Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

4 minute read

Publish Date:

CCPA. California Consumer Privacy Act (CCPA) is the first and at the moment, only law in the USA, which protects a consumers personal information (PI). It equips Californians with the right to know who is collecting their PI and for what purpose. It also allows users to opt-out of their data being collected / sold and request websites to delete their data.

Application. CCPA applies to any business that collects or sells Californians’ PI and (1) has annual gross revenue > $25M USD or (2) sells > 50K Californians PI annually or (3) Derives > 50% of its annual revenue from the sale of Californians’ PI. Businesses that fall under the regulations of CCPA have several requirements to fulfill. One of which is displaying a “Do Not Sell My Personal Information” (DNSMPI) link to the users.

Compliance. Due to the complexity of the online ecosystem, analyzing CCPA compliance is a non trivial task. However, by analyzing a measurable component of CCPA, the non trivial problem can be reduced to a measurement task. Keeping this in mind this work focuses on analyzing compliance of CCPA with the lens of DNSMPI links. As integrating a DNSMPI link is a low cost task for any business, analyzing its adoption can set lower bounds for CCPA compliance overall.

Analysis. This work aims to investigate several aspects of CCPA with the lens of DNSMPI link; (1) overall adoption (2) updating implementation with policy updates (3) geo-fencing CCPA guidelines (3) semantical implementation of the guidelines (font, size, placement).

Exemptions. As a verification step, they filter businesses exempt from CCPA and subsequently DNSMPI links. To built this filter, they quantify unique user count (from semrush.com) and tracker presence on the websites. They argue that tracker presence and amount of unique users combined indicate data sharing/selling. Hence, giving them a good sense of websites that should abide by CCPA regulations.

Instrumentation. To analyze the various aspects of DNSMPI link, they first created a set of 1M websites based on popularity and tracker presence. Next, using python and Chrome Developer Protocol, they ran 3 crawls, (a crawl consisted of visiting the set of websites and gathering data about DNSMPI links). Crawl 1 aimed to measure global adoption and applicability of DNSMPI links. Crawl 2 measured locational and longitudinal differences w.r.t DNSMPI links, and presentation characteristics of DNSMPI links was measured in crawl 3.

DNSMPI Adoption. Analyzing set of websites (1M) from crawl 1 showed presence of trackers and advertisers on most of the websites, making them highly probable to fall under the the regulations of CCPA. However, < 2% websites integrate a DNSMPI link and that these websites are spread above and (mostly) below the threshold of unique visitors set by CCPA. On the other hand PrivacyPolicy and ToS links were present on >80% of the websites. The authors argue that since FTC regulating PP and ToS links since the 90’s has made it widely adopted, it should serve as motivation to keep regulating DNSMPI (CCPA) over time as well.

Updated DNSMPI. After the first crawl, CCPA announced changes in the text of the DNSMPI link, which presented the perfect opportunity to measure how (if at all) websites are staying updated with the CCPA regulations. After running a second crawl they observed several sites had removed the DNSMPI links whereas the overall adoption rate increase was very low. Furthermore, they noticed that most (~90%) of the websites had not updated their DNSMPI links showing a one time initial compliance attitude.

Dynamically Hiding DNSMPI. Their second crawl was run from 2 IP’s (Virginia, California) to measure if websites are dynamically hiding the DNSMPI link for visitors outside CA. They measure ~2000 websites that use geo-fencing and hide links for non-californians. They argue this number is low but nonetheless problematic.

Semantics of DNSMPI. Using results form crawl 1 and 2 the authors analyze the semantics of DNSMPI links in their third crawl. They observe the prominence (ratio of the links text size to other text on the page) of the link text is in accordance with the FTC guidelines and the placement of the link is similar to PP and ToS links.

Concluding Remarks. Overall this paper highlights several key points w.r.t to CCPA. First, compliance is extremely difficult to measure due to the lack of a proper vantage point. As mitigation, CCPA should for instance, in addition to requiring a PP link, also require websites to state clearly that they do not sell users PI in accordance with CCPA in their PP. Second, these results should encourage regulators to be more proactive to increase the quality of current regulations and new ones to follow.