EPIC Encourages CalPrivacy to Enact Independent Testing and Inspection Requirements for Data Broker Audits

In response to CalPrivacy’s request for input on the state’s data broker audit requirements for processing deletion requests, EPIC submitted comments on Thursday advising the agency on best practices. 

CalPrivacy should establish requirements and processes that ensure auditors independently verify brokers’ conclusions—given data brokers’ demonstrated inability to accurately self-report—and implement additional audit requirements for brokers using AI systems. 

Under the California Delete Act, data brokers must undergo audits every three years beginning in 2028. EPIC commends CalPrivacy for its work to better regulate data brokers and encourage the agency to enact stringent requirements to ensure effective audits. 

EPIC has published numerous resources highlighting how data brokers harm different communities, including one pagers focused on data-broker-fueled harm to immigrant communities, domestic violence survivors, national security, and public officials.