PrivacyPortfolio
Privacy Experiment #1: “Submitting Privacy Requests”
In our debut on Data Privacy Day, PrivacyPortfolio presented the results of our first Privacy Research Experiment: what happens when consumers exercise their privacy rights?
Privacy Experiment #2: Can we build a Data Broker Oracle to tell us which companies should be registered with California Office of Attorney General?
Identifying which companies are acting as “Data Brokers” as defined by the CCPA and California Assembly Bill 1202 helps us determine if those companies sold personal data.
Privacy Experiment #3: "Pandemic Privacy".
The goal of this experiment is to let the public decide:
Is the law being enforced?
How much do we care about alleged violations?
Did enforcement actions compel changes in an organization's data privacy practices?
The California Attorney General does not disclose consumer complaints, so I published four complaints I filed in my Research catalog on data.world.
Should consumers have a right to know who filed complaints?
Who are targets of these complaints? Which violations are alleged?
Were laws enforced?
Experiment #3: "Pandemic Privacy" Update
Almost one year after filing my original complaint against OnwardCA, I publish evidence that Bitwise Industries, dba OnwardCA, harvests emails for their mailing list instead of providing notification of community resources intended to help Californians during the pandemic.
The community resources listed were sourced from other companies without the right to do so, and when I contacted several organizations listed in OnwardCA, all of them were unaware of OnwardCA, and did not give permission to be listed on OnwardCA's website.
This proves that the Attorney General did not enforce consumer protection laws in this case, even when one individual consumer establishes a pattern of a "pervasive scam or systematic violation of California law...(which) may become a matter of public broad interest and thus warrant intervention by our office under California consumer protection laws".
Privacy Experiment #4: Pandemic Privacy: Villains To the Rescue!
How Alphabet-owned companies, Google & Verily, use their “data platform” and “clinical studies” to bypass HIPAA regulations and data broker legislation by partnering with California Department of Public Health, Stanford University, Quest Diagnostics, Abbott Laboratories, and RiteAid to provide COVID-19 testing.
Privacy Experiment #5: Testing the CCPA
In PHASE ONE, I test how consumers begin testing their rights under the CCPA, and I also test and evaluate the enforcement performance by the California Office of Attorney General.
On July 17, 2021, AG Rob Bonta published CCPA Enforcement Case Examples, which I am using to guide my decisions about filing formal consumer complaints.
Typically, I file complaints against vendors who do not respond, and vendors engaging in fraudulent or highly unethical behavior.
In PHASE TWO, I test against Final Regulations of the CPRA-Amended CCPA.
Privacy Experiment #6: Testing Privacy Agents
The CCPA provides legal mechanisms for consumers to authorize agents to represent them and to act on their behalf.
How well do these "privacy agents" assist consumers in exercising their digital rights, and how do companies respond to these agents?
Privacy Experiment #7: Dear Vendor Campaign
Measure consumers' influence over their vendors' business practices,
using a variety of tactics.
Privacy Experiment #8: Zero-Trust Architecture for Authorized Agents
I'm an advocate for consumers' right to be represented by authorized agents because not everyone has the capability, capacity, or resources to manage their personal information.
For authorized agents offering services to consumers, a Zero-Trust Architecture is required.
Businesses must trust agents so these agents can provide services to consumers.
Consumers must trust agents who have access to the consumer's personal information.
Neither the business, nor the consumer can trust the agent completely: both parties need a "kill switch" capable of terminating the relationship and removing or revoking access to resources.
Privacy Experiment #9: Privacy Rights & Job Discrimination
According to 1798.125, "Consumer's Right to No Retaliation", a job applicant cannot be discriminated against for exercising their privacy rights.
This experiment tests the responses from personal vendors of mine that I've applied to for jobs, AND also submitted privacy requests to under the CCPA.
Proving discrimination is very difficult, even in a court of law.
As the CCPA or CPRA provides no right to civil action for discrimination / retaliation, consumers depend entirely on how enforcement authorities perform.
I currently conduct this test on registered and suspected data brokers to establish a first-party relationship with selected third parties as a prerequisite for submitting KNOW, CORRECT, and LIMIT requests.
Privacy Experiment #10: Regulating Health Information Exchanges
When healthcare consumers request their patient medical records, they are often directed to a secure portal they believe is hosted by their healthcare provider, but which in many cases is the product of a Health Information Exchange (HIE), which shares medical information among other healthcare providers.
I tried to identify every health information exchange in the United States to discover how HIEs work, and how legal agreements and compliance mandates are enforced.
A 'new' law, "The 21st Century Cures Act", is intended to prevent Health Information Exchanges (HIEs) from blocking access requests from patients.
Instead of a Data Processing Agreement (or DPA), Health Information Exchange participants use a Data Use Reciprocal Support Agreement (or DURSA).
Privacy Experiment #11: “Conducting Risk Assessments on the use of AI for Automated Decision-making”
As a second incarnation of Experiment #1, I use my right to ask 'Privacy Questions & Concerns' about my personal vendors' use of AI.
I conduct the risk assessments mandated by the California Privacy Protection Agency on behalf of my vendors who decline to submit one themselves.
Privacy Experiment #12: “Testing Data Brokers' Use of the 'Accessible Delete Mechanism'”
As a second incarnation of Experiment #2, I use my right under the California DELETE ACT to ask registered data brokers why they should pay to use the mandated 'Accessible Delete Mechanism' when $200 per day fines on data brokers who fail to register are not collected.
I test whether the 'Accessible Delete Mechanism' works as intended and I document additional costs due to unfair competition from unregistered data brokers.
Federal Trade Commission (FTC)
FTC hosts PrivacyCon on July 27
PrivacyCon 2021 will bring together a diverse group of stakeholders, including researchers, academics, industry representatives, consumer advocates, and government regulators, to discuss the latest research and trends related to consumer privacy and data security.
PrivacyPortfolio submitted a presentation proposal to the FTC entitled:
"Crowdsourced Compliance Platforms Keep Enforcement Authorities Honest"
This presentation proposes how consumers can assist enforcement authorities in their investigations, and provides greater transparency in how privacy laws are enforced.