The California Privacy Protection Agency (PPA) hosted a “Pre-Rulemaking Stakeholder Session” from May 4-6th. The stakeholder session provided an opportunity for stakeholders to speak on topics relevant to the upcoming rulemaking. Topics ranged from Automated Decision Making, Data Minimization and Purpose Limitations, Dark Patterns, Consumers’ Rights to Opt-out, Cybersecurity Audits and Risk Assessments and Audits Performed by the Agency.
I spoke on my suggestions regarding a Consumers’ Rights to Opt-Out. Below is my testimony and some screenshots of the slides I used during my talk:
I am a Silicon Valley-based entrepreneur who has co-founded multiple tech companies. I am also heavily involved in privacy advocacy, including being a volunteer Policy Advisor for Californians for Consumer Privacy and leading the campaign marketing efforts in 2020 to pass California Proposition 24 — the California Privacy Rights Act (CPRA). I have also proposed SB 1059, a bill to enhance the California Data Broker registry law.
So, let’s talk about a Consumers’ Rights to Opt-Out.
A recent survey by Consumer Action and Consumer Federation of America found that many consumers have not exercised their rights under the CCPA to see and delete the personal information collected about them and to request that their information not be sold. The top reason given for not exercising these rights was not knowing about them.
But what happens if you do exercise your rights and try to opt-out? Consumer Reports did a comprehensive study in which 543 California residents made opt-out and delete requests to 234 data brokers listed in the California Attorney General’s data broker registry. The survey found the following:
- “Consumers struggled to locate the required links to opt out of the sale of their information.”
- “Many data brokers’ opt-out processes are so onerous that they have substantially impaired consumers’ ability to opt out.”
- “Some Do Not Sell processes involved multiple, complicated steps to opt out, including downloading third-party software.”
- “Consumers were often forced to wade through confusing and intimidating disclosures to opt out.”
- “About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes.”
Speaking of data brokers, they are companies that we don’t have a direct relationship with. In effect they operate in the shadows, so even if consumers wanted to exercise their privacy rights to opt-out, they don’t know who to contact. California has a data broker registry, but only 10% of the 4000 data brokers have registered.
So, we have three problems as it relates to consumers’ rights to opt out:
#1 consumers don’t know they have the right to opt-out
#2 many businesses make it difficult for consumers to opt out
#3 data brokers are not registering with the state of California
Here are my suggestions to address each one:
First, I would urge the PPA to be aggressive in doing Public Service Announcements to educate Californians about their privacy rights. The reality is that the PPA has a $10 million per year budget. Because staffing is going slow and steady and enforcement does not begin until the middle of 2023, I would estimate that the PPA has unused budget of at least $7 million this Fiscal Year and will have unused budget of $5 million next fiscal year. The PPA has the money, and should spend it on public awareness, as Prop 24 says in Section 1798.99.40 (e) that the PPA quote shall “Provide guidance to consumers regarding their rights under this title.” unquote
Second, Californians should be encouraged via PSAs to report businesses that are making it difficult for them to opt-out. The Cal AG has in fact created a reporting tool called the Consumer Privacy Interactive Tool that provides the ability for Californians to report CCPA violations by businesses, but it is limited to drafting notices to businesses that do not post an easy-to-find “Do not Sell My Personal Information” link on their website.
This tool should be greatly enhanced to include reporting of businesses not respecting opt-outs. It should also act as the “call to action” in the PSAs to empower Californians to flag that their privacy rights are being violated.
Finally, Californians should have visibility into those businesses with whom they have no direct relationship that may be selling and/or sharing our personal data that includes our precise geolocation. After AB 1202 passed in 2020 to establish the California Data Broker Registry, the California DOJ estimated that over 4000 data brokers exist and at least 1000 would register, but two years later only approximately 400 have registered. We as Californians are thus deprived of the sunlight into these shadow companies that are selling and sharing our personal data.
That is why I support SB 1059, which would increase data broker registrations and require data brokers to provide clear instructions on opt-out, and also transfer the regulation and registration over data brokers to the PPA. I know the PPA can’t weigh in on proposed legislation, but I urge the PPA to look more closely at the practices of data brokers, especially considering recent headlines regarding the egregious use of our location data. Location is considered under the CPRA as sensitive personal information, so I urge you to look at what you can do from a regulatory perspective to limit the use of sensitive personal info including location.
In closing, I thank the PPA for your time and consideration. I also have a blog post on recommendations for the Privacy Protection Agency that goes into these suggestions in more detail.