Exploring the gap between data privacy regulation and implementation

I’ve spent the past six months learning what the California Consumer Privacy Act (CCPA) is, when it will be passed, when it goes into effect and the potential impacts to my clients’ marketing technology stacks. 

When CCPA went into effect on January 1, most people I knew had no clue what it was. I was focused on educating the agency and my clients and considering the changes we needed to make to tech stacks. And while I’m an expert in my field, what would these changes mean for me as a consumer?

Understanding new regulations

Vox published an excellent article distilling down CCPA for the average person. Their newest podcast, Reset, also had a great episode. 

Based on my understanding of the law, I had an inkling that it wouldn’t have a huge impact on the advertising business. It all fell on the consumer. I’ve had the mindset of education over regulation; we all watched how much of a disaster it was when Zuckerberg testified on the Hill.

Check your digital footprint

In early March, while reading my daily industry email newsletters, I learned of Mine, a tech startup attempting to centralize the process for data requests. Intrigued, I signed up and granted them access to my Gmail account so they could get the data they needed to provide a list of companies with my online information.

They quickly retrieved and provided an overview of my data. On their level of data control, using a scale of 1 to 6, the average user is around 3.5. I was at 1. Oh boy. I explored my footprint, and there were almost 500 companies connected to me—mostly in the financial and identity space. 

I dug in more to see what they found. I scrolled and started picking random companies to ask to delete my data. It was a pretty manual process, where I had to click into each company and ask for my data to be reclaimed. 

The journey to reclaim my data

Mine sends emails on my behalf, cc’ing me. I had Mine send the request to 10–11 companies, more out of curiosity than to take control. Just doing those 10 and scrolling through was over an hour of my time. My inbox quickly filled up with emails. Oh man. 

While Mine sent the request, each company required me to take another action like giving a response or filling out a form. 

The replies varied by company. The law allows businesses to ask for ID validation to process requests. Some businesses wouldn’t fulfill the request since I was not a California resident—fair, per the law.

One company asked for further details, as they couldn’t find my account. I asked them to delete my data since I wasn’t sure who they were; unfortunately, I couldn’t provide what they needed, and therefore my request was not valid. Another company asked me to schedule a Zoom meeting. 

Another requested power of attorney or sufficient information to demonstrate I have the authority to make this request since it came through a third party. 

What?! I thought the law was giving us rights?

What data is Facebook collecting?

Facebook launched its Off-Facebook Activity tool at the end of January, so I decided to check it out. It first requested access to my Facebook data—my data is 500MB and many folders. I clicked through them and found pictures, friends I had removed and messages. It was a lot of data to go through. I decided not to dig deep and saved it on my computer.

Under “Settings” and then “Your Facebook Information,” I found the link for my Off-Facebook Activity. You’d think it would be easier to find…or maybe that’s the point.

When clicking on “Manage your Off-Facebook Activity,” they showed me 360 apps and websites where they had collected data on me.

This isn’t even the full list. They have a disclaimer that says not all apps and websites are listed. Great.

I clicked into random sites/apps to see the number of interactions. Similar to requesting that data be deleted from a website using Mine, I had to go into each app collecting Off-Facebook Activity and select “Turn off future activity from {site/app name}” and confirm my request.

Regulation is paved with good intentions

Wow… this is A LOT I must do. CCPA and pending privacy regulations have good intentions, but the current execution is not streamlined or simple to do. It’s all on me (and every other person) to go site by site to request my data be deleted. Then I have to follow up after 45 days if the company has not complied. 

Same thing for Facebook. It takes four clicks per site/app to have future activity not linked to my Facebook account, while they keep all my past Off-Facebook Activity. To me, the juice is not worth the squeeze. 

Have you tried to request your data to be deleted? What was your experience like?