Warning Signs of Data Broker Violations and How to File a Complaint
Data brokers collect and sell personal information, but violations of privacy laws create serious risks for consumers. Key warning signs include failure to respond to privacy requests, non-compliance with the Fair Credit Reporting Act (FCRA), and selling sensitive data like military status. These issues have drawn FTC scrutiny, such as 2013 warning letters to 10 out of 45 brokers tested for FCRA problems and 2026 letters citing potential breaches under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA).
Studies show substantial non-compliance: 43% of data brokers failed to respond to access requests under California's CCPA, per EFF in 2025 and Cloaked. Even among responders, only 52% met the 45-day CCPA timeframe, according to Cloaked.
Privacy-conscious consumers can act by filing complaints with the FTC via its Complaint Assistant or 1-877-FTC-HELP, which feeds into the Consumer Sentinel database, or state agencies like California's CPPA or Attorney General for CCPA issues. Spotting these signs empowers you to report violations and push for accountability.
FTC Warning Letters Highlight Data Broker Risks
Government warnings serve as clear indicators of risky data broker practices. In 2013, the FTC sent letters to ten data broker companies after a test-shopping operation. FTC staff contacted 45 companies posing as buyers, and ten appeared willing to sell consumer information without meeting FCRA requirements, such as providing permissible purpose disclosures or consumer dispute rights.
In February 2026, the FTC issued letters identifying instances where data brokers offered products or analytics with highly sensitive personal information, including military status. The agency noted that such data falls under PADFAA, effective June 2024, which carries civil penalties up to $53,088 per violation, as reported by Biometric Update.
These actions underscore how official warnings flag brokers mishandling data, helping consumers identify potential violators before engaging or filing complaints. The 2013 FTC operation showed ten of 45 tested companies with signs of FCRA violations. The 2026 letters highlight concerns with sensitive data transfers under PADFAA.
Non-Response to Privacy Requests Signals Non-Compliance
A major red flag arises when data brokers ignore requests to access or delete personal data, violating laws like CCPA. According to EFF in 2025, 43% of registered data brokers in California failed to respond at all to such requests. Cloaked reported a 43% non-response rate, with only 52% of those that responded meeting the 45-day CCPA deadline.
Non-response directly contravenes CCPA mandates for verifiable consumer requests. These rates--43% non-response per EFF (2025) and Cloaked, and 52% compliance among responders per Cloaked--point to widespread issues with access requests. Consumers facing this issue can escalate by documenting the request and lack of reply, preparing evidence for a formal complaint. If no response, the EFF notes filing with the California Privacy Protection Agency (CPPA) and California Attorney General's Office as a next step for California-registered brokers.
Should You File a Complaint? Weighing Your Options
Deciding where to file depends on the violation's nature and your location. Federal complaints through the FTC suit national issues like FCRA or PADFAA problems, while state paths target CCPA-specific failures, such as non-responses.
| Aspect | FTC Complaint Path | State Agency Path (e.g., California) |
|---|---|---|
| Scope | National; FCRA non-compliance, PADFAA sensitive data sales | State-specific; CCPA access/deletion requests |
| Process | Online Complaint Assistant or call 1-877-FTC-HELP; enters Consumer Sentinel for law enforcement | File with CPPA or Attorney General's Office |
| When to Use | FCRA violations (e.g., 10/45 brokers flagged in 2013); sensitive data under PADFAA ($53,088 penalties) | Non-response to privacy requests (43% rate per EFF 2025) |
FTC complaints build a broader enforcement picture via Consumer Sentinel, while state agencies like CPPA handle localized CCPA enforcement. Start with the path matching your evidence, and consider both if the issue spans federal and state laws. For FCRA concerns tied to the 2013 FTC findings or PADFAA sensitive data issues from 2026 letters, the FTC path aligns directly. For CCPA non-responses, as seen in the 43% rate from EFF and Cloaked studies, state agencies provide targeted recourse.
FAQ
What does it mean if a data broker doesn't respond to my privacy request?
It signals potential non-compliance with laws like CCPA, where brokers must respond to access or deletion requests. A 43% non-response rate among California brokers was noted by EFF in 2025.
How many data brokers failed FTC tests for FCRA compliance?
Of 45 companies tested in the FTC's 2013 operation, ten appeared to violate FCRA by selling information without required procedures.
What penalties can data brokers face for mishandling sensitive data?
Under PADFAA, civil penalties reach $53,088 per violation, as highlighted in the FTC's 2026 warning letters.
Where do I file an FTC complaint against a data broker?
Use the FTC's online Complaint Assistant or call 1-877-FTC-HELP; complaints enter the Consumer Sentinel database.
What are the timelines for data brokers to respond under CCPA?
Brokers must respond within 45 days, but only 52% of responders met this timeframe, per Cloaked.
Can state agencies like CPPA handle data broker complaints?
Yes, for CCPA violations like non-responses; file with CPPA or the California Attorney General's Office.
Document any privacy request and response timeline before filing. Check FTC or state agency sites for the latest forms to submit your complaint effectively.