This is the first in a series of posts about the implementation of the California Consumer Privacy Act (CCPA).
As someone who works in cybersecurity and privacy and who lives in California, I’ve been closely tracking CCPA since it was passed. The state statute, protecting consumers’ rights to access, request deletion of, and opt out of the sale of their personal information, went live in January. At the time, I conducted what I thought of as an initial experiment, to see what would happen when I requested my own data—which companies were prepared to send it, how much they would send, and how promptly they would respond. I approached Verizon, Facebook, Comcast, Google, LinkedIn, Ring, Amazon, YouTube, and Intuit, as well as some data brokers that are registered with the state, among others.
Almost across the board, I was asked to confirm my identity, which is a reasonable and expected security request. But a leading facial recognition technology company actually prompted me to upload a new photo of my face as part of my submission which seemed counterintuitive—they needed me to give them more of my PII before they would show me what they’d already collected? If I wasn’t in their database already, I was now.
By law, companies have 45 days to acknowledge receipt of the request and deliver the data. The most responsive companies sent an automatic email response acknowledging receipt of my request followed by dozens of spreadsheets within the following days. Others came back with responses weeks later, and a few even squeaked in just before the 45 day window closed. The least responsive simply never replied. Most concerning was that the data brokers were entirely unresponsive to my requests.
Another interesting finding was the widely varying formats for data delivery. The letter of the law states “The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily usable format that allows the consumer to transmit this information to another entity without hindrance.” But this language does not address the consumer’s ability to access or review their own data. It just says that the data has to be in a format that can be easily passed along to someone else. I’m not sure what was intended there, but it doesn’t seem to be a consumer-focused stipulation. A quick note is that LinkedIn offered a user-friendly privacy dashboard for reviewing the data instantaneously, but this wasn’t the case across the board. One company prompted me to download a third-party software application in order to see the data. Another company only returned the data in a JSON file, with which I was unfamiliar. After talking to my development team here at NetDiligence, I learned that it is a format commonly used to transfer large amounts of data but it was not easy to open or access. If this law is truly about consumers, the data needs to be easily accessed, period.
I did learn some lessons in this practice run. I learned that if you change your privacy settings after you have accessed your data, as I did on a few platforms, you can no longer view the old data that the company once held—meaning it’s no longer viewable on their privacy platform. But how do I know they deleted it from their servers or files? I did not formally request to delete it, it’s just not there for me to view anymore.
In terms of the content itself, it was a fascinating exploration into how these companies gather, store, sort, and use our data. While they all collect the same basic information, their data holdings can include anything from prospective religious beliefs to whether you are likely to use technical support to all the search terms you’ve entered on their platform. Some other interesting categorization data included the predictable “Ad Targeting,” but also “Causes You Care About,” “Analytics and Inferences, and more.
It’s safe to say that those companies who have most successfully prepared for the implementation of CCPA data requests had already done so for Europe’s GDPR regulation. These organizations have had some time to test out their process, gather feedback from consumers, and learn from early mistakes. Just as we saw with GDPR, there are likely dozens of lawsuits that will be filed at midnight when enforcement kicks in on July 1. As such, I will be revisiting this issue to see how companies have changed or adapted their handling of privacy data between now and then.