(Un)clear and (In)conspicuous: The right to opt-out of sale under CCPA
share
The California Consumer Privacy Act (CCPA)—which began enforcement on July 1, 2020—grants California users the affirmative right to opt-out of the sale of their personal information. In this work, we perform a manual analysis of the top 500 U.S. websites and classify how each site implements this new requirement. We find that the vast majority of sites that implement opt-out mechanisms do so with a Do Not Sell link rather than with a privacy banner, and that many of the linked opt-out controls exhibit features such as nudging and indirect mechanisms (e.g., fillable forms). We then perform a pair of user studies with 4357 unique users (recruited from Google Ads and Amazon Mechanical Turk) in which we observe how users interact with different opt-out mechanisms and evaluate how the implementation choices we observed—exclusive use of links, prevalent nudging, and indirect mechanisms—affect the rate at which users exercise their right to opt-out of sale. We find that these design elements significantly deter interactions with opt-out mechanisms (including reducing the opt-out rate for users who are uncomfortable with the sale of their information) and that they reduce users' awareness of their ability to opt-out. Our results demonstrate the importance of regulations that provide clear implementation requirements in order empower users to exercise their privacy rights.
READ FULL TEXT