Two Steps Forward and One Step Back: The Right to Opt-out of Sale under CPRA (2312.15094v1)
Abstract: The California Privacy Rights Act (CPRA) was a ballot initiative that revised the California Consumer Privacy Act (CCPA). Although often framed as expanding and enhancing privacy rights, a close analysis of textual revisions -- both changes from the earlier law and changes from earlier drafts of the CPRA guidelines -- suggests that the reality might be more nuanced. In this work, we identify three textual revisions that have the potential to negatively impact the right to opt-out of sale under CPRA and evaluate the effect of these textual revisions using (1) a large-scale longitudinal measurement study of 25,000 websites over twelve months and (2) an experimental user study with 775 participants recruited through Prolific. We find that all revisions negatively impacted the usability, scope, and visibility of the right to opt-out of sale. Our results provide the first comprehensive evaluation of the impact of CPRA on Internet privacy. They also emphasize the importance of continued evaluation of legal requirements as guidelines and case law evolve after a law goes into effect.