Consumer Reports Study Shows California's Privacy Law Is A Poorly-Enforced Mess
from the not-helping dept
Over the last few decades, the U.S. government (more accurately the industries that lobby it) have made it abundantly clear most aren’t keen on even the most basic of privacy law for the internet era. Sure, companies like Facebook and AT&T say they want a privacy law, but they don’t. Not really. Even the most basic privacy laws would educate consumers and empower them to more easily opt out of tracking and behavioral ads, costing countless sectors billions of dollars. What they want, if we have to have a law at all, is a law their lawyers write, so riddled with loopholes and caveats as to legalize dodgy behavior, not ban it.
Since these bogus solutions don’t sell well with consumer advocates and many privacy experts, we routinely hit gridlock. The result: the U.S. has no meaningful federal privacy law for the internet era decades after the fact. And, in the rare instances where U.S. leaders somehow manage to shake off lobbying influence and their own incompetence to pass even modest rules (like the FCC’s dead broadband privacy rules), they’re quickly dismantled by a Congress slathered in campaign contributions from multiple, coordinating industries.
This federal, lobbyist-induced apathy to passing any real federal privacy solutions has resulted in states rushing to fill the void. Often poorly. California, for example, has been lauded for passing one of the most comprehensive privacy solutions in the nation (which isn’t saying much) in the form of the California Consumer Privacy Act (CCPA). The problem, as we’ve noted previously, is that it was a rushed mess cobbled together in a mad dash. Sloppy wording means the bill had a huge share of problems, which Mike has outlined previously. For a subject this complicated, a “mad dash” approach was never likely to work out that well.
Fast forward to this week, when a new report by Consumer Reports found the bill (surprise!) isn’t really succeeding at its primary goal: clearly informing consumers what’s going on in terms of access to their data, and making it easier to opt out of data collection and sale. This most basic provision also isn’t being meaningfully enforced in any substantive way. The organization spent much of May testing numerous websites and found that actually trying to opt out of data collection and sales was either impossible, or very difficult to confirm with the companies in question:
Consumers struggled to locate the required links to opt out of the sale of their information. For 42.5% of sites tested, at least one of three testers was unable to find a DNS link. All three volunteers failed to find a ?Do Not Sell? link on 12.6% of sites, and in several other cases one or two of three testers were unable to locate a link. At least 14% of the time, burdensome or broken DNS processes prevented consumers from exercising their rights under the CCPA. Consumers often didn?t know if their opt-out request was successful. Neither the CCPA nor the CCPA rules require companies to notify consumers when their request has been honored. As a result, about 46% of the time, consumers were left waiting or unsure about the status of their request. About 52% of the time, the tester was ?somewhat dissatisfied? or ?very dissatisfied? with opt-out processes.
Cool. The full report (pdf) is worth a read, and also found that data brokers fairly consistently violated the law without any penalty. One used data gleaned from opting out to actually sign the consumer up for additional marketing. Some brokers demanded data that consumers eager to opt-out of data monetization and tracking wisely weren’t keen on providing to often-dodgy data brokers (like copies of government IDs). Again, none of these problems should be particularly surprising for a bill numerous experts say was rushed and undercooked, attempting to fix a problem that’s global and massive.
Consumer Reports was quick to note that some of these problems should be fixed by California Proposition 24, which will be voted on in November. Though still, questions remain as to whether California has the competency to pull this off given the scale of the problem we’re talking about. Ideally, it would be best to have this problem tackled by a cohesive, federal level law and actually staffed and funded privacy regulators at places like the FTC. But most efforts to accomplish that are routinely undermined by a coalition of industries (and the lawmakers paid to love them) which would prefer consumers remain opted in and befuddled by fine print.
But with major privacy scandals occurring weekly, doing nothing is starting to get harder to pull off. So instead, we’re starting to see a laundry list of federal solutions by bad faith actors whose top interest isn’t consumer protection, but bogus laws designed to pre-empt tougher, better, consensus-driven solutions on both the state and federal level. As such while California’s proposal is a (hopefully fixable) mess, it’s surprising the bill was even created at all in an environment where doing nothing or doing nothing but dressing it up as something is the preferred outcome for a large number of privacy-violating giants.