CCPA PHASE ONE Testing Goals

1. Determine whether exercising my privacy rights is worth my time and expense.
2. Evaluate what my level of risk exposure is to data breaches due to my vendors' privacy practices.
3. Determine how prepared my vendors are to help me exercise my privacy rights under the CCPA.
4. Discover if the existing statutes are fairly enforced by the Office of Attorney General.
5. Find the most cost-effective ways for consumers to exercise their privacy rights under the CCPA and improve processes for businesses which are obliged to comply with the CCPA.

CCPA PHASE ONE Methodology Overview

All tests are based on CCPA statutes and standards taken directly from the final regulations (August 14, 2020).
My CCPA PHASE ONE Compliance Test Suite, conducted between August 2020 - October 2020, contains these fields:

Here is an example of how each test case is scored:
Using TestCase2, Section 1798.130, “Compliance Obligations Regarding Consumer Rights”, Paragraph ( a )
I use these standards for scoring “Responses to Consumer Requests”:

Each standard has a weighted score cumulating in a single score of 100 maximum score per test case.
I started with this test case because it takes as long as 90 days before a business must respond.

Within the CCPA PHASE ONE Compliance Test Suite is a Testing Flow Diagram.
It shows the sequence of test cases within the suite as they are executed and evaluated over four distinct phases in the testing lifecycle:

Looking at the Testing Flow Diagram, you will see that I standardize my initial requests for all vendors across the board, but the responses received are quite variable. I code the category of each response, and proceed with next steps depending on the response, which could lead to executing another test case, or executing a “Counter Test”. These are my coded response categories for PHASE ONE:

For purposes of quality assurance, I publish actual responses, redacting information that would identify the vendor, in a separate dataset so that others can judge how I classified them. Of course, it would be insufficient to judge responses without seeing the actual requests, so these requests are also published. While I do use a template for each type of request across all vendors for standardization, I do personalize my requests and provide relevant details to help the responder.

I have used the term, “vendors” to describe the 200 organizations I do business with as a consumer. This term is problematic for businesses who might consider me to be a “customer”, but they don't consider themselves as my “vendor”. If I tell them I'm a customer, but I don't have a contractual business agreement for paid services or products, they can claim I have “no standing” to even submit such requests. We know that the CCPA is an acronym for “California Consumer Privacy Act”, and as a consumer, I am forced to accept cookies, privacy policies, and other consent agreements before having an opportunity to test whether organizations comply with their own stated policies and practices. Therefore, I consider every policy or consent I accept to be an “implicit business agreement” to exchange my personal information for the privilege of accessing resources, services, and tools. Not every organization I classify as a “vendor” provides paid products and services, but if I accept their policies and voluntarily provide my personal information, they are a “vendor” to me. This approach enables me to conduct standardized data privacy testing of all my vendors and govern the use of my personal information. I can manage and inventory my data assets, prove who is sharing my data within my vendor group, and evaluate the risk of exposure to data breaches when I decide as a consumer, who my “vendors” are. I also subcategorize my vendors, to help me select appropriate requests, data points, and methods for submission:

I'm not a big-spending consumer, although I have utilities, media, banks, healthcare, etc. like anyone else. But I am not a “typical consumer” because many of my vendors sell cybersecurity, audit, data science, and privacy tools and services. They also provide access to other resources, such as knowledge and sharing of best practices which help me exercise my data privacy rights. Many of these resources are only available to business enterprises. I formed a limited liability corporation to get access to these resources, to offset costs, and my LLC, PrivacyPortfolio, also serves as my authorized agent to represent me in all privacy matters.

Consumers are individual persons, and privacy is a personal matter. Every individual is different, and so are their privacy preferences.

I am a trained IT auditor, cybersecurity professional, and data governance specialist. I audit myself to find security vulnerabilities and evaluate my risk of exposure to data breaches. I became a cybersecurity engineer to fix issues instead of simply reporting vulnerabilities and failures of their controls, as I did in the capacity of IT Auditor. It made perfect sense to me, to practice ‘safe computing practices’ as a security professional, but it made no sense to protect my data on one hand (InfoSec) while the other hand is giving it away freely (Business Analytics). I decided to exercise my data privacy rights because I could find no other tools to proactively protect my personal data.

It's not usually in my interest to submit “know”, “delete” and “opt-out” requests. I like most of my vendors, and I benefit from accessing their resources. Unless I want to terminate a vendor, the only other time I would want to submit these requests is when I want to keep my vendor, but I also want them to improve their practices to help reduce my risk exposure. Testing permits me to identify issues, and work out mutually-beneficial resolutions.

These are the guidelines I use for all vendor risk tests:

1. I have legal standing to conduct tests on the target organization I am testing.
2. I try my best to keep tests standardized across target population and keep input and output uniform so that tests are reproducible, and results are comparable.
3. I try to be professional and polite, and I also try to be personable whenever possible, because I have found that robotic questions obtain robotic responses.
4. I try to protect the identity of organizations I target in my tests by assigning a de-identified token ID, and redacting identifying data in scans and communications, because I don't want to expose the people who provide me with evidence of unauthorized data-sharing.
5. If I am not committed to filing a formal complaint with authorities, I stop conducting any tests that require time and effort from the target organization.

“Exemptions” are covered in Section 1798.145. The most common exemptions are categorized like so:

“Exceptions” are testing anomalies which interfere or distort test results. Examples include companies that are now owned by another company, and also any organizations that have changed their policies, procedures, and/or exemption status.

“CounterTests” are tests designed to counter disputed facts or interpretations. Examples include:

1. Providing what I call “Seed Data”, either specific pieces of data, dates, events, or company staff I have interacted with to prove a business has in fact collected my personal information.
2. Providing text from the actual statutes and regulations to help educate the responding party.
3. Following up with another test case, such as TC3: “Qualifications of Personnel Processing Requests”.
4. Filing a formal consumer complaint with the California Office of Attorney General to get their determination.

I have a personal privacy policy and a personal privacy program designed to enforce my policy.
It states that my first criteria for any vendor is to establish and maintain cost-effective communication protocols between myself and my vendor.

Therefore, any vendor who does not respond to my requests for whatever the reason, should be terminated.
Termination means my vendor will stop providing services and stop communicating with me but it also means they can no longer use my personal information. I withdraw all my consent when I no longer want to do business with the vendor.
Obviously, I am prevented from withdrawing my consent or exercising any other privacy right when there is no communication. I FILE COMPLAINTS WHEN ORGANIZATIONS FAIL TO RESPOND TO MY REQUESTS.

For transparency, I also publish those complaints in my public data catalog in compliance with my personal privacy policy and privacy program.
Consumer complaints filed with the California Office Of Attorney General (OAG) are kept confidential by the OAG. However, that restriction does not prevent me from publishing my complaints. I have no idea which complaints the OAG will pursue. There is limited funding, and complaints against non-responsive companies are high-volume and expensive to contact.

1. One healthcare provider notified me of a data breach, caused by a registered data broker, saying no medical records have been breached, only my visits and the name of my personal physicians. Due to Health Information Exchanges (HIE), I have been trying to opt-out of all HIEs from all my medical providers, so far, successful with only one single individual who knew how to assist me in this request. Due to existing HIPAA exemptions from the CCPA, I cannot use my rights under the CCPA to help me mitigate this risk, even though it was my CCPA testing that helped me discover this vulnerability.
2. One insurance company, who initially failed to respond to my CCPA requests, eventually informed me that I have been paying premiums on an invalid policy for more than two years.
3. One banking institution denied me online access to my banking account (during the pandemic) because the data broker they use to verify customers' identities asked me financial questions about a former spouse that I could not answer correctly, and thus, failed the authentication test. The bank claimed they had no responsibility for their third-party service provider, which only accepts access requests via US Mail, and does not include the data used to authentication me in the information returned as a response to a “Know Request”.
4. I became a member of a “data platform” that shared sensitive health information with no fewer than 8 other organizations without my authorization, while claiming to be exempt from HIPAA, because according to the Institution Review Board that approves clinical studies, “Organizations are not considered to be covered entities just because they are collecting highly-sensitive PHI for the purpose of enlisting QUALIFIED clinical study participants”. This vendor responded to my CCPA requests only after I personally contacted a member of their advisory board. The response I received, answering none of my questions, was: “[COMPANY X] is committed to complying with CCPA and applies the protections of CCPA across the [COMPANY X] COVID-19 Testing Program that offers Covid-19 tests to the public. Thank you for your inquiry.”

These examples help to illustrate my desire and my justification in exercising my data privacy rights. Although consumers need no justification under the law, my findings highlight obstacles which I have overcome through expressing what my motives are. Phishing, spam, and other inappropriate or illegal activities wasting valuable resources does constitute cause for businesses to be wary, and I do take these factors into consideration when businesses question the motives of consumers.

The most common issue of contention is differing interpretations of what is considered a ‘verifiable consumer request’.

According to 1798.140. “Definitions” (y), “‘Verifiable consumer request’ means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a natural person or a person registered by the Secretary of State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify pursuant to the regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”

This definition goes on to state: “A business is not obligated to provide information to the consumer… if the business cannot verify…that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on the consumer's behalf.”

My preliminary findings show that a significant number of businesses interpret this as justification for NOT responding to the consumer's request. Throughout the Statutes and in the Final Regulations of the CCPA, this interpretation is clearly not supported:

According to 1798.145 Exemptions (i) (2): “If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision of the business.”

According to 1798.145 Exemptions (i) (3): “If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business must bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.”

Even in cases where a consumer's identity cannot be verified, the CCPA always requires the business to notify the consumer of that “fact”. It is not in the spirit of the law, to ignore requests simply because the business does not think the request is a ‘verifiable consumer request’.