In one of the first analysis to date regarding adoption of the California Consumer Privacy Act (“CCPA”), Consumer Reports has exposed what many in the industry already knew: many companies are not complying with one of the central tenets of CCPA’s requirements. These noncompliant practices can cause consumer frustration as well as exposure to significant financial penalties for companies both within and outside of California.

What Was This Study About?

In May and June 2020, Consumer Reports conducted a study to examine whether CCPA is working as intended for consumers. The study focused on the Do Not Sell My Personal Information (“DNS”) provision in the CCPA, which gives consumers the right to opt out of the sale of their personal information to third parties through a “clear and conspicuous link” on the company’s homepage. As part of the study, 543 California residents made DNS requests to 214 data broker companies, and study participants reported their experiences through a survey.

What Did The Study Find?

Even given the somewhat limited scope of the study (and its focus specifically on data broker companies, who should be out in front of any data privacy regulation), Consumer Reports showed that companies are struggling to comply with DNS, which is a primary component of CCPA, and novel in its implementation (Europe’s GDPR does not have a similar DNS requirement). Primary takeaways for the study included:

1) Consumers struggled to locate the required DNS links to opt out of the sale of their information

a. For 42.5% of sites tested testers were unable to find a DNS link

2) Many data brokers’ opt-out processes are so challenging that they substantially impaired consumers’ ability to opt out

a. Some DNS processes involved multiple, complicated steps to opt out, including downloading third-party software

b. Some data brokers asked consumers to submit documentation such as a government ID number, a photo of their government ID, or a selfie

c. Some data brokers confused consumers by requiring them to accept cookies just to access the site

3) Consumers were often forced to wade through confusing and intimidating disclosures to opt out

a. Some consumers spent an hour or more on a request

b. At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA

c. At least…

Read The Full Article

Check Also

Privacy Isn’t Dead. Far From It.

Welcome!  The fact that you’re reading this means that you probably care deeply about…