1 Introduction
In the past few years, states in the United States have begun enacting comprehensive consumer privacy laws modeled loosely on Europe’s General Data Protection Regulation (GDPR) [16, 22, 55, 58]. The most ambitious of these state frameworks, the California Consumer Privacy Act (CCPA), was adopted in California. This act grants essential rights to consumers in that state, while placing obligations on larger for-profit companies that operate in the state and meet specific thresholds, such as annual revenues exceeding 25 million dollars or buying, selling, or sharing the personal data of 100,000 or more California residents [2, 15, 38].
The basic structure of the CCPA places the onus on consumers themselves to safeguard their privacy. Consumers can limit the sale and sharing of their personal information, find out what information companies possess about them, request the deletion of such information, or rectify errors concerning their personal information. Yet, to exercise these important CCPA rights, individual consumers need to affirmatively invoke them [2, 15, 17]. To facilitate consumers’ ability to exercise their privacy rights, the CCPA also imposes disclosure obligations on businesses. For example, websites subject to the CCPA must typically create a link on their home pages that a consumer can click on to invoke their CCPA rights [5, 17].
In this paper, we evaluate the effectiveness of this policy design choice by focusing on the first step in that process—specifically, whether for-profit businesses comply with the CCPA’s mandates to enable consumers to opt out of the sale and sharing of their personal information. If companies ignore their legal obligations to facilitate (and ultimately honor) opt-out requests, then the far-reaching privacy rights that the CCPA grants to consumers become illusory.
The CCPA’s rules have changed over time, due to the enactment of statutory amendments (for example, via the California Privacy Rights Act (CPRA)) and regulations promulgated by California’s Attorney General and Privacy Protection Agency, altering the requirements for opt-out methods (please refer to Figure 1 for important events of the CCPA and Section 2 for more details about how the CCPA evolved over time). It is important to monitor whether businesses subject to the CCPA are staying current with the CCPA’s shifting requirements. It is also valuable to assess whether companies extend these CCPA rights to consumers who are located outside California (i.e., spillover effects of the CCPA to non-California consumers) and whether businesses not under CCPA jurisdiction offer CCPA rights to their consumers (i.e., spillover effects of the CCPA to non-CCPA-subject businesses). Note that measuring spillover effects to consumers in other states requires multiple steps, including answering the following questions: (i) do firms implement the opt-out links in states other than California? (ii) do they allow non-Californian consumers located in California to successfully opt out? and (iii) do they allow non-Californian consumers located in states other than California to successfully opt out? Given that steps (ii) and (iii) are difficult to measure, primarily because they require a determination of whether consumers can complete all the steps necessary to opt out successfully, this study focuses on measuring (i) only. To measure the spillover effects to non-CCPA-subject businesses, we focus on determining whether businesses that are probably not subject to CCPA implement the opt-out link for California consumers. Since several states enacted consumer privacy laws after California did, typically with less specific and onerous requirements, we are also interested in measuring whether businesses showed consumers in those states opt-out links mirroring those shown to Californians, or whether they tried to comply with other states’ mandates in a narrower way. This study represents the first attempt to gauge businesses’ compliance with the evolving CCPA requirements across space and time. Our research questions are as follows:
(1) How has the implementation of the CCPA’s opt-out requirements changed over time?
(2) Do the opt-out links implemented on websites meet the CCPA’s respective current requirements?
(3) Do the businesses that implement the opt-out link for California consumers also implement an opt-out link for non-California consumers?
(4) How does the implementation of the opt-out link differ between businesses that are subject to CCPA and those that are not subject to CCPA?
(5) What are the reasons for the absence of the opt-out link in websites that are likely subject to CCPA?
To answer these research questions, we designed and implemented a custom web measurement tool to survey 1,016 websites twice per month, from January-July 2023 from five vantage points: California (CA), Virginia (VA), Colorado (CO), Illinois (IL), and Utah (UT). We chose these vantage points because Virginia had a relatively lax law that was in effect for all of 2023, Colorado had a law almost as strict as California’s that went into effect in mid-2023, Utah had a relatively lax law that went into effect at the very end of 2023, and Illinois had no data protection law remotely comparable to CCPA throughout our study period. We also rely on various data sources to examine whether the websites in our sample are likely subject to CCPA. Finally, we apply a combination of automatic and manual methods to check whether these websites implement alternative opt-out methods, as well as to account for the absence of opt-out links in websites that are likely subject to CCPA. Our findings are as follows:
• The number of websites starting to implement the CCPA opt-out link, as well as those changing their opt-out link to be CCPA-compliant, increases over time. By the end of July 2023, 349 (70%) of the 496 websites likely subject to CCPA had implemented an opt-out link.
• Among websites that are likely subject to the CCPA but lack the opt-out link, less than 30% claim that they do not sell consumers’ personal information, while the rest either implemented the opt-out link later, embedded the opt-out methods in the privacy policy, offered offline opt-out methods, or did not mention CCPA or the opt-out rights of consumers at all.
• Among websites that implement the opt-out link, regardless of whether they are subject to CCPA, more than 40% do not meet the updated CCPA’s requirements for the appearance of the opt-out link in terms of terminology, location, and other requirements such as including the opt-out icon when needed.
• There is also a varying degree of spillover effects on non-California consumers. Of the 581 websites that implement the opt-out link in at least one state by the end of our measurement period, the majority implement the opt-out link across all states, including Illinois (IL), which does not have a state-specific privacy law. On the other hand, some websites implement the opt-out link exclusively in a limited number of states.
• A significant number of for-profit websites not likely subject to the CCPA still implement the opt-out link.
This paper makes the following contributions:
• We design and implement a software tool to scalably, reliably, and efficiently measure the presence (or absence) of opt-out links for the sale or sharing of personal data on websites.
• We use this tool to measure how businesses’ implementation of CCPA’s requirements changes over time from multiple vantage points.
• We measure the extent of “spill-over” effects of CCPA compliance around the sale and sharing of personal data to non-California consumers and businesses not likely subject to CCPA, as well as jurisdictions that have data protection laws with less specific opt-out requirements than California.
• We present the reasons for the absence of the opt-out link for websites that are likely subject to CCPA but do not implement the opt-out link.
Our findings suggest that the California Consumer Privacy Act (CCPA) impacts not only businesses directly subject to it, but also those that are not. The study also reveals positive spill-over effects in states with less stringent privacy laws, and even in those without state-specific privacy regulations. Additionally, our study provides clear evidence of non-compliance among some websites, underscoring the need for strict CCPA enforcement to ensure adherence. The rest of the paper is organized as follows. Section 2 presents background and related works. Section 3 describes our data collection process, including our rationale for the selection of the websites that we chose to study. Section 4 describes our measurement methods for studying the presence of opt-out links over time, as well as the presence of alternative opt-out methods. Section 5 presents our findings, Section 6 discusses the implications of our findings, and Section 7 concludes.
3 Dataset
To answer our research questions, we created a dataset of websites on which we measured CCPA compliance, specifically concerning allowing users to opt out of the sale and sharing of personal data. We describe how we create the dataset and perform our measurements.
Dataset: To ensure the diversity of websites, we purposely selected popular websites from 80 different categories from a widely-used web ranking of websites [37], which provides information such as the overview, category, and number of unique visitors for websites. This helps to verify that the websites we visit are legitimate, have a large number of users, and therefore are likely subject to the CCPA. We examined 1,016 unique websites in total, as this is a large enough dataset to give good coverage of the compliance (or non-compliance) of businesses, while also being manageable enough for us to measure these sites’ compliance status frequently.
Vantage Points: Due to the lack of access to vantage points physically located in different states from which to measure the opt-out links frequently, we choose to use a Virtual Private Network (VPN), which allows us to connect to a network in a different location and browse websites as if we were browsing from that location itself. We conduct our measurements twice per month, from January 2023 to the end of July 2023, from 4 states, namely Illinois (IL), California (CA), Colorado (CO) and Virginia (VA). We added Utah (UT) as another vantage point beginning in February 2023. UT, CO, and VA are states that had a comprehensive consumer privacy law in effect by the end of 2023 [34, 39, 41], though CO’s is somewhat weaker in terms of protecting consumer privacy, and VA’s and UT’s are much weaker [52, 56]. These states also have their privacy laws going into effect at different times, giving us insights into how websites respond to each new legal mandate. IL has no state-specific privacy law resembling the CCPA [36], hence it serves as a comparison for states that have a state-specific privacy law.
4 Methods
In this section, we first describe how we check whether a website is likely subject to CCPA. Next, we explain how we automatically measure the presence of the opt-out link, followed by how we measure the implementation of opt-out preference signals and other opt-out methods.
4.1 Checking whether Websites Are Subject to CCPA
As previously mentioned, not all websites are subject to the CCPA. Further details on who is subject to the CCPA can be found in Section 2. Certain criteria are difficult to check. For example, we can get the number of unique website visitors for each site we are measuring, but that does not necessarily correspond to the number of unique consumers, and especially California consumers. As such, during the curation of our dataset, we only select websites that serve at least 100,000 unique website visitors, based on website traffic analysis reports [37]. We then use Pitchbook [40], a financial data and software company that maintains comprehensive data on the private and public markets, to obtain information about each website including (i) annual gross revenue of the company, (ii) where the company’s headquarters are located, and (iii) the number of unique visitors to the company’s website. Unfortunately, not all companies are in Pitchbook’s database; as such, we use another credible database from ZoomInfo [42] to obtain information such as the company’s gross annual revenue, headquarters location, and whether the company is government-owned, non-profit, or for-profit. Based on the criteria of who is subject to the CCPA, we divide the websites into the following five groups (refer to Table 4 for details about how many websites fall into each category):
(1) Non-profit (Not Subject to CCPA). These sites are either non-profit websites or are owned by the government. This group is clearly not subject to the CCPA.
(2) Non-CCPA-subject For-profit (Not Subject to CCPA). The sites are for-profit websites with annual gross revenue less than $25 million. It is rather unlikely that entities in this group are subject to the CCPA because they do not meet the annual gross revenue threshold. However, if they annually buy, receive, sell, or share personal information of over 100,000 California residents, or derive 50% or more of their annual revenue from selling or sharing personal information of California residents, they are still subject to the CCPA [38].
(3) CCPA-subject For-profit (Subject to CCPA). These sites are for-profit websites with annual gross revenue of at least $25 million and headquarters located inside the US. This group is highly likely to be subject to the CCPA because their revenue exceeds the threshold and they are highly likely to conduct business in California.
(4) International For-profit (Unsure whether They Are Subject to CCPA). These sites are for-profit websites with annual gross revenue greater than $25 million and headquarters located outside of the US. Assessing CCPA’s applicability to this group is harder because their consumer bases may be international, so it is less certain whether they conduct business in California, how many California consumers they have, and how much of the total revenue comes from selling California consumers’ personal information.
(5) Unknown For-profit (Unsure whether They Are Subject to CCPA). These sites are for-profit websites whose information is not available; hence, it is difficult to conclude whether they are likely subject to CCPA.
4.2 Measuring the Presence of the Opt-out Link Over Time
This section first describes how the measurement of the opt-out link is conducted, followed by the performance of our measurement.
4.2.1 Utilizing a Two-pronged Approach to Measure the Presence of the Opt-out Link:
Because the opt-out link’s wording must follow the CCPA’s requirements [38], we first constructed a list of compliant keywords based on the CCPA requirements. To help us construct this list, we manually visited a subset of the 1,016 websites and realized that some websites might use different wordings to refer to the opt-out link such as “Do not share”, “Don’t sell/share” or “for CA and VA Residents”. We then conducted a more thorough manual inspection of all the websites in our dataset and added these additional phrasings to the original keyword search list. We use these phrasings to search for the presence of an opt-out link on the site. A detailed description of the method follows below.
Because we are measuring a large number of websites, frequently, over a long period of time, we must devise an efficient measurement method that enables retrieving exact phrasings of the opt-out link while providing screenshots to confirm the visual presence of the opt-out link. We used a two-pronged approach to confirm the presence of the opt-out link: one that involves direct searching of keywords on the web page and one that involves analyzing the page source of websites. Direct search on the website and page source analysis are not only fast but also complementary. Saving the page source allows us to find the exact wording used by the website. However, if the opt-out link is implemented in JavaScript, it is often the case that the page source cannot capture it. On the other hand, directly searching on the rendered website means automatically searching for opt-out keywords using the browser’s find-in-page (Ctrl+F) function. However, since it is time-consuming to perform direct searching on all websites, we can only do so for a limited number of keywords.
In addition to capturing the page source and directly searching on the rendered websites, we also capture screenshots of the websites during the direct search process to enable us to perform a manual check when the two approaches disagree. Our method to measure the presence of an opt-out link is described in Figure 4. After rendering each website using Selenium, we first check whether there is an error in accessing the webpage by searching for a few keywords indicating the presence of errors, including errors related to robot detection, network errors, or other blocking. Once the page is determined to be accessible, we conduct our search for the opt-out link as follows:
Search in Page Source of the Main Page: After the page is rendered, we save the page source of the main page. Initial inspection of these websites reveals that the opt-out link is often implemented as a <span>, <a> or <button> in the page source. As such, we search for any of these elements containing the keywords. We obtain the text of these elements, divide it into sentences or phrases and finally narrow them down to the exact keywords of the opt-out link. If none of the keywords are present, we continue to search through all <div> elements to ensure that we do not miss any elements containing the keywords.
Search for Keywords Using In-page Search: We use the PyAutoGUI Python library to control the keyboard and mouse actions to conduct an in-page search for the keywords on the rendered page. For each keyword in the keyword list, we use the find-in-page function to search for the keyword on the rendered web page and take a screenshot of the web page for later verification. From the screenshot of each keyword search, we crop out the picture of the search bar and convert it to text using the PyTesseract library. We then search this text to see if the returned number of results that match the keyword is greater than 0. If it is, we conclude that the keyword is present on the page.
Analyze the Presence of Keywords: If the keyword found in the in-page search process is also present in the page source, we conclude that the two methods agree. We store the website’s URL and extract the opt-out link’s wording from the page source. If they disagree, we do a manual check using the page source and screenshots of the in-page search to account for the discrepancy and then get the exact phrasing of the opt-out link.
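The page-source prong of the procedure above, written as an added example (not the authors’ tool): it parses a saved page with the standard-library HTML parser instead of Selenium, searches <span>/<a>/<button> elements before falling back to <div>, narrows each hit to the phrase holding the keyword, and reconciles the result with the keyword set the in-page search would report. The keyword and error-phrase lists are assumptions built from the phrasings the paper quotes, and the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Keywords as the paper builds them: CCPA phrasings plus variants seen on sites
# (assumption: illustrative, not the authors' full list; longest phrasings first).
OPT_OUT_KEYWORDS = [
    "do not sell or share my personal information",
    "do not sell my personal information",
    "your privacy choices",
    "for ca and va residents",
    "don't sell/share",
    "do not share",
]
# Assumption: constructed error phrases; the paper does not list the ones it used.
ERROR_KEYWORDS = ["access denied", "verify you are human", "captcha", "503 service unavailable"]
PRIMARY_TAGS = ("span", "a", "button")  # searched first, as in the paper
FALLBACK_TAGS = ("div",)                 # searched only if the first pass finds nothing

def normalize(text):
    """Lower-case, straighten curly apostrophes and collapse whitespace."""
    text = text.replace("\u2019", "'").replace("\u2018", "'")
    return re.sub(r"\s+", " ", text).strip().lower()

class ElementTextCollector(HTMLParser):
    """Records the visible text of every span/a/button/div element."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # open tracked elements as [tag, [text chunks]]
        self.elements = []  # closed elements as (tag, normalized text)

    def handle_starttag(self, tag, attrs):
        if tag in PRIMARY_TAGS + FALLBACK_TAGS:
            self.stack.append([tag, []])

    def handle_endtag(self, tag):
        if tag not in [open_tag for open_tag, _ in self.stack]:
            return  # untracked or stray closing tag
        while self.stack:  # pop until the matching open tag (tolerates unclosed spans)
            open_tag, chunks = self.stack.pop()
            self.elements.append((open_tag, normalize("".join(chunks))))
            if open_tag == tag:
                break

    def handle_data(self, data):
        for _, chunks in self.stack:  # text belongs to every open ancestor
            chunks.append(data)

def element_texts(page_source):
    collector = ElementTextCollector()
    collector.feed(page_source)
    collector.close()
    return collector.elements

def is_blocked(page_source):
    """Step 1: does the page show a robot-check, network or other blocking error?"""
    text = normalize(re.sub(r"<[^>]+>", " ", page_source))
    return any(k in text for k in ERROR_KEYWORDS)

def phrase_containing(text, keyword):
    """Split element text into phrases and keep the one holding the keyword."""
    for phrase in re.split(r"[.|;\u2022\u00b7]", text):
        if keyword in phrase:
            return phrase.strip()
    return text

def find_opt_out_links(page_source):
    """Page-source prong: search span/a/button, then fall back to div."""
    elements = element_texts(page_source)
    for tags in (PRIMARY_TAGS, FALLBACK_TAGS):
        hits, seen = [], set()
        for tag, text in ((t, x) for t, x in elements if t in tags):
            for keyword in OPT_OUT_KEYWORDS:
                if keyword in text:
                    wording = phrase_containing(text, keyword)
                    if (keyword, wording) not in seen:  # a > span nesting repeats text
                        seen.add((keyword, wording))
                        hits.append({"tag": tag, "keyword": keyword, "wording": wording})
                    break
        if hits:
            return hits
    return []

def reconcile(source_hits, inpage_keywords):
    """Step 3: 'agree' if an in-page-search keyword is also in the page source,
    'absent' if neither prong found anything, else 'manual_check' (e.g. JS-injected link)."""
    source_keywords = {h["keyword"] for h in source_hits}
    if source_keywords & inpage_keywords:
        return "agree"
    if not source_keywords and not inpage_keywords:
        return "absent"
    return "manual_check"

# Constructed sample pages (not real sites) exercising the three paths.
SAMPLE_PAGE = """<html><body><div id="footer"><a href="/privacy">Privacy Policy</a> |
<a href="/choices"><span>Your Privacy Choices</span></a> |
<button id="ccpa">Do Not Sell or Share My Personal Information</button></div></body></html>"""
DIV_ONLY_PAGE = "<div class='legal'>California residents: Do Not Share my info. Terms.</div>"
BLOCKED_PAGE = "<html><body><h1>Access Denied</h1><p>Verify you are human.</p></body></html>"
```

In practice the `inpage_keywords` argument to `reconcile` would come from the OCR of the find-in-page result counts; a `manual_check` verdict is the case where the screenshot shows a link the page source does not contain, or vice versa.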
4.2.2 Examining the Performance of the Measurement Method:
To evaluate the effectiveness of our measurement approach, we randomly select a date amongst the dates on which we conducted our measurements. The date selected is July 8, 2023, measured from the CA vantage point. After manually checking each website on that date, we compare the results of the manual check with those from our approach. Our approach yields two false positives (i.e., the opt-out link is not present but we report that it is present) and two false negatives (i.e., the opt-out link is present but we report that it is not present). Figure 5 shows more details about these cases. We also identify two cases where the opt-out link is present in the page source but is not present in the screenshot (for example, collegeboard.com has “Your Privacy Choices” present in the screenshot but not the page source) and 14 cases where the opt-out link is present in the screenshots but not the page source (refer to Figure 6 for an example). As such, this shows that our two-pronged approach can give higher-confidence results compared to using only the page source or the screenshot when checking the presence of the opt-out link.
4.3 Measuring Other Opt-out Methods
A business might not need to implement the opt-out link for several reasons: (i) it does not collect, sell, or share users’ personal information, (ii) it processes the opt-out preference signals in a frictionless manner via a browser using GPC, or (iii) it does not collect users’ personal information in an online manner and offers other offline opt-out mechanisms [46]. As such, we try to measure to what extent websites do not implement the opt-out link due to these reasons.
4.3.1 Measuring the Presence and Notification of the Frictionless Opt-out Preference Signals.
In order to implement the frictionless opt-out preference signals that comply with the CCPA, businesses must (i) process the opt-out preference signals in a frictionless manner and (ii) mention in their privacy policy that they process the opt-out preference signals in a frictionless manner. Businesses may also notify the consumers if the opt-out preference signals are honored [38]. To measure the presence and notification of the frictionless opt-out preference signals, we manually browsed each website from the CA vantage point on July 10, 2023 using the DuckDuckGo browser, which automatically sends the GPC signal to the website. We then visit pages where the frictionless opt-out preference signals are likely to be mentioned, including the front page, the opt-out page (if present, this page is obtained by clicking on the opt-out link) and the privacy policy, and save each of these pages as a single-file web page for further analysis. We then automatically extract the text of each page, filter out sentences that contain keywords related to the opt-out preference signals, and analyze these sentences to determine whether the website mentions the frictionless opt-out signals and whether it notifies the user that the sent GPC signal is honored.
4.3.2 Examining whether Businesses Sell/share Personal Information and whether They Offer Other Opt-out Methods.
We initially tried to scrape the privacy pages of these websites and use that data for this task but later realized that many websites such as www.apple.com place information related to the CCPA and California consumers in a separate page several steps away from the main Privacy page. Furthermore, the terminology of privacy policies can be nuanced and vary from website to website. As such, we did this process manually to ensure high confidence in our results. We only conduct our analysis on websites that are highly likely subject to the CCPA (for-profit websites whose headquarters are located within the US and whose revenue exceeds $25 million) but did not implement the opt-out link by the end of our measurement period. If businesses do not implement the opt-out link because they do not sell or share consumers’ information, they have to mention this in their privacy policy. As such, we visit each of these websites’ privacy policy page, aiming to answer the following questions:
• Does the business sell/share consumers’ personal information?
• Are the CCPA or the opt-out rights mentioned in the privacy policy?
• Are there any methods for consumers to exercise the opt-out rights?
4.4 Limitations
Measuring Compliance: Our methods of checking whether websites are subject to the CCPA do not cover all criteria of who is subject to the CCPA. For example, we cannot capture whether businesses conduct business in California (although we believe that large companies, especially those with headquarters located in the US, likely conduct businesses in California), how many California consumers the company has, or how much of the entity’s revenue derives from selling personal information. This information is not readily available.
Checking if the Opt-out Link is Functional and Satisfies CCPA’s Requirements: Although our study measures compliance of websites with the CCPA, we do not examine whether the opt-out link is conspicuous enough and works effectively from the user’s perspective. We only measure the presence of the opt-out link and consider sites compliant if the link is present. Given that websites’ opt-out processes can be diverse, involving multiple steps and human understanding of the opt-out language to complete the opt-out process, measuring compliance remains a challenging task and is a topic for future work.
Selecting Dataset: Furthermore, while we choose to cap our dataset at 1016 websites for easier monitoring of these websites over time, we are aware that this number is still modest compared to those that are subject to the CCPA. As such, our numerical results might be affected by the selection of websites and may not reflect fully the percentage of websites that are CCPA compliant/non-compliant.
Checking Spillover Effects on Non-CA States: The presence of the opt-out links in non-Californian states does not mean that a resident outside of California can successfully opt out. For some websites that have the opt-out link present, if the users select that they are non-Californian residents, the opt-out of sale or sharing of personal information may not apply to them. Please refer to Figure 7 to see an example of such websites. However, once again, this checking of spillover effects for non-Californian residents is challenging to measure because it is difficult to automate and requires completion of the whole opt-out process to determine whether that can be done successfully.
Checking Spillover Effects on Non-CCPA-subject Websites: Although the presence of the opt-out link on for-profit websites whose revenue is less than 25 million dollars might be due to the spillover effects of CCPA on non-CCPA-subject websites, this might not be conclusive because our measure of what firms are subject to CCPA is underinclusive. That said, we strongly suspect that triggering the 25 million dollar revenue threshold is the reason why most firms are subject to the CCPA. Because figures about firms’ number of California users and the percentage of firm revenue derived from the sale of personal data are not publicly available, it is quite challenging for researchers and agencies charged with enforcing the CCPA to develop a perfect measure of its applicability.
6 Discussion
We explore various implications of our findings, address challenges encountered in conducting this large-scale, automated study, and discuss the implications for regulators and others in automated compliance checking.
6.1 Consumer Protection Policy Implications
At the end of 2022, with Democrats about to lose their majority in the United States House of Representatives, Speaker Nancy Pelosi faced a choice. The House Energy and Commerce Committee voted by a 53–2 margin to approve the American Data Protection and Privacy Act (ADPPA) [23]. The ADPPA would have created sweeping new consumer privacy protections at the federal level. If enacted, the United States would have a new law, national in scope, to rival Europe’s GDPR. But ADPPA would have preempted more protective state laws; this preemption provision was necessary in order to secure support from Congressional Republicans. This preemption provision meant that parts of CCPA might become invalid (because they were incompatible with the ADPPA), and California’s ability to enact new laws in the future expanding consumer privacy rights further would be substantially curtailed. (Those laws would likely be preempted by ADPPA).
Faced with opposition from California’s governor and chief privacy regulators [29], Speaker Pelosi decided to block the ADPPA. As a result, no bipartisan comprehensive privacy law was enacted, and such legislation has languished subsequent to the Republican takeover of the House. Our research is a first step towards evaluating the wisdom of Pelosi’s decision. If California privacy laws are de facto national privacy laws, because companies will find it economical to give consumers nationwide the benefits of rights that Californians enjoy, then Pelosi almost certainly made the right call. If CCPA has had minimal spillover effects, then Pelosi’s decision might have benefited Californians’ privacy rights at the expense of their fellow Americans’ rights.
Our study reveals that the CCPA does have a positive effect on the behaviors of websites, as evident by the increase in the implementation of the opt-out link over time, not only in CA, but also in non-CA states. However, the study also reveals a lag, and potentially non-compliance, in websites that fail to update their practices to align with evolving CCPA requirements. These findings for the CCPA mirror in some respects research on the General Data Protection Regulation (GDPR), a European Union privacy law for entities that collect and process personal information of residents of the EU [9, 13, 25, 28]. For example, as a result of GDPR, the number of websites that have privacy policies increased over time, as did the number of websites with cookie consent banners [12]. However, much like how our study suggests partial compliance with the CCPA, there are still a number of websites not implementing the GDPR requirements. In addition, we also see a small number of websites offering delayed or differentiated versions of the opt-out links for residents in different states, just as websites offer differentiated versions of the privacy and cookie notices for residents in different countries in Europe [12]. This suggests that websites tend to have the same kind of behaviors in reacting to different privacy laws, at least with respect to laws like CCPA that entail moderate compliance costs. Another interesting observation from our study is that some websites clearly acknowledge the CCPA but fail to comply with the CCPA’s requirements. Some examples include those that embed the link to opt-out forms in the privacy policy instead of using a conspicuous opt-out link on the main page, offer offline opt-out methods despite having an online platform, or merely offer instructions about how a user can modify various privacy settings. As such, these websites appear to violate CCPA’s requirements despite knowing that they have to comply with the CCPA. These observations, perhaps, suggest that more muscular enforcement and significant fines are needed to spur these websites into updating their websites to be CCPA-compliant.
One recent study conducted during the same time period arrives at conclusions that differ from ours in some respects. While our study reveals an increase over time in the number of websites that implement the opt-out links or modify opt-out links to become CCPA-compliant (refer to Figure 8), Charatan et al. [7] discover a significant number of websites that stopped providing any opt-out methods after CPRA went into effect. They attribute this effect to CPRA’s increase in the number of California consumers, households, or devices whose personal information must be collected for a website to be subject to the law’s requirements (Section 4.3.1). (CCPA applied to websites that buy, sell, or share the personal information of 50,000 consumers, households, or devices, whereas CPRA raised that threshold to 100,000.) They also report that CPRA’s modifications to the threshold caused websites to switch to respecting GPC signals only rather than providing opt-out links, reducing users’ awareness and understanding of their privacy choices (Section 4.3.1). We hypothesize that the discrepancies result from these dynamics:
(1) Choice of Dataset. While our study focuses on a smaller number of websites that are likely subject to CCPA and CPRA because of the large scope of their online business, their study is performed on a much larger dataset of websites. As such, their study includes websites that are more likely to be affected by CPRA’s changes to the reach of the statute. As the authors note, their set of 25,000 popular websites also includes sites not rendered in the English language and not aimed at consumers, suggesting that they are more likely to study websites that were subject to neither CCPA nor CPRA. At most, 15.2% of the websites in their sample provided a CCPA opt-out mechanism via a link or GPC. (Calculation based on Section 4.3.1).
(2) Missing Measures of CCPA Applicability. Relatedly, while our study uses independent measures of corporate revenues and for-profit status to exclude websites that are probably not subject to CCPA’s requirements, their study does not have a robust method to check whether websites are subject to CCPA or are affected by the changes in the statutory scope. It is important to note that not all websites subject to CCPA comply with mandatory opt-out requirements, so when a website eliminates an opt-out process, that could indicate that it was subject to CCPA but not CPRA, or it could indicate noncompliance with the law. Ascribing significant changes in website behavior during the observation period to the changes in statutory scope is particularly tricky because the number of consumers, households, and devices whose personal information is collected by a firm is typically non-public information. Our effort to obtain the list of websites used in their study for comparison purposes was unsuccessful.
Both studies show that the number of websites that implement at least one opt-out method increased over time (refer to Figure
8 of our paper and Figure
2 of their study). Ultimately, despite our divergent interpretations of the data, the two studies’ findings complement each other by providing varied perspectives into the impacts of CCPA and CPRA on different subsets of websites. The somewhat varied results also underscore the importance of examining the impacts of CCPA from multiple perspectives for a more comprehensive understanding of the impact of the laws.
6.2 Challenges in Compliance Checking
Confirming the presence or absence of a CCPA-prescribed opt-out link on websites is technically challenging. Determining compliance with the CCPA is even more complex, particularly for sites without an opt-out link. The difficulties include:
• Identifying firms subject to the CCPA is time-consuming and complex, especially when key information, like the number of California consumers or the revenue derived from selling personal information, is not publicly available.
• Privacy policies are often lengthy, disorganized, and filled with confusing jargon. This makes it hard to determine whether websites are selling or sharing personal information. The updated CCPA complicates this further, as websites previously compliant might now fall short because they share consumer data for targeted marketing.
• Variations in state-specific privacy laws add another layer of complexity. Websites might comply with some state laws but not others. This disparity makes it challenging to ascertain which laws apply, particularly when websites offer different privacy rights or opt-out links in different states.
• Measuring compliance with the CCPA is easier than measuring compliance with other states’ laws. Because California identifies two sets of “magic words” that will communicate opt-out rights to consumers, researchers and agencies charged with law enforcement can more readily automate the process of measuring compliance. By contrast, laws like Virginia’s or Utah’s tell entities to inform consumers about their rights but give them considerable flexibility in what wording to employ. There does not seem to be any obvious benefit to permitting this flexibility. It makes it harder for consumers to find what they are looking for and harder for third parties to measure compliance.
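To make the last point concrete, the following is an added example (not the paper’s own measurement tooling) of the kind of automated check the “magic words” permit: it collects the visible text of every anchor on a homepage and classifies the page by whether one of the prescribed opt-out wordings appears. The phrase list is this example’s own transcription of the CCPA and CPRA-era link wordings (an assumption to verify against the current regulation text), the “era” labels and function names are the example’s, and the two footers are constructed samples.

```python
import re
from html.parser import HTMLParser

# Link wordings prescribed by the CCPA regulations, as this example assumes them
# (not taken from the paper): the original CCPA wording, then CPRA-era wordings.
OPT_OUT_PHRASES = {
    "do not sell my personal information": "ccpa",
    "do not sell or share my personal information": "cpra",
    "your privacy choices": "cpra",
    "your california privacy choices": "cpra",
}

def _norm(text):
    # Collapse whitespace and case so link text compares exactly.
    return re.sub(r"\s+", " ", text).strip().lower()

class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a>, nested tags included."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._buf is not None:
            self.anchors.append((_norm("".join(self._buf)), self._href))
            self._buf = None

def find_opt_out_links(html):
    """(link text, href, era) for each anchor whose text is a prescribed phrase."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [(t, h, OPT_OUT_PHRASES[t]) for t, h in parser.anchors if t in OPT_OUT_PHRASES]

def classify_homepage(html):
    """'cpra_link', 'ccpa_only_link' (pre-CPRA wording) or 'no_opt_out_link'. Only the
    homepage is checked: a link reachable only via the privacy policy counts as absent."""
    eras = {era for _, _, era in find_opt_out_links(html)}
    if "cpra" in eras:
        return "cpra_link"
    return "ccpa_only_link" if "ccpa" in eras else "no_opt_out_link"

# Constructed sample footers, not captured from any real site.
COMPLIANT = ('<footer><a href="/privacy">Privacy Policy</a> | <a href="/optout">'
             '<span>Do Not Sell or\n Share</span> My Personal Information</a></footer>')
NONCOMPLIANT = '<footer><a href="/privacy">Privacy Policy</a> | <a href="/ca">California Privacy Rights</a></footer>'
```

A page like NONCOMPLIANT, whose only route to an opt-out form runs through a “California Privacy Rights” or privacy-policy page, is exactly the case the text above describes as acknowledging the CCPA without meeting its link requirement.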
These challenges in automated consumer privacy law compliance monitoring highlight the difficulties faced not only by consumers in invoking privacy rights but also by regulators in enforcing compliance efficiently. In the following section, we delve deeper into these policy implications and offer suggestions for addressing them.
6.3 Recommendations for Policymakers
The challenges in checking CCPA compliance suggest the need for more accessible compliance monitoring. Proposed measures include:
• Creating a public dataset listing entities subject to the CCPA to simplify monitoring compliance.
• Mandating a standardized structure for privacy policies, enabling quicker access to relevant sections.
• Standardizing the language used in privacy policies to require a finite list of “magic words”, particularly when businesses do not sell or share personal information.
In addition, given these evident non-compliance observations and the time elapsed since the enactment of the CCPA and the CPRA, we strongly recommend that the California Attorney General’s Office use automated techniques to identify entities that are non-compliant and demand documentation from these firms that CCPA is inapplicable to them.
6.4 Avenues for Future HCI and Policy Research
The CCPA places the responsibility of opting out on consumers, making it crucial for them to decide whether to exercise their privacy rights. This decision is influenced by factors such as consumer awareness about privacy rights and their preference for certain opt-out methods. Future research could extend this work to explore how aware users are of their privacy rights and their ability to navigate different opt-out processes. It could also compare users’ familiarity with manual opt-out methods, like using an opt-out link, against automated techniques such as browser-based Global Privacy Control settings.
Our study serves as a basis for measuring the spillover effects of the CCPA and understanding how websites respond to privacy laws in different states. It provides some reason to believe that CCPA may function as a de facto national comprehensive consumer privacy law, despite its ostensibly limited jurisdictional reach. In further research, we plan to exercise CCPA opt-out rights on behalf of consumers based in California and in Illinois. This will allow us to confirm that the potential spillover effects we observe are real and meaningful. Our research indicates some websites restrict opt-out options for non-CA consumers or offer varied opt-out experiences, but the prevalence of these practices is unclear, and the presence of an opt-out link does not necessarily mean that opt-outs from non-Californians will be processed and respected.
At this juncture, though, there is some reason to believe that a “Sacramento effect” exists in consumer privacy law [14]. The California market is big enough, and providing different versions of websites to residents of different states is cumbersome enough, to justify giving residents of every state the ability to exercise CCPA opt-out rights. If further explorations confirm this possibility, then it suggests that enacting federal legislation is a less urgent priority than many privacy advocates believe. In short, Nancy Pelosi’s decision to kill the ADPPA may, in the long run, prove to be a decision that expands privacy protections for all Americans.