The problem with CCPA RtK workflows
14 May 2022
Here is a follow-up to my comments at the pre-rulemaking stakeholder sessions for CPRA last week: Example CCPA workflow.
This is one where I had to print out and sign a form, and have it notarized.
As I pointed out before, making Right to Know work is really a critical first step for all the other CCPA tasks. If you don't know which companies have which info, it's almost impossible to prioritize who gets a CCPA delete, which requires more effort, and who gets a Do Not Sell.
If every data broker and surveillance marketing firm could make the Right to Know process a little different, then it would be nearly impossible for anybody to get anywhere with CCPA, and we might as well not have it.
What would be good to see in the CPRA rulemaking is one standard baseline process for Right to Know, that any company would have to do. They could, of course, add additional, more convenient processes, but there should at least be one that is of known difficulty.
Here is my suggestion.
1. As a California resident, I go to the California DMV, show my California ID, and get a stack of printed Right to Know slips. These are pieces of paper and have my identifying information on them. The DMV is allowed to charge me for the printing costs.
2. When I want to exercise my Right to Know, I fill out a company's Right to Know form on their web site, and provide my contact info and postal address.
3. If the company doesn't have any info on me, they can email me to say so.
4. If the company does have info on me, they send me a Business Reply Mail envelope.
5. I put one of my Right to Know slips from step 1 in the Business Reply Mail envelope and send it back.
6. The company checks my Right to Know slip and sends me a copy of my info.
This puts all the sensitive data handling either under the DMV's roof, or in postal mail space where mail fraud is a Federal crime.
Naturally, a lot of people will come up with ways to do this more cheaply and conveniently on the Internet. That would be great. Putting a simple, standard, postal process in the regulations will set the baseline: you can't make it too much harder than DMV+postal, or people will do DMV+postal.