In one of the first analysis to date regarding adoption of the California Consumer Privacy Act (“CCPA”), Consumer Reports has exposed what many in the industry already knew: many companies are not complying with one of the central tenets of CCPA’s requirements. These noncompliant practices can cause consumer frustration as well as exposure to significant financial penalties for companies both within and outside of California.
What Was This Study About?
In May and June 2020, Consumer Reports conducted a study to examine whether CCPA is working as intended for consumers. The study focused on the Do Not Sell My Personal Information (“DNS”) provision in the CCPA, which gives consumers the right to opt out of the sale of their personal information to third parties through a “clear and conspicuous link” on the company’s homepage. As part of the study, 543 California residents made DNS requests to 214 data broker companies, and study participants reported their experiences through a survey.
What Did The Study Find?
Even given the somewhat limited scope of the study (and its focus specifically on data broker companies, who should be out in front of any data privacy regulation), Consumer Reports showed that companies are struggling to comply with DNS, which is a primary component of CCPA, and novel in its implementation (Europe’s GDPR does not have a similar DNS requirement). Primary takeaways for the study included:
1) Consumers struggled to locate the required DNS links to opt out of the sale of their information
a. For 42.5% of sites tested testers were unable to find a DNS link
2) Many data brokers’ opt-out processes are so challenging that they substantially impaired consumers’ ability to opt out
a. Some DNS processes involved multiple, complicated steps to opt out, including downloading third-party software
b. Some data brokers asked consumers to submit documentation such as a government ID number, a photo of their government ID, or a selfie
c. Some data brokers confused consumers by requiring them to accept cookies just to access the site
3) Consumers were often forced to wade through confusing and intimidating disclosures to opt out
a. Some consumers spent an hour or more on a request
b. At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA
c. At least one data broker used information provided for a DNS request to add the user to a marketing list, in violation of the CCPA
d. At least one data broker required the user to set up an account to opt out, in violation of the CCPA
e. Consumers often didn’t know if their opt-out request was successful. About 46% of the time, consumers were left waiting or unsure about the status of their DNS request
f. About 52% of the time, the tester was “somewhat dissatisfied” or “very dissatisfied” with the opt-out processes, which correlated with how difficult the processes was made by that company
The study did find that some companies made the opt-out process easier when they allowed participants to click on prominent links on company home pages that read “Do not sell my data,” filled out a short form, and were quickly emailed a confirmation that the company would make good on the request. In these cases, participants expressed a positive view of the company.
Data broker companies, like the ones subject to this survey, should have a heightened sensitivity to data privacy laws. The fact that a large number aren’t properly complying with CCPA is troubling, and it may mean that companies in other industries have a lower compliance adoption rate. CCPA is industry agnostic, and if your company is subject to CCPA, you need to ensure you’re in compliance so that you avoid significant noncompliance penalties.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to help comply with CCPA, GDPR, and other laws as they continue to change. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.