blog: Don Marti


CCPA opt out, nerd edition

12 June 2020

Update 1 Jan 2020: link to current version of opt out letter

While we figure out how to make general-purpose CCPA opt-outs practical (feel free to set up a time on Calendly if you want to talk with me about Authorized Agent projects), here's a quick summary of my current CCPA opt-out tools. This is a prototype only, but does work.

  1. Mutt with GNU Privacy Guard (I put this first so people with a normal mail client setup can stop reading. You're welcome.)

  2. A Keybase account. Yes, we don't know what will happen to this service in the long run, but this is a prototype so whatevs.

  3. My ccpa shell script.

  4. An opt-out letter.

What the script does is generate a GPG-signed opt-out request that I can edit and send in Mutt, and the letter contains a link to the Keybase profile. Remember that the CCPA regulations (Section 999.315(h), if you're following along at home) say,

"A request to opt-out need not be a verifiable consumer request. If a business, however, has a good-faith, reasonable, and documented belief that a request to opt-out is fraudulent, the business may deny the request. The business shall inform the requestor that it will not comply with the request and shall provide an explanation why it believes the request is fraudulent."

They're not allowed to deny the first one, opt-out, unless they come up with a good reason. Their choice is to do the opt-out or to take on a writing assignment for me for no money. And if they really want to pick the latter, and write an explanation of their "good-faith, reasonable, and documented belief" that this opt-out is fraudulent, they have to learn GPG and Keybase, and no growth-hacking marketer is going to spend time doing that.

This script works so far. They just do the opt-out. Sometimes they'll even treat the opt-out alone as either a Request to Know and/or a Request to Delete, because seriously, time is limited and once you have decided to just give the privacy nerd what they want, you might as well get all that nerd stuff out of the way at once.

Next steps? Make it work for more people, opting out of more companies. Right now this is just a simple version of the items needed for a "real" opt-out.

  • credibly claim that I am the person identified by data points that can be found in a marketing database (email, phone, IDFA/AdID, postal address...)

  • credibly claim that I am in a jurisdiction where I have a privacy right

  • assert that the sender of this letter has the right to act on a privacy request for me (in this case because it's me)

To be practical at scale, all of these need good UX, working, scalable implementation, and an effective legal payload. Some opt-outs will be on-demand, one company at a time, and others will be larger, in cases where you want to opt out of every company engaging in a specific practice and have your authorized agent do it.
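A sketch of the signed-request flow described above, added here as an example; it is not the author's ccpa script or opt-out letter. The function names, the letter wording and the `OPTOUT_KEY` variable are assumptions, and it carries the three claims from the list (identifiers, jurisdiction, acting for oneself) plus the profile link.

```shell
#!/bin/sh
# Added example, not the author's ccpa script. Function names, letter wording
# and the OPTOUT_KEY variable are assumptions made for illustration.

# optout_body NAME EMAIL PROFILE_URL: print the letter text that gets signed.
optout_body() {
    cat <<EOF
I am a California resident making this request on my own behalf.
Under the CCPA, I direct you not to sell my personal information.

Identifiers that may appear in your records:
  Name:  $1
  Email: $2

This message is signed with my OpenPGP key, which is listed on my
public profile: $3
EOF
}

# no_newlines VALUE...: fail if any value contains CR or LF, so a field
# cannot smuggle extra mail headers or forged lines into the draft.
no_newlines() {
    cr=$(printf '\r')
    for v in "$@"; do
        case $v in
            *"$cr"*|*"
"*) return 1 ;;
        esac
    done
}

# optout_draft TO NAME EMAIL PROFILE_URL: print a draft (headers, blank line,
# clearsigned body) for "mutt -H FILE". Edit only the headers afterwards:
# any change to the signed body invalidates the signature.
optout_draft() {
    no_newlines "$@" || { echo "newline in field, refusing" >&2; return 1; }
    [ -n "${OPTOUT_KEY:-}" ] || { echo "set OPTOUT_KEY to a key ID" >&2; return 1; }
    to=$1; shift
    signed=$(optout_body "$@" | gpg --clearsign --local-user "$OPTOUT_KEY") || return 1
    printf 'To: %s\nSubject: CCPA request to opt out\n\n%s\n' "$to" "$signed"
}

# Recipient side: check the signature on a saved copy of the signed body,
# after importing the sender's public key from the linked profile.
verify_optout() {
    gpg --verify "$1"
}
```

The signature shows that the holder of the key wrote the letter; tying that key to a person still rests on the proofs published on the linked profile.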

But for now, for someone with my mail setup, doing CCPA is pretty convenient.

More, including template support: CCPA for nerds, part 2

Preliminary results are in! CCPA testers provide important insights into the landmark privacy law

Bombora Sues ZoomInfo For Allegedly Gaining An Unfair Advantage By Breaching CCPA

Maine Was Sued for Trying to Modernize Privacy Laws

Ad Buyers Should Rethink Facebook Spending, Says Media Watchdog