Almost all of those "sketchy" companies get the information from publicly available sources. They also specifically disclaim them from being used for employment/credit type things that would make them subject to the FCRA or they follow all the rules for FCRA.
I'm not sure what "accountability" you think should apply to them. There's not usually anything you can get from BeenVerified that you could more laboriously do by contacting the various sources that they use.
The law you're referring to is the "California Computer Privacy Act" doesn't apply here. What that law does is say that if YOU provide them information, you have rights about controlling what they subsequently do with it.
It doesn't mandate they remove information they get from people OTHER than you.

