Overview. GDPR (in the EU) and CCPA (in California) are two of the first “User Data Right” policies in existence. The goal of these policies is to give users rights over their data, which has been commodified by advertisers and trackers. These rights enable users to know “what” is collected from them, “why” it is collected, and by “whom”. In addition, users can “opt out” of their data being shared or sold.
Compliance Measurement. Enforcement of these laws has led to several big tech companies being served massive fines for non-compliance. However, most of these cases have been reactive (to media or consumer reports) rather than proactive, mostly because these laws are not mature enough and there is no systematic mechanism to measure compliance with these rights. Keeping this in mind, the authors of this work create a framework that measures compliance with the “opt out” right.
Compliance Proxy. As with most of these user rights, there is no systematic way to measure the opt-out right other than the word of the businesses asked to stop the sale or sharing of user data. To this end, the authors use advertiser bids as a proxy to measure compliance. Based on insights from previous works, they hypothesize that advertisers bid differently on users they know more about than on unknown users. Hence, a user who opts out of their data being shared or sold should receive different bid values than users who do not.
Results. Analyzing the bid values, the authors show no significant difference between opting in and opting out, which indicates that the opt-out functionality either has no effect or is implemented incorrectly. Furthermore, they show that advertisers bid higher for personas than for the control, indicating that they have previous knowledge about the persona. Since opting out should have restricted this knowledge flow, this shows a lack of compliance with respect to the opt-out functionality.
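The two comparisons described above (opt-in vs. opt-out, and persona vs. control) can be sketched as follows. This is an added example, not the authors' code: the bid values are constructed, and the permutation test on medians, the 0.05 threshold and the function names are assumptions, since the summary does not say which statistical test the paper uses.

```python
import random
from statistics import median

# Constructed bid samples (CPM in milli-dollars); not data from the paper.
CONTROL = [110, 150, 130, 180, 120, 160, 140, 170, 125, 155]  # no browsing history
OPT_IN = [420, 550, 480, 610, 390, 520, 470, 580, 440, 500]   # persona, opted in
OPT_OUT = [430, 540, 490, 600, 400, 510, 460, 570, 450, 530]  # persona, opted out


def permutation_p(a, b, rounds=2000, seed=0):
    """Two-sided permutation test on the difference of group medians."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    observed = abs(median(a) - median(b))
    pooled = list(a) + list(b)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        diff = abs(median(pooled[:len(a)]) - median(pooled[len(a):]))
        if diff >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)  # add-one correction avoids p == 0


def assess(control, opt_in, opt_out, alpha=0.05):
    """Classify one advertiser's bids using the two comparisons in the text."""
    p_opt = permutation_p(opt_in, opt_out)   # does opting out change bids?
    p_ctl = permutation_p(opt_out, control)  # opted-out persona vs. control
    changes_bids = p_opt < alpha
    still_profiled = p_ctl < alpha and median(opt_out) > median(control)
    if still_profiled and not changes_bids:
        verdict = "opt-out not reflected in bids"
    elif changes_bids and not still_profiled:
        verdict = "consistent with opt-out being honored"
    else:
        verdict = "inconclusive"
    return {"p_opt_in_vs_out": p_opt, "p_out_vs_control": p_ctl, "verdict": verdict}


if __name__ == "__main__":
    print(assess(CONTROL, OPT_IN, OPT_OUT))
```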
Conclusion. In summary, this paper sheds light on how businesses are avoiding compliance with user data rights. Furthermore, this work highlights both the difficulty of, and the need for, a systematic framework for measuring compliance.