CCPA ENFORCEMENT GAP REPORT

Everyone reports volume.
No one cryptographically verifies it.

We analyzed every major company that publishes CCPA transparency metrics. They report how many deletion requests they received and how fast they responded. Not one can cryptographically verify the data was actually removed.

30+
Companies publishing CCPA metrics
2.1M+
Deletion requests processed in 2024
22 days
Avg. response time across all companies
0
Companies with cryptographic verification
🔓

The Enforcement Gap

CCPA Requirement: Report deletion request volumes and response times.
CCPA Does NOT Require: Cryptographically prove deletions actually happened.
The Result: Self-reported metrics. Zero independent verification. Companies self-report — and users have zero cryptographic proof their data is gone. That's the gap Adworth's State-Persistence Monitor and Invisibility Ledger are designed to close.

Company
Know Requests
Delete Requests
Denied
Avg. Days
Verified?
Google
Big Tech
3M+ (self-svc)
15M+ (self-svc)
21
None
Meta
Big Tech
2.76%
1
None
Apple
Big Tech
Highest
<1
None
Amazon
Big Tech
Highest
26.5
None
Microsoft
Big Tech
16
<1
None
Airbnb
Travel
31,971
138,864
18.2
None
Slack
SaaS
None
Capital One
Finance
High*
None
TransUnion
Data Broker
None
Walmart
Retail
47,445
6,194
None
Square
FinTech
None
LinkedIn
Big Tech
None
TikTok
Social Media
None
Adworth℠
Consent Infrastructure
Instant
✓ Crypto

* GLBA-exempt institutions typically deny more requests. — = data not broken out in published report. Self-svc = includes self-service tool usage, not CCPA-specific requests only. All data from publicly available 2024 CCPA transparency reports.

Data Source & Methodology

All figures are sourced from publicly available CCPA transparency reports published by each company, covering calendar year 2024 (January 1 – December 31, 2024). The CCPA metrics reporting obligation applies to businesses that process personal information of 10 million or more California residents annually, as required by California Civil Code § 1798.185(a)(7). Companies are required to publish these metrics by July 1 each year. Some companies report California-specific data; others report all U.S. requests. Where companies include self-service tool usage alongside CCPA-specific requests, this is noted. “Verified?” indicates whether the company provides any cryptographic or independently auditable proof that deletion was executed — not merely that a request was acknowledged.

Disclaimer: Adworth℠ LLC is not affiliated with any company listed on this page. All data is sourced from publicly available CCPA transparency reports that companies are required to publish under California Civil Code § 1798.185(a)(7). “Verified?” reflects whether the company provides cryptographic or independently auditable proof of deletion execution — not whether the company complied with CCPA response requirements. This page is for informational and research purposes only and does not constitute legal advice.

Key Findings

What the reports don’t tell you

Every company below passed the compliance checkbox. None of them can prove your data is actually gone.

🗑️
0%

Verification Rate

Not a single company provides cryptographic proof that data was actually removed. “Complied with” means they acknowledged the request — not that they can prove it was executed.

⚠️
Thousands

Denials on Vague Grounds

Across all reporting companies, denials citing "other grounds" or unclear justifications are common. No independent audit exists to verify these claims industry-wide.

🔑
5 Systems

Adworth’s Answer

The State-Persistence Monitor, Invisibility Ledger, Consent API, Governance Engine, and Removal Payload Engine — five patent-pending systems that make verification automatic and cryptographic.

The Solution

Deletion claims are self-reported.
We make them cryptographically verifiable.

Regulators don't accept "we trust them." They want proof. We provide it — mathematically.

Join the Waitlist →