California Office of Attorney General (OAG) CCPA Enforcement Test
CCPA Enforcement Testing Goals
- To determine whether exercising my privacy rights is worth my time and expense.
- To discover if the existing statutes are fairly enforced by the Office of Attorney General.
Methodology Overview
All tests are based on CCPA statutes and standards taken directly from the final regulations.
My CCPA Compliance Test Suite is accessible as a worksheet in my public data catalog, containing these fields:
“Exemptions”, “Exceptions”, and “CounterTests”
“Exemptions” are covered in Section 1798.145. The most common exemptions are categorized like so:
Exemptions | |
None | |
Government Agency | |
B2B | |
Service Provider | |
Revenue | |
NonProfit | |
Unsure | |
NA (No Answer) | |
HIPAA |
“Exceptions” are testing anomalies which interfere or distort test results. Examples include companies that are now owned by another company, and also any organizations that have changed their policies, procedures, and/or exemption status.
“CounterTests” are tests designed to counter disputed facts or interpretations. Examples include:
- Providing what I call “Seed Data”, either specific pieces of data, dates, events, or company staff I have interacted with to prove a business has in fact collected my personal information.
- Providing text from the actual statutes and regulations to help educate the responding party.
- Following up with another test case, such as TC3: “Qualifications of Personnel Processing Requests”.
- Filing a formal consumer complaint with the California Office of Attorney General to get their determination.
Filing Consumer Complaints
I have a personal privacy policy and a personal privacy program designed to enforce my policy.
It states that my first criteria for any vendor is to establish and maintain cost-effective communication protocols between myself and my vendor.
Therefore, any vendor who does not respond to my requests for whatever the reason, should be terminated.
Termination means my vendor will stop providing services and stop communicating with me but it also means they can no longer use my personal information.
I withdraw all my consent when I no longer want to do business with the vendor.
Obviously, I am prevented from withdrawing my consent or exercising any other privacy right when there is no communication.
I FILE COMPLAINTS WHEN ORGANIZATIONS FAIL TO RESPOND TO MY REQUESTS.
For transparency, I also publish those complaints in my public data catalog in compliance with my personal privacy policy and privacy program.
Consumer complaints filed with the California Office Of Attorney General (OAG) are kept confidential by the OAG. However, that restriction does not prevent me from publishing my complaints.
I have no idea which complaints the OAG will pursue. There is limited funding, and complaints against non-responsive companies are high-volume and expensive to contact.
Given complaints which may seem more harmful, such as failure to issue data breach notifications, or selling personal information after opting out,
any failure to respond to CCPA requests may seem less egregious, however, this simply rewards scofflaws by giving them a free pass.
Failing to respond, is the easiest, least expensive way to prevent consumers from exercising their data privacy rights.
Examples which justify my approach to CCPA Compliance Testing
- One healthcare provider notified me of a data breach, caused by a registered data broker, saying no medical records have been breached, only my visits and the name of my personal physicians. Due to Health Information Exchanges (HIE), I have been trying to opt-out of all HIEs from all my medical providers, so far, successful with only one single individual who knew how to assist me in this request. Due to existing HIPAA exemptions from the CCPA, I cannot use my rights under the CCPA to help me mitigate this risk, even though it was my CCPA testing that helped me discover this vulnerability.
- One insurance company, who initially failed to respond to my CCPA requests, eventually informed me that I have been paying premiums on an invalid policy for more than two years.
- One banking institution denied me online access to my banking account (during the pandemic) because the data broker they use to verify customers' identities asked me financial questions about a former spouse that I could not answer correctly, and thus, failed the authentication test. The bank claimed they had no responsibility for their third-party service provider, which only accepts access requests via US Mail, and does not include the data used to authentication me in the information returned as a response to a “Know Request”.
- I became a member of a “data platform” that shared sensitive health information with no fewer than 8 other organizations without my authorization, while claiming to be exempt from HIPAA, because according to the Institution Review Board that approves clinical studies, “Organizations are not considered to be covered entities just because they are collecting highly-sensitive PHI for the purpose of enlisting QUALIFIED clinical study participants”. This vendor responded to my CCPA requests only after I personally contacted a member of their advisory board. The response I received, answering none of my questions, was: “[COMPANY X] is committed to complying with CCPA and applies the protections of CCPA across the [COMPANY X] COVID-19 Testing Program that offers Covid-19 tests to the public. Thank you for your inquiry.”
These examples help to illustrate my desire and my justification in exercising my data privacy rights. Although consumers need no justification under the law, my findings highlight obstacles which I have overcome through expressing what my motives are. Phishing, spam, and other inappropriate or illegal activities wasting valuable resources does constitute cause for businesses to be wary, and I do take these factors into consideration when businesses question the motives of consumers.
“Common Issues of Contention”
The most common issue of contention is differing interpretations of what is considered a ‘verifiable consumer request’.
According to 1798.140. “Definitions” (y), “‘Verifiable consumer request’ means a request that is made by a consumer, by a consumer on behalf of the consumer's minor child, or by a natural person or a person registered by the Secretary of State, authorized by the consumer to act on the consumer's behalf, and that the business can reasonably verify pursuant to the regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information.”
This definition goes on to state: “A business is not obligated to provide information to the consumer… if the business cannot verify…that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on the consumer's behalf.”
My preliminary findings show that a significant number of businesses interpret this as justification for NOT responding to the consumer's request. Throughout the Statutes and in the Final Regulations of the CCPA, this interpretation is clearly not supported:
According to 1798.145 Exemptions (i) (2): “If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision of the business.”
According to 1798.145 Exemptions (i) (3): “If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business must bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.”
Even in cases where a consumer's identity cannot be verified, the CCPA always requires the business to notify the consumer of that “fact”. It is not in the spirit of the law, to ignore requests simply because the business does not think the request is a ‘verifiable consumer request’.
“How to construct a legal ‘verifiable consumer request’”
Consumers without legal counsel can rely on “THE FINAL REGULATIONS”, which provides definitions, implementation guidelines and some real-world examples. I will start by constructing a “Request to Know” what personal information a business has collected about me:
(r) “Request to know” means a consumer request that a business disclose personal information that it has collected about the consumer pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115. It includes a request for any or all of the following:
- Specific pieces of personal information that a business has collected about the consumer;
- Categories of personal information it has collected about the consumer;
- Categories of sources from which the personal information is collected;
- Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
- Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
- The business or commercial purpose for collecting or selling personal information.
TRANSLATED REQUEST:
Will you please fulfill my “Request to know” by disclosing all personal information [COMPANY X] has collected about me,
[FULL LEGAL NAME], a California consumer currently residing at [PHYSICAL ADDRESS]?
Pursuant to Civil Code sections 1798.100, 1798.110, or 1798.115, my request to know includes the following information:
- Specific pieces of personal information [COMPANY X] has collected about me.
- Categories of personal information [COMPANY X] has collected about me.
- Categories of sources from which the personal information was collected by [COMPANY X].
- Categories of personal information that [COMPANY X] sold or disclosed for a business purpose about me.
- Categories of third parties to whom the personal information about me was sold or disclosed by [COMPANY X] for a business purpose; and
- The business or commercial purpose [COMPANY X] has for collecting or selling personal information about me.
STEP TWO
Next, I augment the request with specific data points which can be used to verify my identity:
Personal Data Element | Reasonable Degree of Certainty | Reasonably High Degree of Certainty | Account Holder Status | Proof of Identity Documentation |
First and Last Name | X | X | X | |
Email Address | X | X | X | |
Physical Address | X | X | X |
AUGMENTED REQUEST:
“I am voluntarily providing additional information about me for the exclusive purpose of verifying my identity:
First Name: Craig
Last Name: Erickson
List of Possible Email Addresses Used: [LIST]
Physical Address Where I Legally Reside: [ADDRESS]
I [DO] [DO NOT] have an online account registered with [COMPANY X].
I [AM] [AM NOT] submitting legal, government-approved photo ID or other authoritative documentation for the purpose of proving my identity as the consumer whom [COMPANY X] has collected personal information about.”
STEP THREE
Finally, I also provide all the information requested by all vendors' instructions contained within a corpus of all policies and communications between vendors and consumers (these are only a few examples):
Vendor Type | Request Requirements |
Social Media |
a) Name of the product b) What information you are requesting related to your rights under the CCPA c) Email address linked to your account (if applicable) |
Tech | send us the request at [EMAIL ALIAS]. Please specify at the time whether it relates to a deletion or access request. |
Financial |
Specify: (a) your organisation is a customer of [COMPANY X]; and/or (b) you are making a consumer privacy rights application to [COMPANY X] either on your own behalf or on behalf of a third party |
Third Party Service Provider | written authorization for the agent to act on the consumer's behalf and must verify their identity directly with us. |
Identity Management Provider |
If you are acting on behalf of a specific consumer who is exercising his or her rights under CCPA with respect to personal information collected by [COMPANY X], please let us know the specific consumer and the specific rights that you would like to exercise |
Software Manufacturer |
a) role; b) products; c) accounts; d) To access or delete other data related to [COMPANY X] account or to access or delete personal data collected outside of a [COMPANY X] account, consumers can contact our privacy team. |
Social Media |
a) a signed request that includes your username (e.g., @username or [COMPANY X].com/username) b) the email address and/or phone number associated with your [COMPANY X] account; c) the specific information you are requesting (e.g.: IP logs); and d) a scanned copy of your valid, government-issued photo ID |
Data Governance Vendor |
a) Name: b) Email Id: c) State of residency: d) What is your relationship with [COMPANY X] (customer, vendor, partner, employee, website visitor, other): e) Nature of your data subject request under CCPA (request to access, delete, know, etc.): |
API Vendor | If [COMPANY X] maintains a password-protected account, it verifies the consumer's identity through our existing authentication practices for the consumer's account. If the individual does not have a password-protected account, we match two or three data points provided by the consumer with other reliable data points |
TRANSLATED REQUEST:
“[CONSUMER] is a [LIST OF ROLES] of [COMPANY X],
and has a valid contractual relationship with [COMPANY X] to use [PRODUCT NAMES] [SERVICE NAMES]
or implied contractual relationships by using [FREE UNSECURED SERVICES OR WEBSITE RESOURCES]
under the Terms of Use and Privacy Policy I was forced to accept as a condition of interacting in any way with [COMPANY X].
Attached is my legal, government-approved document for the exclusive purpose of verifying my identity, and the identity and authorization of my agent.”
NOTES: The Agent Authorization form I use is based on an “Advanced Care Directive” commonly used to appoint a “Power of Attorney” on behalf of a medical patient,
which I modified for the purpose of authorizing an agent to represent me in all data privacy matters.
It is signed and witnessed by a Notary Public who verified my identity as a California consumer and US Citizen.
I contend that all three parts of this request constitutes a ‘verifiable consumer request’.
I also contend that asking any qualifying questions regarding a vendor's CCPA compliance status prior to submitting a “Request to Know”, “Request to Delete”, or “Request to Opt-Out“, can also be considered a ‘verifiable consumer request’.
Furthermore, I contend that a consumer's intent to discover whether an organization is exempt from the CCPA, should also be responded to, if only as a common courtesy.