CCPA PHASE ONE Consumer Rights Test
CCPA PHASE ONE Testing Goals
- Determine whether exercising my privacy rights is worth my time and expense.
- Evaluate what my level of risk exposure is to data breaches due to my vendors' privacy practices.
- Determine how prepared my vendors are to help me exercise my privacy rights under the CCPA.
- Discover if the existing statutes are fairly enforced by the Office of Attorney General.
- Find the most cost-effective ways for consumers to exercise their privacy rights under the CCPA and improve processes for businesses which are obliged to comply with the CCPA.
CCPA PHASE ONE Methodology Overview
All tests are based on CCPA statutes and standards taken directly from the final regulations (August 14, 2020).
My CCPA PHASE ONE Compliance Test Suite,
conducted between August 2020 - October 2020, contains these fields:
TestCaseID | Statute | Title | Paragraph | Description | Standard | Requirements | Exemptions | Exceptions | CounterTests |
Here is an example of how each test case is scored:
Using TestCase2, Section 1798.130, “Compliance Obligations Regarding Consumer Rights”, Paragraph ( a )
I use these standards for scoring “Responses to Consumer Requests”:
Score | Standard |
30 points | request acknowledged within 45 days |
50 points | responds within 45 days |
20 points | response covers preceding 12 months |
Each standard has a weighted score cumulating in a single score of 100 maximum score per test case.
I started with this test case because it takes as long as 90 days before a business must respond.
Within the CCPA PHASE ONE Compliance Test Suite is a
Testing Flow Diagram.
It shows the sequence of test cases within the suite as they are executed and evaluated over four distinct phases in the testing lifecycle:
Given a total of 200 personal vendors, so far only 53% of them are NOT exempt from the CCPA.
27% claim an exemption, and 20% are unsure or won't divulge if they must comply.
Approximately 40% of all organizations will not even respond to privacy requests.
The purpose of PHASE ONE is to:
- establish a workable communication channel
- filter out organizations which are exempt
- determine if the organization is a data broker
- find out what mechanisms a business has implemented regarding methods for submitting requests and verifying the identity of the consumer and their authorized agent
PHASE ONE helps me conduct valid tests and fill any compliance gaps on the responder's side that would prevent me from constructing and submitting a ‘verifiable consumer request’.
Many of my vendors have challenged my questions under PHASE ONE as unnecessary and even frivolous; and I believe my preliminary findings show otherwise.
NOTE: This was written before the CPRA was passed in November of 2020. As a result, PHASE TWO also includes “Correct” and “Limit” requests.
It also includes the final test case TC25: “Cost-Accounting”.
Looking at the Testing Flow Diagram, you will see that I standardize my initial requests for all vendors across the board, but the responses received are quite variable. I code the category of each response, and proceed with next steps depending on the response, which could lead to executing another test case, or executing a “Counter Test”. These are my coded response categories for PHASE ONE:
Response Type | |
ACK Only | Question |
Skipped | Appropriate |
FAQ Only | Customers Only |
Pending | No Response |
Complaint | Undeliverable |
Phone Only | Business Terminated |
Policy Update | Vendor Terminated |
For purposes of quality assurance, I publish actual responses, redacting information that would identify the vendor, in a separate dataset so that others can judge how I classified them. Of course, it would be insufficient to judge responses without seeing the actual requests, so these requests are also published. While I do use a template for each type of request across all vendors for standardization, I do personalize my requests and provide relevant details to help the responder.
My Vendors
I have used the term, “vendors” to describe the 200 organizations I do business with as a consumer. This term is problematic for businesses who might consider me to be a “customer”, but they don't consider themselves as my “vendor”. If I tell them I'm a customer, but I don't have a contractual business agreement for paid services or products, they can claim I have “no standing” to even submit such requests. We know that the CCPA is an acronym for “California Consumer Privacy Act”, and as a consumer, I am forced to accept cookies, privacy policies, and other consent agreements before having an opportunity to test whether organizations comply with their own stated policies and practices. Therefore, I consider every policy or consent I accept to be an “implicit business agreement” to exchange my personal information for the privilege of accessing resources, services, and tools. Not every organization I classify as a “vendor” provides paid products and services, but if I accept their policies and voluntarily provide my personal information, they are a “vendor” to me. This approach enables me to conduct standardized data privacy testing of all my vendors and govern the use of my personal information. I can manage and inventory my data assets, prove who is sharing my data within my vendor group, and evaluate the risk of exposure to data breaches when I decide as a consumer, who my “vendors” are. I also subcategorize my vendors, to help me select appropriate requests, data points, and methods for submission:
Vendor Profile | |
Paid | Government Agency |
User | Data Broker |
Inquiry | Third Party |
Free | Contributor |
Member | Subscriber |
Free Tool | Free Trial |
Attendee | Trade Show |
I'm not a big-spending consumer, although I have utilities, media, banks, healthcare, etc. like anyone else. But I am not a “typical consumer” because many of my vendors sell cybersecurity, audit, data science, and privacy tools and services. They also provide access to other resources, such as knowledge and sharing of best practices which help me exercise my data privacy rights. Many of these resources are only available to business enterprises. I formed a limited liability corporation to get access to these resources, to offset costs, and my LLC, PrivacyPortfolio, also serves as my authorized agent to represent me in all privacy matters.
Who is ‘Craig Erickson, a California Consumer’?
Consumers are individual persons, and privacy is a personal matter. Every individual is different, and so are their privacy preferences.
I am a trained IT auditor, cybersecurity professional, and data governance specialist. I audit myself to find security vulnerabilities and evaluate my risk of exposure to data breaches. I became a cybersecurity engineer to fix issues instead of simply reporting vulnerabilities and failures of their controls, as I did in the capacity of IT Auditor. It made perfect sense to me, to practice ‘safe computing practices’ as a security professional, but it made no sense to protect my data on one hand (InfoSec) while the other hand is giving it away freely (Business Analytics). I decided to exercise my data privacy rights because I could find no other tools to proactively protect my personal data.
It's not usually in my interest to submit “know”, “delete” and “opt-out” requests. I like most of my vendors, and I benefit from accessing their resources. Unless I want to terminate a vendor, the only other time I would want to submit these requests is when I want to keep my vendor, but I also want them to improve their practices to help reduce my risk exposure. Testing permits me to identify issues, and work out mutually-beneficial resolutions.
Vendor Risk Testing Guidelines
These are the guidelines I use for all vendor risk tests:
- I have legal standing to conduct tests on the target organization I am testing.
- I try my best to keep tests standardized across target population and keep input and output uniform so that tests are reproducible, and results are comparable.
- I try to be professional and polite, and I also try to be personable whenever possible, because I have found that robotic questions obtain robotic responses.
- I try to protect the identity of organizations I target in my tests by assigning a de-identified token ID, and redacting identifying data in scans and communications, because I don't want to expose the people who provide me with evidence of unauthorized data-sharing.
- If I am not committed to filing a formal complaint with authorities, I stop conducting any tests that require time and effort from the target organization.
“Exemptions”, “Exceptions”, and “CounterTests”
“Exemptions” are covered in Section 1798.145. The most common exemptions are categorized like so:
Exemptions | |
None | |
Government Agency | |
B2B | |
Service Provider | |
Revenue | |
NonProfit | |
Unsure | |
NA (No Answer) | |
HIPAA |
“Exceptions” are testing anomalies which interfere or distort test results. Examples include companies that are now owned by another company, and also any organizations that have changed their policies, procedures, and/or exemption status.
“CounterTests” are tests designed to counter disputed facts or interpretations. Examples include:
- Providing what I call “Seed Data”, either specific pieces of data, dates, events, or company staff I have interacted with to prove a business has in fact collected my personal information.
- Providing text from the actual statutes and regulations to help educate the responding party.
- Following up with another test case, such as TC3: “Qualifications of Personnel Processing Requests”.
- Filing a formal consumer complaint with the California Office of Attorney General to get their determination.
Filing Consumer Complaints
I have a personal privacy policy and a personal privacy program designed to enforce my policy.
It states that my first criteria for any vendor is to establish and maintain cost-effective communication protocols between myself and my vendor.
Therefore, any vendor who does not respond to my requests for whatever the reason, should be terminated.
Termination means my vendor will stop providing services and stop communicating with me but it also means they can no longer use my personal information.
I withdraw all my consent when I no longer want to do business with the vendor.
Obviously, I am prevented from withdrawing my consent or exercising any other privacy right when there is no communication.
I FILE COMPLAINTS WHEN ORGANIZATIONS FAIL TO RESPOND TO MY REQUESTS.
For transparency, I also publish those complaints in my public data catalog in compliance with my personal privacy policy and privacy program.
Consumer complaints filed with the California Office Of Attorney General (OAG) are kept confidential by the OAG. However, that restriction does not prevent me from publishing my complaints.
I have no idea which complaints the OAG will pursue. There is limited funding, and complaints against non-responsive companies are high-volume and expensive to contact.
Examples which justify my approach to CCPA Compliance Testing
- One healthcare provider notified me of a data breach, caused by a registered data broker, saying no medical records have been breached, only my visits and the name of my personal physicians. Due to Health Information Exchanges (HIE), I have been trying to opt-out of all HIEs from all my medical providers, so far, successful with only one single individual who knew how to assist me in this request. Due to existing HIPAA exemptions from the CCPA, I cannot use my rights under the CCPA to help me mitigate this risk, even though it was my CCPA testing that helped me discover this vulnerability.
- One insurance company, who initially failed to respond to my CCPA requests, eventually informed me that I have been paying premiums on an invalid policy for more than two years.
- One banking institution denied me online access to my banking account (during the pandemic) because the data broker they use to verify customers' identities asked me financial questions about a former spouse that I could not answer correctly, and thus, failed the authentication test. The bank claimed they had no responsibility for their third-party service provider, which only accepts access requests via US Mail, and does not include the data used to authentication me in the information returned as a response to a “Know Request”.
- I became a member of a “data platform” that shared sensitive health information with no fewer than 8 other organizations without my authorization, while claiming to be exempt from HIPAA, because according to the Institution Review Board that approves clinical studies, “Organizations are not considered to be covered entities just because they are collecting highly-sensitive PHI for the purpose of enlisting QUALIFIED clinical study participants”. This vendor responded to my CCPA requests only after I personally contacted a member of their advisory board. The response I received, answering none of my questions, was: “[COMPANY X] is committed to complying with CCPA and applies the protections of CCPA across the [COMPANY X] COVID-19 Testing Program that offers Covid-19 tests to the public. Thank you for your inquiry.”
These examples help to illustrate my desire and my justification in exercising my data privacy rights. Although consumers need no justification under the law, my findings highlight obstacles which I have overcome through expressing what my motives are. Phishing, spam, and other inappropriate or illegal activities wasting valuable resources does constitute cause for businesses to be wary, and I do take these factors into consideration when businesses question the motives of consumers.
“Common Issues of Contention”
The most common issue of contention is differing interpretations of what is considered a ‘verifiable consumer request’.
According to 1798.140. “Definitions” (y), “‘Verifiable consumer request’ means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a natural person or a person registered by the Secretary of State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify pursuant to the regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”
This definition goes on to state: “A business is not obligated to provide information to the consumer… if the business cannot verify…that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on the consumer's behalf.”
My preliminary findings show that a significant number of businesses interpret this as justification for NOT responding to the consumer's request. Throughout the Statutes and in the Final Regulations of the CCPA, this interpretation is clearly not supported:
According to 1798.145 Exemptions (i) (2): “If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision of the business.”
According to 1798.145 Exemptions (i) (3): “If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business must bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.”
Even in cases where a consumer's identity cannot be verified, the CCPA always requires the business to notify the consumer of that “fact”. It is not in the spirit of the law, to ignore requests simply because the business does not think the request is a ‘verifiable consumer request’.
“How to construct a legal ‘verifiable consumer request’”
Consumers without legal counsel can rely on “THE FINAL REGULATIONS”, which provides definitions, implementation guidelines and some real-world examples. I will start by constructing a “Request to Know” what personal information a business has collected about me:
(r) “Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
- Specific pieces of personal information that a business has collected about the consumer;
- Categories of personal information it has collected about the consumer;
- Categories of sources from which the personal information is collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling personal information.
TRANSLATED REQUEST:
Will you please fulfill my “Request to know” by disclosing all personal information [COMPANY X] has collected about me,
[FULL LEGAL NAME], a California consumer currently residing at [PHYSICAL ADDRESS]?
Pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115, my request to know includes the following information:
- Specific pieces of personal information [COMPANY X] has collected about me.
- Categories of personal information [COMPANY X] has collected about me.
- Categories of sources from which the personal information was collected by [COMPANY X].
- Categories of personal information that [COMPANY X] sold or disclosed for a business purpose about me.
- Categories of third parties to whom the personal information about me was sold or disclosed by [COMPANY X] for a business purpose; and
- The business or commercial purpose [COMPANY X] has for collecting or selling personal information about me.
STEP TWO
Next, I augment the request with specific data points which can be used to verify my identity:
Personal Data Element | Reasonable Degree of Certainty | Reasonably High Degree of Certainty | Account Holder Status | Proof of Identity Documentation |
First and Last Name | X | X | X | |
Email Address | X | X | X | |
Physical Address | X | X | X |
AUGMENTED REQUEST:
“I am voluntarily providing additional information about me for the exclusive purpose of verifying my identity:
First Name: Craig
Last Name: Erickson
List of Possible Email Addresses Used: [LIST]
Physical Address Where I Legally Reside: [ADDRESS]
I [DO] [DO NOT] have an online account registered with [COMPANY X].
I [AM] [AM NOT] submitting legal, government-approved photo ID or other authoritative documentation for the purpose of proving my identity as the consumer whom [COMPANY X] has collected personal information about.”
STEP THREE
Finally, I also provide all the information requested by all vendors' instructions contained within a corpus of all policies and communications between vendors and consumers (these are only a few examples):
Vendor Type | Request Requirements |
Social Media |
a) Name of the product b) What information you are requesting related to your rights under the CCPA c) Email address linked to your account (if applicable) |
Tech | send us the request at [EMAIL ALIAS]. Please specify at the time whether it relates to a deletion or access request. |
Financial |
Specify: (a) your organisation is a customer of [COMPANY X]; and/or (b) you are making a consumer privacy rights application to [COMPANY X] either on your own behalf or on behalf of a third party |
Third Party Service Provider | written authorization for the agent to act on the consumer's behalf and must verify their identity directly with us. |
Identity Management Provider |
If you are acting on behalf of a specific consumer who is exercising his or her rights under CCPA with respect to personal information collected by [COMPANY X], please let us know the specific consumer and the specific rights that you would like to exercise |
Software Manufacturer |
a) role; b) products; c) accounts; d) To access or delete other data related to [COMPANY X] account or to access or delete personal data collected outside of a [COMPANY X] account, consumers can contact our privacy team. |
Social Media |
a) a signed request that includes your username (e.g., @username or [COMPANY X].com/username) b) the email address and/or phone number associated with your [COMPANY X] account; c) the specific information you are requesting (e.g.: IP logs); and d) a scanned copy of your valid, government-issued photo ID |
Data Governance Vendor |
a) Name: b) Email Id: c) State of residency: d) What is your relationship with [COMPANY X] (customer, vendor, partner, employee, website visitor, other): e) Nature of your data subject request under CCPA (request to access, delete, know, etc.): |
API Vendor | If [COMPANY X] maintains a password-protected account, it verifies the consumer's identity through our existing authentication practices for the consumer's account. If the individual does not have a password-protected account, we match two or three data points provided by the consumer with other reliable data points |
TRANSLATED REQUEST:
“[CONSUMER] is a [LIST OF ROLES] of [COMPANY X],
and has a valid contractual relationship with [COMPANY X] to use [PRODUCT NAMES] [SERVICE NAMES]
or implied contractual relationships by using [FREE UNSECURED SERVICES OR WEBSITE RESOURCES]
under the Terms of Use and Privacy Policy I was forced to accept as a condition of interacting in any way with [COMPANY X].
Attached is my legal, government-approved document for the exclusive purpose of verifying my identity, and the identity and authorization of my agent.”
NOTES: The Agent Authorization form I use is based on an “Advanced Care Directive” commonly used to appoint a “Power of Attorney” on behalf of a medical patient,
which I modified for the purpose of authorizing an agent to represent me in all data privacy matters.
It is signed and witnessed by a Notary Public who verified my identity as a California consumer and US Citizen.
I contend that all three parts of this request constitutes a ‘verifiable consumer request’.
I also contend that asking any qualifying questions regarding a vendor's CCPA compliance status prior to submitting a “Request to Know”, “Request to Delete”, or “Request to Opt-Out“, can also be considered a ‘verifiable consumer request’.
Furthermore, I contend that a consumer's intent to discover whether an organization is exempt from the CCPA, should also be responded to, if only as a common courtesy.