blog: Don Marti


CPRA comments

04 May 2022

I got to comment at a pre-rulemaking stakeholder session for the California Privacy Rights Act (CPRA). Here is my prepared text (not exactly what I said, but close).

As a California resident, I have had a right to know how my personal information is used, since January 1, 2020. On paper, that is. In practice, it’s a little trickier. In order to exercise my California privacy rights, I have had to run a lot of mazes. I won’t mention any specific companies here, but

  • I have taken selfies.

  • I have taken a selfie holding my California driver’s license.

  • I have scanned my California driver’s license, front and back.

  • I have taken a photo of my California driver's license from an Android device, had it rejected, found an Apple device, taken a different photo of the same license, and had it accepted.

  • I have passed a quiz about my former addresses and bank accounts.

  • I have passed a quiz but only by getting some of the answers wrong because they would have been right if a family member of mine with a similar name was taking it.

  • I have printed and signed a document, and scanned it.

  • I have printed and signed a two-page document, gone to a notary, had it notarized, and scanned it.

Getting through the Right to Know process can be tricky. And I’m pretty good at paperwork, I have a variety of different devices to try, and I have a printer and scanner set up and working.

The reason I’m focusing on the Right to Know here is because it’s the CCPA right that helps me decide what to do with all the other rights. If I have a positive response to a Right to Know, then I don’t have to do a Right to Delete, and I can be more confident in sharing information with a company. There are tens of thousands of companies out there that might have some info on me, so I need to prioritize. But realistically, inconsistent and over-complicated handling of Right to Know by the companies I buy stuff from and by data brokers means that it’s a time-consuming effort for me to find out what’s going on with my personal information.

Under CCPA, I have the right to use an authorized agent. But authorized agent requests are even more complicated. Companies generally react to a fully documented authorized agent Right to Know by getting in touch with me directly and making me run the original maze anyway.

The worst part of all this maze running is sometimes there’s no cheese at the end of the maze. I have gone through all the work to do a Right to Know with one company, and ended up with, among other things, a list of the companies that sent my personal information to them. So, when I send a Right to Know to those companies, I should be able to get some information, right?

Not necessarily. Sometimes they claim not to have any information about me.

And in the case of one high-profile company, I can look up the public documents from an ongoing privacy lawsuit, and read employee depositions stating that they have certain kinds of information. But it's information that they don’t disclose to me. A company shouldn’t be able to testify to one thing in court and then tell California residents something else.

In the 2020 election, Proposition 24 was supported by an overwhelming majority of California voters. Today, the CPPA has an opportunity to implement the intent of California voters by adopting regulations that make it practical for everyone to exercise their basic privacy rights.

As a California resident, I should be able to use a simple, standardized Right to Know process, such as being able to request a standard paper form and a Business Reply Envelope. Naturally, businesses and their service providers should be able to compete to offer consumers a simpler, faster online process as an alternative to paper forms and trips to the mailbox. But without a guarantee of a common, baseline simple opt-out process to fall back on, we’re still going to be stuck in a maze next year.

Thank you.

More: The problem with CCPA RtK workflows

Tech companies face a legal nightmare if Roe v. Wade is overturned

How to Get an Abortion in the Age of Surveillance

Why I Don’t Use Ad Blockers

Backlash Against Consent Pop-ups Is a Misleading Argument

Researchers Find Shades of Opacity, Plenty of Tracking, After App Tracking Transparency

Read the Facebook Papers for Yourself