutiny. Low engagement on these requests suggests failures in processes meant to protect consumer data, prompting complaints to enforcement bodies like the FTC, CPPA, or state AGs. Consumers should track their own requests against these benchmarks, recognizing the CA-heavy bias in some metrics.
Key Timelines Data Brokers Must Follow--and What Happens When They Don't
Data brokers face strict deadlines for handling consumer requests, and missing them triggers enforcement. Under PADFA, as noted in FTC warning letters to 13 brokers, companies must acknowledge complaints within 30 days and investigate without undue delay. Failure invites scrutiny, with potential penalties reaching $53,088 per violation.
CCPA sets response windows of up to 45 days for deletion or access requests, extendable to 90 days in complex cases. California's DROP platform, launched January 1, 2026, requires brokers to process deletions starting August 1, 2026, aligning with these timelines (Privacy Rights Clearinghouse).
Non-compliance escalates issues. The FTC's Data Broker Enforcement Strike Force, launched late 2025, targets unregistered brokers, while ignored requests lead to consumer complaints. Consumers should track these deadlines: no acknowledgment in 30 days under PADFA or no response in 45-90 days under CCPA signals a violation worth reporting. Data brokers risk enforcement actions, while consumers drive accountability by filing promptly.
How to File a Complaint Against a Non-Responsive Data Broker
Consumers play a key role in enforcement by filing reports. Start with the FTC for federal issues: visit ftc.gov/complaint or call 1-877-FTC-HELP (TTY available). Provide details like the broker's name, your request date, and evidence of non-response.
For California-specific ignored requests, EFF recommends filing with the California Privacy Protection Agency (CPPA) and Attorney General's Office via their respective websites. Include screenshots of your request and any broker communications.
From 2026, use California's DROP platform for deletion requests--launched January 1, with processing from August 1. Submit through the platform, then monitor for the 45-90 day CCPA response window.
Brokers must acknowledge within 30 days under PADFA and act promptly, but your filing initiates investigation. Keep records of all steps, as multiple paths may apply based on location and issue. Consumers file and report; brokers handle responses and face penalties for delays.
Choosing the Right Complaint Path for Your Data Broker Issue
Decide your path by residency, issue type, and scope. California residents benefit from state tools like CPPA, AG, and DROP for CCPA/PADFA issues, especially ignored deletions (e.g., 43% ignore rate per EFF 2025). National consumers lean toward FTC for broader PADFA enforcement. Factors include timelines (FTC's 30-day acknowledgment versus CCPA's 45-90 days) and channels. Note CA-heavy options and metric variances like 43% ignore rates in California studies versus 41.2% responses in broader arXiv data.
| Agency/Path | Timeline | Penalty Example | Best For | Response Channel |
|---|---|---|---|---|
| FTC (PADFA) | 30-day acknowledgment; investigate without undue delay | $53,088 per violation | National issues, ignored requests | ftc.gov/complaint or 1-877-FTC-HELP |
| CPPA/CA AG (CCPA) | 45-90 days response | Varies by enforcement | California residents, access/deletion ignores (43% rate) | State agency websites |
| CA DROP Platform | Processing from Aug 1, 2026; 45-90 days CCPA | Ties to CCPA penalties | CA deletion requests | DROP platform site |
This table notes CA bias; FTC suits wider US reach. File based on your location--e.g., FTC for any US consumer facing PADFA ignores, CPPA/AG/DROP for CA CCPA specifics.
FAQ
What should I do if a data broker ignores my deletion request?
File a complaint with the FTC at ftc.gov or 1-877-FTC-HELP. California residents should also report to CPPA and the Attorney General, and use the DROP platform from August 1, 2026.
How long does a data broker have to respond under CCPA?
Up to 45 days, extendable to 90 days for complex requests.
Can I file an FTC complaint against any data broker?
Yes, use ftc.gov/complaint or 1-877-FTC-HELP for PADFA-related issues like ignored requests, regardless of location.
What are the penalties for data brokers violating PADFA?
Up to $53,088 per violation, as referenced in FTC warning letters.
Is California's DROP platform available for all consumers in 2026?
Launched January 1, 2026, with deletion processing starting August 1 for California-covered data brokers; open to eligible CA consumers.
Why do studies show such low response rates from data brokers?
Research like EFF's 2025 finding of 43% non-response in California and an arXiv study with 41.2% email responses and 36.3% completions point to compliance gaps, varying by method and scope.
Track your requests and file promptly if timelines pass without action. Consult ftc.gov or state sites for updates in 2026.