CCPA ENFORCEMENT GAP REPORT
We analyzed every major company that publishes CCPA transparency metrics. They report how many deletion requests they received and how fast they responded. Not one can cryptographically verify the data was actually removed.
* GLBA-exempt institutions typically deny more requests. — = data not broken out in published report. Self-svc = includes self-service tool usage, not CCPA-specific requests only. All data from publicly available 2024 CCPA transparency reports.
All figures are sourced from publicly available CCPA transparency reports published by each company, covering calendar year 2024 (January 1 – December 31, 2024). The CCPA metrics reporting obligation applies to businesses that process personal information of 10 million or more California residents annually, as required by California Civil Code § 1798.185(a)(7). Companies are required to publish these metrics by July 1 each year. Some companies report California-specific data; others report all U.S. requests. Where companies include self-service tool usage alongside CCPA-specific requests, this is noted. “Verified?” indicates whether the company provides any cryptographic or independently auditable proof that deletion was executed — not merely that a request was acknowledged.
Aggregate statistics methodology. The top-of-page figures (“30+ Companies publishing CCPA metrics,” “2.1M+ Deletion requests processed in 2024,” and “22 days Avg. response time across all companies”) are computed from the universe of large CCPA-reporting entities surveyed for this analysis — including but not limited to the companies shown in the table above. The deletion-request and response-time aggregates sum reported volumes and weight response times by request count where companies disclose both. Where a company reports a range rather than a point estimate, the midpoint is used. The complete underlying spreadsheet, including every company sampled, the source URL for each report, and the calculations behind the aggregates, is available on request — contact with subject line “CCPA Gap Methodology.”
Disclaimer: Adworth℠ LLC is not affiliated with any company listed on this page. All data is sourced from publicly available CCPA transparency reports that companies are required to publish under California Civil Code § 1798.185(a)(7). “Verified?” reflects whether the company provides cryptographic or independently auditable proof of deletion execution — not whether the company complied with CCPA response requirements. This page is for informational and research purposes only and does not constitute legal advice.
Key Findings
Every company below passed the compliance checkbox. None of them can prove your data is actually gone.
Not a single company provides cryptographic proof that data was actually removed. “Complied with” means they acknowledged the request — not that they can prove it was executed.
Across all reporting companies, denials citing "other grounds" or unclear justifications are common. No independent audit exists to verify these claims industry-wide.
The State-Persistence Monitor, Invisibility Ledger, Consent API, Governance Engine, and Removal Payload Engine — five patent-pending systems that make verification automatic and cryptographic.
The Solution
Regulators don't accept "we trust them." They want proof. We provide it — mathematically.
Join the Waitlist →