We Filed Our CCPA Requests — It Was A Nightmare
California signed the California Consumer Privacy Act into effect on January 1, 2020 and began enforcing it July 1, 2020. The CCPA further expands upon Californians’ right to privacy giving Californians the right to know what information companies have about them, the right to delete this information, the right to opt-out from this information being sold, and the right to non-discrimination for exercising these privacy rights. Unfortunately, the process of exercising those rights as a consumer is rife with obstacles and incredibly time consuming and challenging for businesses who are trying to comply with the law. Part of the difficulty with maintaining privacy in our digital age is that privacy doesn’t work for everyone. Vael wants to change that. Vael is making privacy work for everyone.
The way the CCPA legislature is currently written, Californians have the right to elect an authorized agent to help them facilitate their CCPA data requests (to know, delete, and opt-out). As an early test we decided to file our personal data subject requests, as Michael and Garrett, electing Vael as our authorized agent. In practice, after filing 398 CCPA data subject requests to the data brokers registered on the California Attorney General’s website, we learned that the authorized agent model simply does not work in its current capacity. Not only does the authorized agent model not work, but some of the data brokers were confused as to how we had even found the information that they had registered in a public database (still funny to us by the way).
Companies have put up so many roadblocks that it is nearly impossible for an authorized agent to work at scale, but technically they are still in compliance with CCPA. Upon filing our requests, our personal email inboxes ballooned with identity verification requests — despite having verified our identities through Vael’s verification process. We started receiving 30+ page packets in the mail requesting additional info, we received phone calls to verify our identity because some of these company’s internal structures don’t allow for email, some companies registered as data brokers claimed to be “service providers” that were unable to complete requests, and most shocking of all some companies requested that we email scanned copies of our California driver’s license or passport via unencrypted email (mind you, these companies make money by selling people’s information). And it is not as if Vael sent over a sketchy email request attempting to file subject requests. Vael worked with Santa Clara University’s Entrepreneur Law Clinic to create a Letter of Authorization giving full authorized agent authority.
The most concerning realization from this process was how truly disorganized some organizations are. Luckily, myself and my co-founder, Garrett Gillett, are obviously close friends, but companies were sending our individual Letters of Authorization to the other person’s private email addresses — simply put, my personal email address was on the receiving end of Garrett’s filled out Letter of Authorization with his home address, phone number, and email. Had we not been friends a company would have just sent all of his personal information to a complete stranger — the company could incur a fine up to $7500 for this CCPA violation.
The issue isn’t only with data brokers though. CCPA requires that a company’s homepage have a link saying “Do Not Sell My Information” or “Do Not Sell My Info,” to facilitate a CCPA request to opt-out. Although, often times that link just takes you to their incomprehensible privacy policy. Additionally, there’s no standardization to the forms that need to be filled out or the process you go through to file requests. For instance, some companies only require your email address, but other companies require you to manage your privacy preferences via their Privacy Center that you may or may not need to have an account to access — again who will spend the time to do all of this? All of this to say, there are so many hidden trackers across the internet that sometimes webmasters don’t even know they’re there. Taking control of your data shouldn’t make you feel like you’re Harry Potter navigating a labyrinthine hedge maze to find the TriWizard Cup.
You are the one creating the data that is being captured. You are the one creating value for some of the largest corporations to ever exist. You are the one that should control your data, but some companies don’t seem to want it that way.
