Volume 2022 (2022): Issue 1 (January 2022)
Journal Details
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

Published Online: 20 Nov 2021
Page range: 608 - 628
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA), arguably the most comprehensive piece of online privacy legislation in the United States. Online services covered by the CCPA are required to provide a hyperlink on their homepage with the text “Do Not Sell My Personal Information” (DNSMPI). The CCPA went into effect on January 1, 2020, a date that was chosen to give data collectors time to study the new law and bring themselves into compliance.

In this study, we begin the process of investigating whether websites are complying with the CCPA by focusing on DNSMPI links. Using longitudinal data crawled from the top 1M websites in the Tranco ranking, we examine which websites are including DNSMPI links, whether the websites without DNSMPI links are out of compliance with the law, whether websites are using geofences to dynamically hide DNSMPI links from non-Californians, how DNSMPI adoption has changed over time, and how websites are choosing to present DNSMPI links (e.g., in terms of font size, color, and placement). We argue that the answers to these questions are critical for spurring enforcement actions under the law, and helping to shape future privacy laws and regulations, e.g., rule making that will soon commence around the successor to the CCPA, known as the CPRA.

