blog: Don Marti


The problem with CCPA RtK workflows

14 May 2022

Here is a follow-up to my comments at the pre-rulemaking stakeholder sessions for CPRA last week: Example CCPA workflow. printed copy of CCPA form

This is one where I had to print out and sign a form, and have it notarized.

As I pointed out before, making Right to Know work is really a critical first step for all the other CCPA tasks. If you don't know which companies have which info, it's almost impossible to prioritize who gets a CCPA delete, which requires more effort, and who gets a Do Not Sell.

If every data broker and surveillence marketing firm could make the Right to Know process a little different, then it would be nearly impossible for anybody to get anywhere with CCPA, and we might as well not have it.

What would be good to see in the CPRA rulemaking is one standard baseline process for Right to Know, that any company would have to do. They could, of course, add additional, more convenient processes, but there should at least be one that is of known difficulty.

Here is my suggestion.

  1. As a California resident, I go to the California DMV, show my California ID, and get a stack of printed Right to Know slips. These are pieces of paper and have my identifying information on them. The DMV is allowed to charge me for the printing costs.

  2. When I want to exercise my Right to Know, I fill out a company's Right to Know form on their web site, and provide my contact info and postal address.

  3. If the company doesn't have any info on me, they can email me to say so.

  4. If the company does have info on me, they send me a Business Reply Mail envelope.

  5. I put one of my Right to Know slips from step 1 in the Business Reply Mail envelope and send it back.

  6. The company checks my Right to Know slip and sends me a copy of my info.

This puts all the sensitive data handling either under the DMV's roof, or in postal mail space where mail fraud is a Federal crime.

Naturally, a lot of people will come up with ways to do this more cheaply and conveniently on the Internet. That would be great. Putting a simple, standard, postal process in the regulations will set the baseline: you can't make it too much harder than DMV+postal, or people will do DMV+postal.

FACEBOOK Doesn't Know What It Does With Your Data, Or Where It Goes?

Why target ads at pregnant women

Apple Mail Now Blocks Email Tracking. Here’s What It Means For You, by Justin Pot, Wired

Land value tax in online games and virtual worlds: A how-to guide

The Unreasonable Fight for Municipal Broadband

I Commanded U.S. Army Europe. Here’s What I Saw in the Russian and Ukrainian Armies.

The Unsung Women of the Betty Crocker Test Kitchens

Lawsuit Highlights How Little Control Brokers Have Over Location Data – The Markup

Problems Persist With Google’s Privacy Sandbox Proposals as Trials Open