Touted as a “huge leap forward” for advocates of data privacy, the California Consumer Privacy Act (CCPA), the first comprehensive American data privacy law, became enforceable on July 1, 2020.
Recently, on November 3, 2020, a second law was passed, the California Privacy Rights Act of 2020 (CPRA) or Proposition 24, also known as CCPA 2.0. Among other things, the CPRA provides additional rights and establishes a new privacy agency to enforce the statute. However, the majority of these changes will not be implemented until January 1, 2023.
In the meantime, we’re watching how the CCPA is being implemented and what can be learned before the CPRA goes into effect. The CCPA established new consumer rights, including:
1) the right to know what data companies are gathering on them.
2) the right to have their data deleted, and
3) the right to opt out from companies selling their data to third parties.
Consumer Reports recently conducted a study on the last right, the right to opt out.
Consumer Reports Study on the Right to Opt Out of Sale
Consumer Reports (CR) observed that: many companies attempted to weaken the CCPA during the 2019 legislative session, some dragged their feet, and some (such as Facebook and Google) claimed that the CCPA did not apply to their data sharing practices.
Interested in how the CCPA was working out, CR conducted a study focusing on consumer exercise of the opt-out right. In May and June 2020, CR asked 543 California residents to make “Do Not Sell” requests to 214 data brokers listed on California’s data broker registry. Each data broker received three requests, totaling 642 requests. Below is a list of the obstacles the testers faced when exercising their opt-out rights.
“Do Not Sell” (DNS) Link Difficult to Find or Non-Existent
The CCPA requires companies to provide consumers with at least two ways for requesting their right to opt out, including a “clear and conspicuous link” to opt out on their homepage.
Another data broker, Freckle I.O.T. Ltd./PlaceIQ, placed a banner on the bottom of their screen with the option to “allow cookies” and if the tester did not agree to allow cookies, then the DNS link remained out of sight.
Complicated Steps to Opt Out, Including Downloading Software and Setting Up an Account
Most of the data brokers required testers to fill out a form with contact information, but some of the companies asked consumers to provide an advertising ID which they could get only if they downloaded a third party app. Not only would that requirement deter a lot of people, but people without smartphones cannot opt out because this process cannot be completed on a computer.
In addition, at least one data broker required the tester to set up an account in order to opt out, in violation of the CCPA.
Required to Provide Personal Information Like a Selfie
Some companies such as Megaphone LLC require consumers to give an IP address (which many people don’t know how to access). Others asked for a government identification card, a selfie, or answers to security questions such as past addresses.
The CR study observed that while this verification information might be appropriate for requests to access or delete, it’s not necessary for an opt-out request. Instead, such requirements become an obstacle to consumers who wish to opt out. In fact, seven percent of the testers gave up on their opt-out request because they did not feel comfortable providing additional information.
Forced Consumers to Accept Cookies
The study also found that many times the data broker made the consumer accept cookies as part of the opt-out process. In fact, 66 of the 214 data brokers tested had such a requirement. The consumer was often confused because the data broker did not clearly convey that the cookie was to be used for the sole purpose of enabling the opt-out.
Potential Abuse of the Process
At least one data broker, X-Mode, used the information the consumer provided for the opt-out process to send them a marketing email. Another tester said that they received more robocalls after they submitted their opt-out request.
Unclear if the Opt-Out Request Was Successful
Almost half of the time (46 percent), consumers were uncertain of the status of their request. A mere 18% received affirmative responses that their data would not be sold. Other responses ranged from nothing at all, to a statement that the request would be implemented within a certain time frame such as two weeks or 90 days (which violates the CCPA’s 15 business day window), or even, a statement that the company is not subject to the CCPA even though they are registered as a data broker in California.
Time Consuming Process\Long, Confusing Disclosures
Testers reported that some of the data brokers required them to read through long, unnecessarily wordy, technical, legalistic explanations and instructions as part of the opt-out process. While the majority of testers spent less than 15 minutes on each opt-out request or more commonly, less than 5 minutes, some reported that it took them an hour or more to complete the request.
But even if the process was direct and quick, imagine having to go through that with the hundreds or thousands of companies that have your data. No matter how you look at it, the exercise of the consumer’s right to opt out is currently onerous and burdensome.
How Can DDP Make This Process Easier for You?
The CR study highlights the difficulties of enforcing consumer rights under the CCPA. Ultimately, more than half of the time, the testers who responded were dissatisfied with the opt-out process. While the CCPA is good in theory, the reality is that individual consumers are completely outgunned against tech companies and data brokers.
There are currently more than 400 registered data brokers in California who are collecting and selling your data. If you have the time and energy to opt out from each and every one of them, you can go to DoNotSell.org and try submitting opt out requests. Hopefully, you will fare better than the CR testers now that the CCPA has become enforceable.
Another option is joining DDP and allowing our team to fight on your behalf. Your data is your property and should not be sold without your consent. We will help you opt out en masse and if you choose to share your data, we will help you fight to receive a proper data dividend. Rather than filling out 400+ forms, join DDP and spread the word!