
How Data Broker Compliance Is Actually Measured (2026)

Everyone claims their opt-outs work. Almost nobody publishes how they measured it. Here's how a 2026 Stanford study and a Deloitte audit of Incogni actually measured data broker compliance, and what a rigorous study needs to include.

Written by Rahul Kandoriya · Last updated July 4, 2026

Everyone in the data-removal industry claims their opt-outs "work." Almost nobody publishes how they measured that. This post looks at the two most rigorous public methodologies for measuring data broker compliance to date (an academic audit and a third-party commercial audit) and at what a genuinely useful compliance study needs to include.

Key Takeaways

  • A June 2026 Stanford study published at the ACM FAccT conference used a two-part methodology: a document review of all 522 California-registered data brokers' privacy policies, plus a functional audit of 250 brokers by actually submitting consumer rights requests and tracking what happened.
  • That functional audit found 43% of brokers made it technically impossible to execute all statutory privacy rights, and 64% introduced at least one substantial "dark pattern" friction point into the request process.
  • Only about 9% of the 522 registered brokers were found fully compliant with California's mandatory transparency-reporting requirements as of the July 2025 deadline — a compliance-rate finding, not a removal-success finding.
  • Incogni's opt-out methodology, covering 420+ data brokers, was independently audited by Deloitte in August 2025 using an ISAE 3000 limited-assurance framework — a meaningfully different (and more externally credible) approach than a company self-reporting its own numbers.
  • A February 2026 U.S. Senate Joint Economic Committee investigation found that some brokers (naming IQVIA and Findem specifically) use technical obstruction, like "noindex" tags that hide opt-out pages from search engines, that a naive compliance measurement would miss entirely unless it specifically looked for it.

Why "Did They Comply?" Is Harder to Measure Than It Sounds

A data broker can be "compliant" in multiple different, non-overlapping ways:

  1. It has a legally required opt-out mechanism that exists somewhere on its site.
  2. That mechanism is actually discoverable — not hidden behind a noindex tag, not requiring you to already have an account, not buried three redirects deep.
  3. Submitting a request through that mechanism is technically possible without hitting a broken form, an infinite CAPTCHA loop, or a dead email address.
  4. The company actually acts on the request within the legally required window.
  5. The data doesn't reappear shortly afterward from re-ingested public records or a refreshed commercial feed.

Most public "which removal service is best" comparisons only ever look at the first of these: whether an opt-out mechanism exists at all. The two studies below are notable because they went further.


The Stanford Method: Document Review + Functional Audit

A Stanford University research team published a study at the 2026 ACM Conference on Fairness, Accountability, and Transparency (FAccT '26) that used a genuinely two-pronged approach.

Part one: transparency-reporting document review. The researchers manually reviewed the privacy policies of all 522 data brokers registered in California, checking whether each one met the mandatory transparency-reporting requirement (public disclosure of the volume and fulfillment rate of consumer requests) by its July 2025 deadline. Only about 9% were found fully compliant with this reporting obligation. That's a finding about paperwork transparency, not about whether opt-outs actually worked. The distinction is important, since a broker can fail to file a transparency report while still honoring individual removal requests, or vice versa.

Part two: functional audit. This is the more interesting half. The researchers didn't just read policies; they actually submitted consumer rights requests to a randomized sample of 250 data brokers and tracked what happened using measures for "dark patterns" and artificial friction. The results: 43% of brokers made it technically impossible to execute all statutory privacy rights, and 64% introduced at least one substantial design friction point into the process, such as extra verification steps, confusing multi-page flows, or requirements not actually mandated by law.

This is the methodology that matters if you're trying to measure real-world removal difficulty rather than paper compliance: you have to actually try to opt out, not just check whether an opt-out policy exists.


The Third-Party Audit Method: Deloitte and Incogni

A different, complementary approach to credibility is an independent commercial audit. In August 2025, Deloitte conducted an assurance engagement (under the ISAE 3000 limited-assurance standard, the same general framework used for other non-financial assurance work) covering Incogni's operational claims: the number of data brokers covered (420+), the frequency of its removal-request cycles, and completed-removal volume.

The distinction that matters here: this is not Incogni self-reporting its own numbers and calling it audited. An ISAE 3000 engagement means an external firm examined the underlying process and evidence and issued its own assurance opinion. That's a meaningfully stronger credibility signal than an internal claim, though it's still narrower in scope than the Stanford study: it verifies that Incogni's *process* operates as described, not that removals stick permanently across every one of those 420+ brokers over time.


What a Naive Measurement Misses: Deliberate Obstruction

Neither "does an opt-out exist" nor "how fast did they respond" catches everything. A February 2026 U.S. Senate Joint Economic Committee (JEC) report, released under Ranking Member Maggie Hassan, found that at least two data brokers, IQVIA and Findem, used "noindex" HTML tags on their own required opt-out pages: code that tells search engines not to index the page, making it effectively invisible to anyone trying to find it through a normal search, even though the page technically exists and the company can point to it as evidence of compliance.

Findem's own disclosures, per the JEC report, showed the company failed to process 80% of the privacy requests it received, citing "insufficient data" as the reason.

This is the kind of finding that only shows up if a study specifically checks for technical obstruction (deliberately hidden pages, unresponsive infrastructure, high undocumented rejection rates) rather than just measuring "time from request to response" for the requests that got through.


What a Rigorous Compliance Study Needs

Taking the strongest elements of both approaches above, a genuinely useful data broker compliance study should include:

  1. A functional audit, not just a policy review — actually submit requests and track what happens, the way the Stanford team did, rather than only reading privacy policies.
  2. A large enough, randomized sample to avoid cherry-picking the easiest or hardest brokers — the Stanford audit's 250-broker sample size is a reasonable benchmark.
  3. Independent verification of the underlying process, the way Deloitte's ISAE 3000 engagement validated Incogni's operational claims, rather than a company grading its own homework.
  4. An explicit check for obstruction tactics — noindex tags, broken forms, unresponsive email addresses, undocumented high rejection rates — not just response-time averages.
  5. A reappearance check over time, since a successful removal that silently comes back in 60–90 days (documented extensively in our own data reappearance research) isn't a real removal.
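
An added example (not from the original article or from the studies it cites) of the noindex check described in the obstruction section and listed as item 4 above: it scans an opt-out page's HTML and response headers for directives that keep the page out of search indexes. It goes slightly beyond the HTML tag the article mentions by also reading the `X-Robots-Tag` response header; the crawler-name list and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Crawler names whose <meta> tags carry indexing directives (assumed list).
ROBOT_META_NAMES = {"robots", "googlebot", "bingbot"}
BLOCKING = {"noindex", "none"}  # "none" is shorthand for "noindex, nofollow"

# Constructed sample pages, not taken from any real broker's site.
HIDDEN_PAGE = '<html><head><META NAME="Robots" CONTENT="NOINDEX, nofollow"></head></html>'
VISIBLE_PAGE = '<html><head><meta name="robots" content="index, follow"></head></html>'


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []  # list of (source, directive) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name in ROBOT_META_NAMES:
            for d in a.get("content", "").split(","):
                self.directives.append((f"meta:{name}", d.strip().lower()))


def header_directives(headers):
    """Parses X-Robots-Tag values, which may be prefixed with 'botname:'."""
    out = []
    for key, value in headers.items():
        if key.lower() != "x-robots-tag":
            continue
        for part in value.split(","):
            d = part.strip().lower()
            if ":" in d and not d.startswith("unavailable_after"):
                d = d.split(":", 1)[1].strip()  # "googlebot: noindex" -> "noindex"
            out.append(("header:x-robots-tag", d))
    return out


def audit_opt_out_page(html, headers):
    """Returns the (source, directive) pairs that block search indexing."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    found = parser.directives + header_directives(headers)
    return [(src, d) for src, d in found if d in BLOCKING]
```

An empty result means only that neither of these two signals is present; a page can still be kept out of search results by other means, so the check belongs alongside the other obstruction tests in item 4 rather than in place of them.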

Frequently Asked Questions

What percentage of data brokers actually comply with opt-out requests?

There isn't one clean industry-wide number; compliance depends heavily on what's being measured. A 2026 Stanford study found only about 9% of California-registered brokers were fully compliant with mandatory transparency-reporting requirements, while its separate functional audit found 43% of brokers made it technically impossible to exercise all statutory privacy rights and 64% had significant friction in the process.

Is Incogni's opt-out process independently verified?

Yes, in part. Deloitte conducted an ISAE 3000 assurance engagement in August 2025 covering Incogni's broker coverage (420+), removal-request cadence, and completed-removal volume. This is a stronger credibility signal than a self-reported claim, though it verifies the process rather than guaranteeing permanent removal from every broker.

How do data brokers hide their opt-out pages from being found?

A February 2026 Senate Joint Economic Committee report found that brokers IQVIA and Findem used "noindex" HTML code on their own required opt-out pages, code that prevents search engines from indexing the page, making the mechanism technically present but practically undiscoverable through a normal search.

Why do removed profiles come back after a successful opt-out?

Most data brokers continuously re-ingest from public records and commercial data feeds. A successful removal today doesn't prevent a broker from rebuilding your profile from a new court filing, address change, or purchased dataset weeks or months later. See our data reappearance research for typical reappearance windows by broker type.

