The Dilemma of the DSAR DMV
Honoring user choice shouldn't be so hard
I’m Alan Chapell. Over the past 20+ years, I’ve been outside privacy counsel to hundreds of digital media companies, and I write a monthly syndicated report called The Chapell Regulatory Insider. I’m also a regulatory analyst for The Monopoly Report.
The latest Monopoly Report podcast! This week, I welcome Tony Katsur of IAB Techlab. Tony and I talk about the current state of the agentic ads space as well as AI content marketplaces.

When making a DSAR request feels like an afternoon renewing your driver’s license at the DMV
Editor’s Note: I was all set to do a quick recap of my fireside chat last week at Marketecture Live with FTC Commissioner Mark Meador. And then Allison Schiff from AdExchanger beat me to it with her fantastic take on the session. I can’t top what Allison wrote, so I’ll just share that I’m delighted to have Allison as my guest on the Monopoly Report podcast next week.
I accidentally signed up with a DSAR authorized agent
In early February, I started seeing deletion requests from an “authorized agent” called the Data Broker Buster, a new tool offered by a cybersecurity firm called CIS Labs. As you may know, an authorized agent is a company that makes data deletion and opt-out requests (DSARs) on behalf of data subjects.
I noticed that requests coming from Data Broker Buster routinely cited both the CCPA and the GDPR as obligating the data broker to honor their deletion and opt-out requests. But I also noticed that none of the requests they facilitated were coming from data subjects who were located in either Europe or California. So, I wanted to have a closer look at Data Broker Buster.
To that end, I began the process to sign up for the Data Broker Buster via the pseudonym “Billy Martin” – a tribute to the late manager of the NY Yankees.
I was more curious to see how much CIS Labs would charge for its service. So, I provided my personal information (well, Billy’s personal info) as a test and hit “complete,” thinking that I’d next be taken to a payment screen.
Bless their heart, it turns out that Data Broker Buster is a free service. So my hitting the “complete” button didn’t take me to a payment screen. Rather, hitting complete started the process where “Billy Martin” sent out deletion and opt-out requests (DSARs) to 700+ data brokers.
And over the next couple of weeks, I started receiving responses.
My take on many of these responses? To quote one of my favorite cartoon characters from the ‘80s: “Ack! Thppt!” The responses were all over the map, and many of them were really, really bad. It’s almost as if certain data brokers managed to recreate the experience of renewing my driver’s license at the DMV. (Hence, the picture.)
How to get fined by CalPrivacy in one easy step
I typically try to keep things high level and strategic over here at The Monopoly Report newsletter. But these types of issues strike me as both prevalent and problematic enough that it was worth mentioning on these pages.
Having a crappy process for honoring DSAR requests is not only a way to get your company in hot water with regulators, but it also undermines the credibility of industry leaders when we interact with those policymakers. For example, I can’t earnestly complain to Tom Kemp at CalPrivacy that authorized agents are not playing fair with adtech companies when so many adtechs don’t seem to have their DSAR houses in order.
And regulators might be the least of their problems:
- How many of these data brokers have executed contracts promising to honor DSARs in good faith?
- How many of them have attested to such compliance as part of an agency RFP process?
Folks: That’s a lot of liability being assumed in connection to something that very clearly isn’t a collective priority.
What are some of the issues?
I want to note that the adtech community represents almost one-third of the California registered data brokers (depending on how many of the location graph companies count as adtechs). That’s not the majority of the data brokers, but it’s also not nothing. Anyway, see below for a partial list:
- DSAR responses that don’t use actual English sentences.
- Responses that impose arbitrary or incorrect restrictions on who gets to make DSAR requests or the timelines for making them.
- Responses indicating that a data subject’s request didn't honor section 125.5(a)(4) of the data broker’s privacy policy, without the courtesy of providing a link to the privacy policy or explaining the violation.
- Requesting information that shouldn’t be necessary to process the DSAR or information that was previously provided.
I recognize that most adtech companies don’t process identifiable personal data. There are certainly challenges to honoring DSARs. BlueKai tried to do it 15 years ago. It wasn’t perfect, but it’s a shame that nobody’s come up with a better iteration in all those years.
Making Enforcement Easy
I often refer to “broken taillight” offenses – the type of things that regulators can spot from a mile away and prompt them to “pull your company over” for a closer look. Going through this exercise took me less than an hour, and I lost count at 50 data brokers that would merit a closer look just based on the data brokers’ responses.
Sooner or later, the CalPrivacy folks or other state privacy regulators (or maybe the FTC) will start looking at these responses with a critical eye. And in my view, they won’t have much trouble finding violations.
It’s not that difficult to fix
In my travels, I’ve learned that there are certain things that are broken because the problem is too difficult. There are some things that are broken due to neglect.
The fix here is straightforward: Have someone outside your legal and privacy team submit a request through your own DSAR process. Then read the response you receive. If it confuses you, it will confuse a regulator. And then fix it!
All this requires is someone giving a damn.
_________________________________________________________________________
If there’s an area that you want to see covered on these pages, if you agree/disagree with something I’ve written, if you want to tell me you dig my music, or if you just want to yell at me, please reach out to me on LinkedIn or in the comments below.