Photo by Matthew Henry on Unsplash

Opportunities with California Privacy Access Requests

The Challenge

The fundamental problem is I have to give up more of my personal information in order to find out what information a company holds about me. When further asking what they do with the information used to verify I am the original requestor, they either have no policy or refer me to their original privacy policy. It quickly becomes a rabbit hole with no bottom. No one has time for this. I suspect this is a secondary beneficial effect of the CCPA for the companies. Yes, they have glowing language about how they care about the CCPA and your privacy. Let's call it "privacy signalling". However, they rarely have to do much beacuse the process is obtuse and they know few people will actually follow through to completion.

I understand the need to verify the identity of the requestor so that the company (aka record holder) doesn't accidentally give out personal information to the wrong person. There are at least five others with my name, that I know of. Which Andrew is requesting the records? And which records?

Out of curiosity, I found a site which claims I have a criminal background and arrest record based on actual court records (I don't have such a record). I fill out their CCPA compliance form. I receive the following a day later(details changed to protect the company involved):

Dear Andrew

ExampleCompany is in receipt of your request dated 04/14/20 regarding your personal information under the California Consumer Privacy Act of 2018 (“CCPA”), Cal. Civ. Code § 1798.100 et seq. 

The CCPA requires that any request related to a consumer’s personal information must be a verifiable consumer request. Cal. Civ. Code § 1798.130(a)(2). In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the person about whom we may have collected personal information or a person who has been duly authorized to make the request on behalf of the consumer. 

Based on the information you provided, we are unable to verify your identity and respond to your request. In order for ExampleCompany to verify your request, you must either:

  1. provide us with a personal email address; or 
  2. Provide us a copy of your driver license, with your full name , DOB, and address. 

Unless we receive such evidence from you, we will consider this matter closed.

Thank you,

Privacy Compliance Director

privacy@example.com

The first challenge is I have 1000s of email addresses, none of which should be in their database, but we'll find out if true.  The second challenge is they want a copy of my drivers license, but won't tell me what they do with the copy. Some companies say they keep the copy of the DL on file per their retention policy as clearly stated in their Terms of Service (typically 3 years). Others, don't understand the question. And then there are the companies which just close the CCPA records request when asked the question.

Automation and Services

Companies have automated the response process. It seems everything is designed to make you the consumer do the most work possible. This work is ripe for automation or some kind of service. The model of DoNotPay seems like a good start. However, what companies have your data? If you spend 5 minutes, you can probably think of the products you use every day. In another 5 minutes, you'll have a longer list. What 3rd party companies do these companies use to provide you services? With whom do they sell your data? You start to build a fairly big linked list of potential companies pretty quickly. There are sites with lists of ways to opt out yourself from many companies. However, you're still doing the work. 

Can I pay for an opt-out service?

Well, right now, no. DoNotPay is the closest I've found, but it still doesn't do much with regards to CCPA. I want a service which provides transparency of what they store and what they're doing with my data, while they basically take my first-order list of services/companies and file CCPA-related requests for me. From that first order list, they then peruse the terms of service and contracts, and quickly identify all 3rd party companies with which to file CCPA requests. Further, from the results of the first-order companies, they can then chase down all of the mentioned companies. Project VRM has some of these ideas.

In my mind, I'm thinking of something like MuckRock, but for CCPA instead of FOIA. The big four credit agencies could easily do this as a service, since they already have your information. You pay for the convenience and time saved in the whole process.

Rabbit Holes

Say such a service existed. There's the obvious data they collect about you and then the metadata they have about what you have and have not tried to receive and opt-out. And the sheer volume of data collected by each of the companies. And of course, the OptOut Service Provider would see which 3rd parties are used and eventually they could become the default clearinghouse for all of California residents and the rest of the world. This also expands to GDPR, just replace California with Europe.