Example CCPA workflow

Here is an example of the steps I have been going through to do a CCPA Right to Know.

These are all diferent from company to company. The company, not the user, gets to set up what the process is, and they can get pretty creative. I have found that it's usually fastest to start with an email to the company privacy address, and wait for them to either start the process or write back with instructions. From that point on, they're all a little different.

Saturday, 19 February 2022: initial contact

I sent the following email to privacy@wiland.com.

To whom it may concern:

Any information I provide to you may be used solely for the limited purpose of complying with the request stated in this letter.

This letter is in regard to your obligations under the California Consumer Privacy Act.

My address is

PII REDACTED

and my phone number is PII REDACTED.

According to the California Consumer Privacy Act Regulations, "If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall either: (1) Treat the request as if it had been submitted in accordance with the business’s designated manner, or (2) Provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable." If you choose the second option, please provide the required directions.

I request that you disclose to me the categories and specific pieces of personal information that your company has collected about me, as required under the CCPA.

I await your prompt response.

Sincerely,

That's my normal CCPA letter.

Tuesday, 22 February 2022: reply from company

I received a reply.

Dear Don Marti,

We received your privacy request and can help. Due to changes in legal requirements and consumer privacy processes at our company we now require consumer privacy choices to be submitted as shown on our privacy choices web portal. Please visit http://www.wiland.com/Privacy-Choices for more information.

Very truly,

NAME

[Wiland, Inc.]

NAME

Corporate Paralegal

That page includes a link with the text "I want to access my own personal information" which goes to a form hosted at onetrust.com.

Screenshot from privacy portal form

Tuesday, 22 February 2022: my question about notary fees

I know that there are hundreds of registered data brokers, and paying $15 to get a form notarized for each one would be a lot of money, so I had to ask.

Hi NAME,

I checked the form in your link. According to the CCPA regulations,

"A business shall not require the consumer or the consumer’s authorized agent to pay a fee for the verification of their request to know or request to delete. For example, a business may not require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization."

https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf?

How should we handle the notary payment? Do you want me to get a price from the notary and you can send me a check?

Thank you for your help,

Don Marti

Tuesday, 22 February 2022: answer to my question about notary fees

And the answer is yes, they will pay me back.

Don,

Thank you for asking about notary fees. We do require a notarized data access request form when a consumer requests that we disclose the data we have on file for them, in order to protect against unauthorized access requests to your data.

Your bank or other financial institution may provide notary services for free. If you do need to pay for notary service, you will need to upload your receipt for notarization and a Federal W-9 form along with your access request form. These documents can be uploaded when you submit your data access request at https://privacyportal-cdn.onetrust.com/dsarwebform/7567ece3-2d27-4ee0-a506-1153cb7a62b7/a1e6c0c7-b7ff-45f9-9c62-7f1eb47a6e77.html (bottom of the page, “Select a Documentation File”). By law, notary fees in California are capped at $15 per signature.

The data access request form is available as a hyperlink at the URL listed above. The Federal W-9 form is available here: https://www.irs.gov/pub/irs-pdf/fw9.pdf

Please let me know if you have any questions.

Thank you, NAME

Thursday, 17 March 2022: printed, notarized, scanned

There is a gap in the dates here. I had some other stuff going on and I did not have time to do the forms for getting paid back my $15 for the notary. That would have meant submitting a receipt, data broker's expense report form, and a Federal W-9 form. Eventually I decided not to do the side quest of getting reimbursed for the notary fee.

I printed out the one document that they want notarized:

printed copy of CCPA form

and took it to the local notary for signature and notarization. Then I scanned it and uploaded it at the privacy portal site.

Got an acknowledgement that they have it.

Friday, 13 May 2022:

Received an email telling me that I can visit the privacy portal site for an update. Once there, I can download a PDF. It's called WILAND DISCLOSURE: CATEGORICAL INFORMATION.

This document starts with a page of my PII that I sent them, then a big table. The table is a bunch of categories of personal information they collect about me, and all the categories of third parties to which they sold or disclosed my personal information. Example:

First PDF result from CCPA RtK

But the only actual personal information on this PDF is what I submitted on 17 March. And here is the end of the document:

End of First PDF result from CCPA RtK

If you wish to access copies of the specific pieces of personal information held about the data subject, if permitted by law, you must take additional steps. Go to https://Wiland.com/PAR/ on or before the indicated 'Follow-Up Date' listed at the top of this document and enter the Request ID listed at the top of this document. If you submitted your original request by telephone, call the Wiland privacy contact line again to submit the Request ID by telephone.

So I went ahead and did that, and here's the result.

Privacy Team status

Update, 17 May 2022

Email subject line: "Your Privacy Request has been completed." After the usual privacy portal dance (you know the drill, cut and paste the code to prove that you have access to the email address we just wrote to you at, much security) it's another PDF. Seven pages this time.

Block of contact info at the top, with fields for both "Requester" and "Data Subject"

Request ID: B4L2X4PCDW Request Date: 2022-03-17 Follow-Up Date: 2022-06-10 Requester Type: Data Subject Requester First Name: Donald Requester Last Name: Marti Requester Email: dmarti@zgp.org Requester Phone Number: [REDACTED] Requester Address: [REDACTED] Requester City: [REDACTED] Requester State: CA Requester Zip: [REDACTED]

Then a block of ADDITIONAL DATA SUBJECT CONTACT INFORMATION (These values are masked to protect consumer privacy):

Some are X-ed out versions of my old postal addresses, some are X-ed out postal addresses for relatives.

Now here's the fun part. A big block of OTHER ATTRIBUTES. Ready?

All mashed together like this...

First PDF result from CCPA RtK

But I'm going to split it out into lines, just to make it a little easier to read.

There are a lot of entries here, so I'll just include some of them. If you want to compare yours, let me know.

address deliverability:1;
address delivery type:E;
address deliverability:1;
address delivery type:E;
address deliverability:1;
address delivery type:A;
address deliverability:3;
address delivery type:X;
address deliverability:1;
address delivery type:E;
address deliverability:1;
address delivery type:C;
address deliverability:NONE;
address delivery type:NONE;
API ID:0623652348;
API ID:2708692489;
Email_SourceURL:buyautoinsurance.com;
Email_SourceURL:collegedegreesforme.com;

I have signed up for emails from neither one of those sites.

Conservative Causes: Traditional Values Propensity Score:Low Propensity;
Wealth Magazines Propensity Score:Low Propensity;
Computer Manufacturers Interest Propensity Score:Low Propensity;
The Clearance Section Propensity Score:High Propensity;
Trasnportation Aircraft Services Propensity Score:High Propensity;
Beauty and Cosmetics: Dermatology Propensity Score:Low Propensity;
Investing Services Propensity Score:Low Propensity;
Upscale Home Contemporary/Artsy Propensity Score:Low Propensity;
Online Purchasing: Big Box Electronics Propensity Score:Low Propensity;
Drycleaning Propensity Score:Low Propensity;
Pets: Grooming, Dogs Propensity Score:Low Propensity;
Land and River Conservation Group Propensity Score:Neutral Propensity;
Duty Free Shops Propensity Score:Low Propensity;
Shopping: Metal Stock Supplier Propensity Score:Low Propensity;
Bill Payments Propensity Score:Low Propensity;
Shoes: Online Retailers Propensity Score:Low Propensity;
Repair Shops and Related Services Propensity Score:Low Propensity;
Pet Adoption: Breeders, Dogs Propensity Score:High Propensity;
Pet Training: Dogs and Cats Propensity Score:High Propensity;
Apparel: Men's and Boys Propensity Score:Low Propensity;
Car Rental Propensity Score:Low Propensity;
Apparel: Men's and Boys Accessories Propensity Score:Low Propensity;
Entertainment: Talent and Booking Propensity Score:Low Propensity;
Recorded Music, Active Rock Propensity Score:High Propensity;
Apparel: Men's and Women's Activewear Propensity Score:Low Propensity;
Pets: At-Home Assistance, Dogs Propensity Score:Low Propensity;
Event Equipment Rentals Propensity Score:Low Propensity;
Apparel: Fur Propensity Score:Low Propensity;
Women's Apparel: Refined Propensity Score:Low Propensity;
Golf Magazine Interest Propensity Score:Low Propensity;
Apparel: Upscale Ready-To-Wear Propensity Score:Low Propensity;
Dating Services Propensity Score:High Propensity;
Shoes: Repair Services Propensity Score:Low Propensity;
Apparel: Lifestyle Footwear Propensity Score:Low Propensity;
Pet Adoption: Breeders, Dogs Propensity Segment:High Propensity;
Dating Services Propensity Segment:High Propensity;
Conservative Causes: Traditional Values Propensity Segment:Low Propensity;
Bill Payments Propensity Segment:Low Propensity;
Computer Manufacturers Interest Propensity Segment:Low Propensity;
Apparel: Men's and Boys Accessories Propensity Segment:Low Propensity;
Repair Shops and Related Services Propensity Segment:Low Propensity;
Entertainment: Talent and Booking Propensity Segment:Low Propensity;
Recorded Music, Active Rock Propensity Segment:High Propensity;
Investing Services Propensity Segment:Low Propensity;
Car Rental Propensity Segment:Low Propensity;
Duty Free Shops Propensity Segment:Low Propensity;
Shoes: Online Retailers Propensity Segment:Low Propensity;
Apparel: Upscale Ready-To-Wear Propensity Segment:Low Propensity;
Wealth Magazines Propensity Segment:Low Propensity;
The Clearance Section Propensity Segment:High Propensity;
Apparel: Fur Propensity Segment:Low Propensity;
Upscale Home Contemporary/Artsy Propensity Segment:Low Propensity;
Apparel: Lifestyle Footwear Propensity Segment:Low Propensity;
Pets: Grooming, Dogs Propensity Segment:Low Propensity;
Shoes: Repair Services Propensity Segment:Low Propensity;
Golf Magazine Interest Propensity Segment:Low Propensity;
Trasnportation Aircraft Services Propensity Segment:High Propensity;
Event Equipment Rentals Propensity Segment:Low Propensity;
Pet Training: Dogs and Cats Propensity Segment:High Propensity;
Land and River Conservation Group Propensity Segment:Neutral Propensity;
Shopping: Metal Stock Supplier Propensity Segment:Low Propensity;
Apparel: Men's and Women's Activewear Propensity Segment:Low Propensity;
Apparel: Men's and Boys Propensity Segment:Low Propensity;
Women's Apparel: Refined Propensity Segment:Low Propensity;
Pets: At-Home Assistance, Dogs Propensity Segment:Low Propensity;
Online Purchasing: Big Box Electronics Propensity Segment:Low Propensity;
Drycleaning Propensity Segment:Low Propensity;
Beauty and Cosmetics: Dermatology Propensity Segment:Low Propensity;

I'm going to snip out a bunch of postal-looking entries like LOT_CARRIER_LINE_OF_TRAVEL and CARRIER_ROUTE_CODE just in case I have any direct mail nerds stalking me.

Inferred Household Rank:1;
Vacation Property Ownership Propensity:83;
Religious / Inspirational:1;
Home Owner Type Detail (RP):O;

Here are some more with interesting codes, not sure what those mean.

Country of Origin (High Detail):9;
Country of Origin (High Detail):3;
Hispanic Language Preference:E;

Maybe "E" is for Español? Anyway, I don't know how they're numbering the countries. Now for some fun ones. The values for the following three are long alphanumeric strings.

AbiliTec - Consumer Link
AbiliTec - Consumer Address Link
AbiliTec - Consumer Household Link

AbiliTec Identifiers are a LiveRamp thing and they do refer to invididuals. And here are some more:

Personicx Lifestage Cluster Code Cluster
Personicx Lifestage Cluster Code Cluster
Personicx LifeStage Groups Code Cluster
Personicx LifeStage Groups Code Cluster
Personicx LifeStage Groups Code Cluster
Personicx LifeStage Groups Code Cluster
PersonicxPopulationDensity_2
PersonicxPopulationDensity_2
Personicx Lifestage Ins Grp Code Cluster
Personicx Lifestage Ins Grp Code Cluster
Personicx Lifestage Ins Grp Code Cluster
Personicx Lifestage Ins Grp Code Cluster

Looks like Personix Lifestage is an Acxiom classification system. I don't know what the values for these mean. Somebody put up a document about it, but I don't know if the values in this RtK disclosure match up with the groups in that PDF.

Some house ones:

Home Room Count (RP)
Home Heating / Cooling (RP)
Home Exterior (RP)
Home Roof Type (RP)
Home Heat Source (RP)
Home Purchase Year (RP)
Home Lot Square Footage - Actual (RP):69565;
Home Assessor Parcel Number (RP)
Home Bedroom Count (RP):2;
Home Purchase Amount - Actual (RP):265000;
Home Assessed Value - Actual (RP):206375;

And more small integer codes:

Attitude and Behavior Prop: Tech Adopt:13;
TeleTrends - Internet User:8;
Teletrends - Cellular User:10;
TT - International Long Distance User:3;
TT - Top 20 Percent Long Distance User:4;

Some more where it's hard to tell what they mean. Looks like I have a lot of Q&A email ahead of me. (13 what?)

Home Owner Type (RP):P;
Move Date Year:2017;
Economic Stability Indicator:4;

Is a 4 for economic stability good or bad?

Net Worth Ultra Affluent Flag:0;
Home Market Value - Est - Actual (RP):270000;
FIPS Minor Civil Division (MCD) Code:43000;
Age of Head of Household:80;
Age of Head of Household in ranges:7;
Age of Individual:88;
Ethnicity: Country of Origin:30;
Ethnicity: Ethnicity of Head of Household:H;

Don't know what country is "30". And here are some more that just have a letter or integer code:

Heavy Transacting Indicator
Household Donor: Charitable Cause
Household Income
Home Market Value Decile
Home Owner or Renter
Home Property Type (detailed)
Home Purchase Amount

All right, that's some more to ask about.

Wait, this is interesting...the CCPA Regulations say, A business shall identify the categories of personal information, categories of sources of personal information, and categories of third parties to whom a business sold or disclosed personal information, in a manner that provides consumers a meaningful understanding of the categories listed. but I don't see where it says the business has to disclose the actual specific pieces of personal information in a way that provides consumers with meaningful understanding. Well played, Palo Alto lawyers, well played. Perhaps we'll fix that loophole next time.

Interest Category: Collectibles:1;
Interest Category: Travel:1;
Interest: Collectibles, Antiques:1;
Interest: Crafts:1;
Interest: DIY Home Improvement:1;
Interest: Fashion :1;
Interest: Fine Arts:1;
Interest: Gardening:1;
Interest: Home Furnishing / Decorating:1;
Interest: Movie Collecting:1;
Interest: Reading, Financial Publications:1;
Interest: Reading, General:1;
Interest: Reading, Magazines:1;
Interest: Sewing / Knitting / Needlework:1;
Interest: Travel, Domestic:1;
Length of Residence:2;
Marital Status:M;

And (checks notes) I'm also Dating Services Propensity Score:High Propensity; which sounds like trouble.

Purchase Propensity: Compact CUV:2;
Purchase Propensity: Compact Pickup:20;
Purchase Propensity: Compact SUV:18;
Purchase Propensity: Coupe:20;
Purchase Propensity: Entry Compact Car:3;
Purchase Propensity: European Vehicle:2;
Purchase Propensity: Full-Size SUV:20;
Purchase Propensity: HD Full-Size Pickup:20;
Purchase Propensity: Japanese Luxury Vehicle:10;
Purchase Propensity: Japanese Reg Vehicle:4;
Purchase Propensity: Korean Vehicle:10;
Purchase Propensity: LD Full-Size Pickup:20;
Purchase Propensity: Luxury Coupe:3;
Purchase Propensity: Luxury CUV:6;
Purchase Propensity: Luxury Sedan:7;
Purchase Propensity: Luxury Sports Car:10;
Purchase Propensity: Luxury SUV:7;
Purchase Propensity: Mid-size CUV:12;
Purchase Propensity: Mid-size Luxury Car:14;
Purchase Propensity: Mid-size SUV:20;
Purchase Propensity: Premium Compact Car:1;
Purchase Propensity: Premium Sports Car:5;
Purchase Propensity: Sedan:8;
In Market: Japanese Luxury Vehicle:8;
In Market: New Domestic Luxury Vehicle:12;
Media Poster: Photo:15;
Media Poster: Post Responder:14;
Media Poster: Text:18;
Media Poster: Video:16;
Social: Facebook Use:19;
Social: Influenced Propensity:16;
Social: Influencer Propensity:14;
Social: LinkedIn Use:16;
Social: Networker Propensity:20;
Social: Twitter Use:12;
Social: YouTube Use:20;

They have me as 19 for Facebook use, but only 2 for Twitter use? I only use Facebook to get names of companies to send CCPA RtKs to, and I'm on Twitter [terrible fact about Twitter over-use redacted] every day.

Likely Investor:1;
Avg Dollars per Offline Order, last 24-mo:E;
Total Dollars Spent per Offline Order, last 24-mo:G;
Avg Dollars per Online Order, last 24-mo:D;
Total Dollars Spent per Online Order, last 24-mo:H;
Last Offline Purchase Date:2018-04-03;
Last Online Purchase Date:2018-11-28;
Weeks Since Last Offline Order:89;
Weeks Since Last Online Order:55;
Weeks Since Last Order:55;

(Some purchase categories, like "Women's Apparel: Total Dollars" here. Look like they could be dollar amounts but not really what I spend.)

UnderBanked Indicator:20;

What's that?

24-mo Byr: Health/Beauty
Community Involvement - Causes Supported
Inferred Household Rank
Discretionary Income Score (SC)
Income Range Premium (SC)
Vacation Property Ownership Propensity
Religious / Inspirational
Exercise / Health Grouping

The above 8 lines are all small integers or letter codes.

Year of Birth:1930;
Month of Birth:6;
Gender:M;
Vehicle - Year - 1st Vehicle:2001;
Vehicle - Year - 2nd Vehicle:2007;
Upscale Men's Dress Apparel, Propensity to Buy:High Propensity;
Upscale Contemporary Home Décor, Propensity to Buy:High Propensity;
Recorded Msuic, Rock and Roll, Propensity to Buy:High Propensity;
Age of Home (in months):516.0;
Age of Individual (in months):1102;
Months since Home Purchase:56;
Concerned Environmentalists:2.9001;
Equestrians and Horse Fans:5.9001;
Idealistic Parents:31.0001;
Handmade Hobbyists:45.6001;
Outdoor Enthusiasts:7.8001;
Outdoor Sporting:11.5001;
Country Gentlefolk:4.1001;
Wealthy Seniors:11.8001;
Globe Trotters:4.0001;
Upscale Design and Luxury:16.0001;
Premium Classic Car Buffs:16.0001;
Young, Affluent, and Carefree:24.0001;
Sophisticated Ladies:9.5001;
Active Seniors:31.2001;
Great Adventurers:7.3001;
The Good Life :10.2001;
Modest Grandparents:15.0001;
Young, Comfortable, and Active:17.1001;
Budget-Conscious Women:25.9001;
Charitable Elderly:69.2001;
Affluent Empty Nesters:54.5001;
Young, Affluent, and Techy:21.2001;
Young and Active:5.5001;
Wiland Wealth Rating :45436.0001;
Crafting Ladies:44115.0001;
Perfect Baby, Perfect Nursery:7565.0001;
Doggie Matters:560.0001;
Dignified Women's Apparel:44179.0001;
Value-Conscious Seniors:15352.0001;
Home Owners in a Decorating Mode:42607.0001;
Techy Photographers:7636.0001;
Value-Conscious Living:21397.0001;
Striving and Reliable:8534.0001;
Horse Lovers:8422.0001;
Plants, Compost, & Gloves:81546.0001;
Horse and Land:7989.0001;
Wealthy Donor:57279.0001;
Home on the Range:19753.0001;
Pet Lovers:11398.0001;
Horse Tack, Grooming, and Supplies:30474.0001;
Professionals with Horses:79271.0001;
Free Enterprise Business Supporters:32767.0001;
Potential Animal Welfare Donors:42819.0001;
Patriotic Historians:60575.0001;
American History Enthusiasts:86698.0001;
Living History Advocates:62438.0001;
Military and Veteran Supporters:40492.0001;
Upscale Homeowners:262571.0001;
Bakers, Cakers, Yummy Stuff Makers:65283.0001;
Women Readers Who Do Most Everything:200541.0001;
Upscale Homeowners with Pools:78633.0001;

Privacy Nerds Who Have Two Thumbs And No Idea What Those Categories Mean:this guy

Social Conservatives Propensity:Neutral Propensity;
Economic Conservatives Propensity:Neutral Propensity;
Pro-Business Conservatives Propensity:Neutral Propensity;
2nd Amendment Supporters Propensity:Neutral Propensity;
Trump Loyalists Propensity:Neutral Propensity;
Border Security Supporters Propensity:Neutral Propensity;
Private Health Care Advocates Propensity:Neutral Propensity;
Founding Principles Enthusiasts Propensity:Neutral Propensity;
Strong National Defense Supporters Propensity:Neutral Propensity;
Republican Stalwarts Propensity:Neutral Propensity;
Law, Order, and Community Protection Propensity:Neutral Propensity;
America The Nation Propensity:Neutral Propensity;
Composite Conservative Rank:Neutral Propensity;
Consumer Optimism Propensity:Neutral Propensity;
Quality Traditional Education Advocates Propensity:Low Propensity;
Concerned about Terrorism Propensity:Neutral Propensity;
Hope for the Poor and Needy Propensity:Neutral Propensity;

These political ones creep me out although they don't seem to be populated for me—all neutral. Don't know what it takes to get flagged for one of these, or what happens to you.

Upwardly Mobile Propensity:Neutral Propensity;
American History Enthusiasts Propensity:Neutral Propensity;
Rural America Propensity:Neutral Propensity;
Outdoors & Workshops Hobbies Propensity:Neutral Propensity;
Crafts & Homemaking Hobbies Propensity:Neutral Propensity;
Business Fashion Propensity:Neutral Propensity;

RFM Index in the Theme: Mainstream Media: Business, Politics, & Culture:4788.738072;
Recency in the Theme: Mainstream Media: Business, Politics, & Culture:10;
Recency in the Theme: Toddler through Age 6 Educational Toys and Games:28;
RFM Index in the Theme: Toddler through Age 6 Educational Toys and Games:52.540393;
Recency in the Theme: Upscale Home & Garden Planning and Design:220;
RFM Index in the Theme: Gardening: Upscale Home & Garden Planning and Design:0.225047;
Recency in the Theme: Books, Videos, etc. with Religious Themes:78;
RFM Index in the Theme: Books, Videos, etc. with Religious Themes:0.655921;
Client Diversity Index in the Theme: Art Museums, Historic Places, and Literature Enthusiasts:1.0;
Client Diversity Index in the Theme: Upscale, Stylish and Fashionable Home & Gift:-1.0;
Client Diversity Index in the Theme: Mainstream Media: Business, Politics, & Culture:7.0;
Client Diversity Index in the Theme: Toddler through Age 6 Educational Toys and Games:2.0;
Client Diversity Index in the Theme: Books, Videos, etc. with Religious Themes:1.0;
Recency in the Theme: Help for the Terminally Ill, Disabled, & Economically Challenged:21;
Client Diversity Index in the Theme: Gardening: Upscale Home & Garden Planning and Design:1.0 

Anyway, I'm going to ask about some of these and see what they mean.

I realize that I might be disclosing something sensitive about myself by putting these scores up, but it's probably safer to share with my blog readers now (few people, who I mostly know) than with some companies I don't know.

More later.