CCPA Phase One Test Results

I. Target Population

How I classify my 200 personal vendors:

Vendor Type          Count
Subscriber              60
Inquiry                 37
Paid                    21
Member                  13
Free Trial              12
User                    11
Third Party              8
Trade Show               8
Contributor              6
Data Broker              6
NA                       6
Free                     5
Attendee                 4
Government Agency        2
Agent                    1

Please, won't you be my vendor?

These days, many services, products, and other commodities - including information - are provided without monetary compensation or written contracts.

More often, the only agreement I have with a vendor is accepting their Privacy Policy and Terms of Use.

Therefore:

Any organization I consume information from, and provide personal information to, is my vendor.

I HAVE LEGAL STANDING TO CONDUCT TESTS ON THESE TARGET ORGANIZATIONS.
Read my Vendor Risk Testing Guidelines.

Not all vendors must comply with CCPA, so I ask them:

Exemptions           Count
[NonProfit]              4
NonProfit                6
[Not A Business]         3
Not a business           1
[Revenue]                1
Revenue                  6
B2B                      1
Government Agency        2
HIPAA                    2
NA                       5
none                    21
Unsure                   1

    1. Does your organization claim any exemptions to the California Consumer Privacy Act?
            YES  ______       NO  ______ 
            If so, which exemption(s) are you claiming?
            ___________________________________________
    

Out of the 53 vendors who answered this question:
32 vendors (approximately 60%) were exempt from the CCPA
21 vendors (approximately 40%) are not exempt, and do qualify for CCPA testing.

I classified the remaining 147 vendors based on my own knowledge,
which are indicated in [square brackets].
“NA” represents the number of vendors I could not classify.

Out of my total population sample of 200 vendors,
45 vendors (22.5%) are EXEMPT from the CCPA.

SOME OF THESE TARGET ORGANIZATIONS DON'T AGREE THEY ARE A VENDOR OF MINE.

Fortunately, I have evidence in support of my claim:

  • I have a Vendor Risk Management Platform and an on-boarding process for my vendors.
  • I have a start date when I on-boarded each vendor, a baseline privacy scan, and copies of all policies.
  • I have most of the information received from, and sent to, each vendor.
  • In particular, I have evidence of all personal data I submitted to each vendor.

I maintain baseline metadata for all my vendors, and publish it in a de-identified dataset in my VendorRiskPlatform catalog: Vendors_08052020.csv

I also maintain private metadata on vendors which includes:
Ownership details, domain registrations, applicable laws, vendor classification, account/billing information and privacy/security configurations.

Some of this information is needed to manage my vendor resources,
and some information is used to predict trends and identify outliers in risk assessments.

I CONDUCT CCPA TESTING TO ASSESS THE RISK OF DATA BREACHES AND UNAUTHORIZED DATA-SHARING.

My Testing Goals explain why tests are conducted within the context of a Vendor Risk Program.
I don't exercise my privacy rights just for kicks.

23 Vendors (11.5%) have a Data Breach History

Data breaches are a prominent topic in the CCPA:

  • a data breach triggers the right to civil action;
  • it requires notification to consumers;
  • and it levies fines, which help fund enforcement.

I don't ask vendors to disclose their data breach history.
I use the State of California Office of Attorney General list of Data Breaches which I screen-scraped into a csv format: CA-DataBreaches-020402020.csv.

I use this source assuming that the OAG uses it as a trigger for enforcement actions when the breach involves a registered data broker.
The OAG has an obligation and a financial incentive to enforce the CCPA with registered data brokers.
If I discover that a vendor of mine was breached, and is also a registered data broker,
I fully expect the OAG to investigate and mandate remediation independent of any consumer complaint or civil action originating from a consumer.

The CCPA's treatment of data brokers differs from other regulated entities.
Testing data brokers requires different tests using different standards, and also, different ways of constructing “verifiable consumer requests”.

Although I have other tools to get this information, such as my Data Broker Oracle, I prefer my vendors to represent themselves, so I ask them:

2. Is your organization registered as a Data Broker with the Office of Attorney General for the State of California?
        YES  ______       NO  ______ 

1 out of 3 Vendors who are listed in the California Data Broker Registry disclosed that fact when asked.

II. Vendor Compliance Status

Vendor Compliance Status is derived from standards taken directly from the CCPA statutes and final regulations.
These standards and the weighted scoring algorithms for computing compliance status are documented in my CCPA Compliance Test Suite.

Each test case contains these fields:

TestCaseID, Statute, Title, Paragraph, Description, Standard, Requirements, Exemptions, Exceptions, CounterTests

Test cases are grouped into Phases to control execution according to my Testing Flow Diagram.

PHASE ONE is what I call, a 'Discovery' phase, consisting of the following test cases:

TEST CASE 1:
Score  Standard
   20  has toll-free phone number
   10  has non-toll-free phone number
   30  has email
   20  has webform
   20  no online account required
1798.130 - Compliance Obligations Regarding Consumer Rights - ( a ) - Methods for Submitting Requests

(Each standard carries a weighted score; the scores within a test case sum to a maximum of 100 per test case.)


TEST CASE 2:
Score  Standard
   30  request acknowledged within 45 days
   50  responds within 45 days
   20  response covers preceding 12 months
1798.130 - Compliance Obligations Regarding Consumer Rights - ( a ) - Responses to Consumer Requests*

* TC2 NOT TESTED in PHASE ONE; this standard only applies to KNOW, DELETE, OPT-OUT requests in PHASE TWO.


TEST CASE 3:
Score  Standard
   60  staff informed of CCPA requirements
   40  staff assists consumers in exercising their rights
1798.130 - Compliance Obligations Regarding Consumer Rights - ( a ) ( 6 ) - Qualifications of Personnel Processing Requests

TEST CASE 4:
Score  Standard
   20  Online Policy exists
   10  Online Policy is dated
   10  Online Policy is dated no older than 1 year
   20  Online Policy contains California Resident Notice
   20  Online Policy contains categories of personal information collected
   20  Online Policy contains instructions for submitting requests
1798.130 - Compliance Obligations Regarding Consumer Rights - ( a ) ( 5 ) ( A ) ( B ) - Online Policy disclosure of CCPA rights

(The cumulative score for each test case within each test phase is how Vendor Compliance Status is computed.)

The results from each test phase are published in my CCPA PHASE ONE Test Results.xlsx.

CCPA PHASE ONE Test Results

The "Next Test" column represents the Test Status for each vendor, i.e., where we are in the Test Suite according to the Test Flow.

I STOP all CCPA testing after PHASE ONE on all vendors who are "EXEMPT".
I also STOP all CCPA testing after PHASE ONE for all vendors I "SKIPPED".

I SKIPPED testing 21 Vendors because:
10 are not legal business entities,
4 are not-for-profit,
2 businesses are closed,
2 are government agencies,
2 cannot be identified,
and one vendor is my own company, PrivacyPortfolio.

For all vendors I have filed a "COMPLAINT" against, I skip PHASE TWO because I am unable to exercise my rights.

However, in PHASE THREE I will execute Test Case 21 to detect discrimination (any change in service from these vendors, which I label 'COMPANY X'), and in PHASE FOUR I test the enforcement agency's performance (CA Office of Attorney General) in responding to my consumer complaints.

Some vendors during PHASE ONE testing disclosed personal data they collected about me, whether I requested it or not. For these vendors, I will proceed to Test Case 12, "Right to Know Response Coding" in PHASE TWO.

All other vendors proceed as PHASE TWO test candidates.
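As an added example (not the author's code or test suite), the following Python applies the Phase One weights listed above and the "Next Test" exit rules just described. The weights are the page's; the evidence flag names and the status labels are my own assumed names.

```python
# Added example, not from the page's CCPA Compliance Test Suite: Phase One
# weighted scoring plus the "Next Test" exit rules described above.
# Weights are the page's; evidence flag names and status labels are assumed.
from typing import Dict

# Weighted standards per test case (max 100 each). TC2 is omitted because
# it is not tested in Phase One.
PHASE_ONE: Dict[str, Dict[str, int]] = {
    "TC1": {"toll_free_phone": 20, "non_toll_free_phone": 10, "email": 30,
            "webform": 20, "no_online_account_required": 20},
    "TC3": {"staff_informed_of_ccpa": 60, "staff_assists_consumers": 40},
    "TC4": {"policy_exists": 20, "policy_dated": 10, "policy_under_1_year": 10,
            "california_notice": 20, "pi_categories_listed": 20,
            "request_instructions": 20},
}


def score_test_case(case: str, evidence: Dict[str, bool]) -> int:
    """Sum the weights of the standards the vendor met, capped at 100."""
    weights = PHASE_ONE[case]
    unknown = set(evidence) - set(weights)
    if unknown:  # reject mis-keyed evidence rather than silently scoring 0
        raise KeyError(f"{case}: unknown standard(s) {sorted(unknown)}")
    return min(100, sum(w for std, w in weights.items() if evidence.get(std)))


def phase_one_scores(evidence_by_case: Dict[str, Dict[str, bool]]) -> Dict[str, int]:
    """Score every Phase One test case; a case with no evidence scores 0."""
    return {case: score_test_case(case, evidence_by_case.get(case, {}))
            for case in PHASE_ONE}


def next_test(compliance_status: str, disclosed_personal_data: bool = False) -> str:
    """Pick the vendor's next test from its Phase One compliance status."""
    if compliance_status in ("EXEMPT", "SKIPPED"):
        return "STOP"                  # no further CCPA testing
    if compliance_status == "COMPLAINT":
        return "PHASE THREE / TC21"    # rights cannot be exercised; test for discrimination
    if disclosed_personal_data:
        return "PHASE TWO / TC12"      # Right to Know Response Coding
    return "PHASE TWO"                 # KNOW, DELETE, OPT-OUT candidate


if __name__ == "__main__":
    # Constructed sample vendor: email and webform present, policy exists and is dated
    sample = {"TC1": {"email": True, "webform": True},
              "TC4": {"policy_exists": True, "policy_dated": True}}
    print(phase_one_scores(sample), next_test("PASS"))
```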


Only 78 vendors out of 200
are candidates for PHASE TWO testing
...after subtracting vendors whose compliance status is "EXEMPT", "SKIPPED", or "COMPLAINT".

PHASE TWO involves “Know”, “Delete”, and “Opt-Out” requests.
Before discussing PHASE TWO, we need to explore why PHASE ONE is extremely important as a prerequisite to exercising one's rights.

The most familiar rights granted to California Consumers under the CCPA are:

  1. The right to KNOW
  2. The right to DELETE
  3. The right to OPT-OUT

All of these rights are dependent upon a vendor's 100% compliance with the CCPA -- in advance.

Although sufficient notice is mandated by the CCPA, privacy policies rarely contain all the information necessary for a consumer to exercise their rights.

Consumers do not have the right to dispute, or challenge, or test a vendor's privacy assertions and practices.
Consumers don't even have the right to ask questions of the vendor, or how the laws are interpreted by enforcement authorities.

I cheat by asking my vendors three questions before submitting KNOW, DELETE, or OPT-OUT requests.

I do this for two reasons:

  1. It costs time and money to exercise my rights under the CCPA
  2. I must compose a 'verifiable consumer request' which includes how the responder can verify my identity.

In my first question I asked if the vendor was exempt from the CCPA, which reduced my target population by 22.5%.

In my second question I asked if the vendor was a registered data broker, which counters some revenue and not-for-profit exemptions, and helps me select the appropriate tests and format for submitting my 'verifiable consumer request'.

For my third question I asked the vendor about "agents".

The CCPA permits consumers to use an agent to exercise privacy rights on the consumers' behalf.
This provision prescribes:

  • no acceptable standard for verifying the agent's identity,
  • no disclosure obligations to provide instructions regarding agents,
  • and no standards for ensuring agents can access all needed resources without "impersonating" the consumer
    (sharing the consumer's online accounts and email).

So I asked my vendors:

3. Does your organization have a process for authenticating agents authorized by consumers to act on their behalf?

       YES  ______       NO  ______ 

Out of 40 Vendors who returned responses coded as "Appropriate",
30 vendors did not answer this question,
5 vendors said "No",
1 vendor was "Unsure",
and 4 vendors answered "Yes".

One of the fields I added to the vendor metadata during PHASE ONE was
ID Verified: did the vendor make any attempt at, or mention (a generously low bar), 'verification' in their policies or responses?

Only 43 Vendors mentioned anything about 'verification' in their policies or responses.
142 vendors did not,
and 15 were coded as "NA" for "not applicable".

Test Tools

I use two primary tools for documenting my testing activities:
An activity log, in which I record the details about the vendor, the researcher (requestor), and the respondent;

ActivityLog

and an email log, in which I capture every email sent or received for each vendor.

EmailLog

Vendors in the email log HAVE NOT been de-identified because I published the consumer complaints filed against them.
I need these logs easily accessible to enforcement authorities as evidence to support my claims.

All vendors in my ActivityLog, as shown above, ARE de-identified because I published vendors who responded "appropriately" as a separate dataset.

I've also published the actual responses which were coded as "Appropriate", redacting information that would identify the vendor, as shown below. Publishing these responses permits others to judge how I coded them, and also provides additional context and insight to researchers.

Appropriate Responses

During the test, I code the RequestType, which I standardize as much as possible by using named templates for all vendors.
I code the ResponseType from vendors using these response categories for PHASE ONE:

Response Type:
  • ACK Only
  • Skipped
  • FAQ Only
  • Pending
  • Complaint
  • Phone Only
  • Policy Update
  • Question
  • Appropriate
  • Customers Only
  • No Response
  • Undeliverable
  • Business Terminated
  • Vendor Terminated

67 Vendors (33.5%) returned "Appropriate" responses.

III. Enforcement Status

After filing consumer complaints, the test subject transitions from vendor to enforcement agency, which is the California Office of Attorney General (OAG). Testing how the law is interpreted and enforced is tracked using these additional fields:

OAG Response Date, OAG Response Type, Vendor Response Date, Vendor Response Type, OAG Action Date, OAG Action Type

I also established a baseline of OAG's performance prior to CCPA testing which can be used for comparisons.
In my Vendor Risk Platform data catalog, I filed 4 prior complaints and only one vendor was investigated.
Without reviewing or asking the consumer for additional evidence, the OAG basically accepted the vendor's response.

Looking forward, I've also published a Test Suite for the CPRA
with a CCPA crosswalk to evaluate comparisons between the two laws as written, and as enforced.


Out of all 200 Vendors, 67 (33.5%) had consumer complaints filed against them for blatant violations preventing consumers from exercising their rights,
66 complaints were acknowledged by OAG;
0 complaints were responded to by OAG or vendors;
and 0 remediation actions were taken by OAG.

Given these results, it makes 0 sense to spend one minute or one dime to exercise my CCPA rights.

IV. Consumer Cost Analysis

The CCPA permits California consumers to exercise their data privacy rights, but at what cost to the consumer?

In business, we conduct cost-benefit analyses to determine if we are getting good returns on our investments.
When the CCPA was being written, business people complained to lawmakers about the exorbitant costs of fulfilling data privacy requests from consumers. Yet little effort was made to estimate the costs incurred by the typical consumer who exercises their rights.

The table below lists some of the consumer cost metrics produced during my test runs:

Dollars/Hours  Item/Task
         0.55  postage per OAG Complaint
         0.50  Interchange
            0  Legal Fees
            0  Research/Discovery
            0  Education

I spent $38.50 on postage to file 70 OAG complaints.
I also recorded 945 interchanges at a cost of $472.50.
Together, I spent a total of $511.00, submitting requests to 200 vendors.

Q. What return did I get for my effort as a consumer?
A. Appropriate responses from 67 vendors, and 75 vendors I can submit KNOW requests for in PHASE TWO.

To cut the costs of exercising my CCPA rights,
I AM OFFERING a $100 REWARD FOR EVIDENCE I CAN PUBLISH
proving that the OAG performed its duty to investigate and resolve at least one consumer complaint.

V. Summary

Out of my total population sample of 200 vendors, 45 vendors (22.5%) are EXEMPT from the CCPA.

Consumers cannot easily tell who must comply with the CCPA.
The "EXEMPT from CCPA" icon on my website serves as notification that PrivacyPortfolio is exempt from the CCPA.

Consumers lack the tools to easily discover and manage their personal vendors, which is a significant obstacle to exercising their rights.
Vendors who sell privacy-consent-management tools to businesses could tailor their offerings to help consumers given sufficient demand.

Only 78 vendors out of 200
are candidates for PHASE TWO testing ...after subtracting vendors whose compliance status is "EXEMPT", "SKIPPED", or "COMPLAINT".

The CCPA doesn't cover enough organizations to make it worthwhile for consumers to exercise their rights.
Publishing a dataset rich enough for privacy professionals to analyze and evaluate can help identify these gaps.
For example: examining whether carve-outs for HIPAA, FCRA, and other legislation help or hinder the intent of the CCPA;
whether government agencies, healthcare, and non-profit organizations account for a larger segment of data breaches and incidents of identity theft;
and the general challenge of identifying "unregulated entities", which are difficult to hold accountable due to obfuscated ownership details.

Only 43 Vendors (21.5%) mentioned anything about 'verification' in their policies or responses.

Verifying the consumer's identity is a relatively rare practice.
Even when performed, there are no common standards or procedures for consumers or vendors. Some vendors outsource this function to third-party providers, some of which are registered data brokers and exempted credit reporting agencies. Infrastructure for standardized "digital identities" is badly needed for many legitimate purposes in addition to privacy rights, by both businesses and consumers.
Currently, the burden is on consumers to "divine" what information and proof must be provided to their vendors.
Although data privacy rights under the CCPA apply only to California residents, no vendor verified my state of residency.

Out of all 200 Vendors, 67 (33.5%) had consumer complaints filed against them,
66 complaints were acknowledged by OAG;
0 complaints were responded to by the OAG or the vendors;
and 0 remediation actions were taken by OAG.

Given those results,
How do companies justify the time and expense of complying with the CCPA?
By providing the consumer with a customer experience so wonderful they will want to exercise their rights?

For a deeper dive into the CCPA test data, please send me an email requesting:
full access to my open datasets and projects on data.world;
to receive my quarterly mailer;
to schedule a demo or presentation;
and to collaborate or consult with me.

Sincerely,
Craig Erickson, a California Consumer

Published 01/25/2021