DOI: 10.1145/3463676.3485601
research-article
Open access

Fighting the Fog: Evaluating the Clarity of Privacy Disclosures in the Age of CCPA

Published: 15 November 2021

Abstract

Vagueness and ambiguity in privacy policies threaten the ability of consumers to make informed choices about how businesses collect, use, and share their personal information. The California Consumer Privacy Act (CCPA) of 2018 was intended to provide Californian consumers with more control by mandating that businesses (1) clearly disclose their data practices and (2) provide choices for consumers to opt out of specific data practices. In this work, we explore to what extent CCPA's disclosure requirements, as implemented in actual privacy policies, can help consumers to answer questions about the data practices of businesses. First, we analyzed 95 privacy policies from popular websites; our findings showed that there is considerable variance in how businesses interpret CCPA's definitions. Then, our user survey of 364 Californian consumers showed that this variance affects the ability of users to understand the data practices of businesses. Our results suggest that CCPA's mandates for privacy disclosures, as currently implemented, have not yet yielded the level of clarity they were designed to deliver, due to both vagueness and ambiguity in CCPA itself as well as potential non-compliance by businesses in their privacy policies.



Published In

WPES '21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society
November 2021
257 pages
ISBN:9781450385275
DOI:10.1145/3463676
  • General Chairs: Yongdae Kim, Jong Kim
  • Program Chairs: Giovanni Livraga, Noseong Park
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 15 November 2021

Author Tags

  1. california consumer privacy act
  2. ccpa
  3. consumer privacy
  4. data protection
  5. notice-and-choice
  6. opt out
  7. privacy law
  8. privacy policies
  9. textual ambiguity

Qualifiers

  • Research-article

Conference

CCS '21

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%


Article Metrics

  • Downloads (Last 12 months)381
  • Downloads (Last 6 weeks)55
Reflects downloads up to 23 Nov 2024

Cited By

  • (2024) Measuring Compliance with the California Consumer Privacy Act Over Space and Time. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems (1-19). DOI: 10.1145/3613904.3642597. Online publication date: 11-May-2024
  • (2024) SoK: Technical Implementation and Human Impact of Internet Privacy Regulations. 2024 IEEE Symposium on Security and Privacy (SP) (673-696). DOI: 10.1109/SP54263.2024.00206. Online publication date: 19-May-2024
  • (2023) Thou Shalt Not Reject: Analyzing Accept-Or-Pay Cookie Banners on the Web. Proceedings of the 2023 ACM on Internet Measurement Conference (154-161). DOI: 10.1145/3618257.3624846. Online publication date: 24-Oct-2023
  • (2023) NLP-Based Automated Compliance Checking of Data Processing Agreements Against GDPR. IEEE Transactions on Software Engineering 49:9 (4282-4303). DOI: 10.1109/TSE.2023.3288901. Online publication date: 1-Sep-2023
  • (2023) Are Current CCPA Compliant Banners Conveying User’s Desired Opt-Out Decisions? An Empirical Study of Cookie Consent Banners. Cryptology and Network Security (186-207). DOI: 10.1007/978-981-99-7563-1_9. Online publication date: 30-Oct-2023
  • (2023) Exploring the Cookieverse: A Multi-Perspective Analysis of Web Cookies. Passive and Active Measurement (623-651). DOI: 10.1007/978-3-031-28486-1_26. Online publication date: 21-Mar-2023
  • (2022) Design Factors of Ethics and Responsibility in Social Media: A Systematic Review of Literature and Expert Review of Guiding Principles. Journal of Media Ethics 37:3 (156-178). DOI: 10.1080/23736992.2022.2107524. Online publication date: 1-Aug-2022
  • (2022) Privacy and everyday users of machine translation. Translation Spaces 12:1 (21-44). DOI: 10.1075/ts.22012.nun. Online publication date: 20-Dec-2022
