Your experience with exercising your rights (e.g. downloading your data) under CCPA or GDPR

From IIW

Your Experience with Exercising Your Rights (e.g. downloading your data) Under CCPA or GDPR

Tuesday 4C

Convener: Johannes Ernst

Notes-taker(s):

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Attendees:

Wendell Baker

Pete

Keith Kowal

Kaitlin Asrow

Terry Hayes

Jacob Siebach

mahod mah

Johannes Ernst

Doc Searls


Johannes presented his experiences with exercising data download rights from various companies: e.g. Google, Facebook, Walgreens, PG&E etc. Some observations:


Some are PDF, or HTML, many of them (unreadable, to the consumer) JSON or CSV

Process to get through the download is complicated

Major platforms (like Google, Apple) were fast (hours); many others took 45 days, and some asked for 45 day extensions

Identity verification of downloader is difficult; failed to prove my identity in a few cases

Google privacy settings respected: no location data in my download

Everybody made up their own formats

Some standard formats (eg .mbox for e-mail, .ics for contacts)

“Rate limits”: may only download data x times in y period (e.g. once a quarter)


Two types of data: data retained for service use (available for transparency reasons), data that the consumer cares about retaining (mail, photos…). Both referred to above. Possibly also portability to other services, but so far not possible (proprietary formats)

Related materials: http://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study



Zoom Chat copy-paste (edited for brevity)


14:33:30 From Jacob Siebach : http://www.theverge.com/2018/12/20/18150531/amazon-alexa-voice-recordings-wrong-user-gdpr-privacy-ai

14:39:01 From mahod mah : they can deliver cars from texas.. and it's tax free

14:39:07 From mahod mah : but then you still reregister in CA

14:39:11 From mahod mah : and pay some..

14:39:14 From mahod mah : it's weird

14:39:32 From mahod mah : some people also keep cars registered in other states, in CA to avoid the sales tax on new car

14:39:44 From dsearls : Getting bad ads is just bad use of profile selections by advertisers of their robots.

14:39:52 From dsearls : OR their robots.

14:40:31 From dsearls : I'm late to this. Are we talking here about how to get more personalized advertising, or something else?

14:40:46 From Jacob Siebach : We're discussing GDPR/CCPA.

14:41:01 From Kaitlin Asrow : how the rights to download/access data are valuable or not

14:41:03 From Jacob Siebach : Companies have your data, and what is the extent that they have, and how often are they wrong.

14:41:14 From mahod mah : Doc: we got a demonstration at beginning of what the data looks like when you ask for it under CCPA

14:41:28 From mahod mah : and are discussing what it means to give people access to their data

14:41:30 From dsearls : OK.

14:41:32 From Terry Hayes : And that you can’t really use it anywhere

14:41:37 From mahod mah : yes

14:42:14 From mahod mah : I give info that is 2 addresses back, and 20y old

14:42:23 From mahod mah : but disguise it a bit

14:42:29 From mahod mah : i figure they know me, but why know me now?

14:42:39 From dsearls : to me the CCPA is about getting back data horses that have left your barn. Alas, not about encouraging development of ways to keep the horses in the barn. Also, you are a mere "consumer," with no recognition that you can produce anything, including better terms by which you do business.

14:43:06 From Jacob Siebach : I did bring that up a moment ago, just before you came, Doc.  :)

14:43:18 From Kaitlin Asrow : though CCPA is the largest expansion of the definition of “consumer” across all US data laws

14:43:45 From dsearls : Good. Thanks. Meanwhile the GDPR regards you as a mere "data subject": a pinball in the machines of controllers and processors.

14:44:17 From Kaitlin Asrow : agreed, I think there are looking for new terms that are not already baked with legal precedent

14:44:28 From dsearls : It is good to have Wendell here to explain the ad systems' side of this stuff.

14:44:32 From Kaitlin Asrow : for example, the term “person” is used in US law to refer to a business in some cases

14:44:40 From Jacob Siebach : @doc Agreed.

14:45:00 From mahod mah : ha

14:45:03 From Terry Hayes : Of course!

14:52:51 From dsearls : I think this is what Wendell is talking about:http://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study

14:55:07 From Johannes Ernst (Indie Computing) : http://indieweb.org/site-deaths

14:55:53 From dsearls : Nothing disappears as totally as bits. If you're "saving" something that way, you're making a choice that likely won't leave a trace, or a fossil, or ash, dust or anything. It's just gone from here to gone.

14:56:27 From dsearls : See http://www.bing.com/search?q=google+graveyard

14:57:48 From dsearls : http://killedbygoogle.com/

14:59:08 From dsearls : I think the GDPR and the CCPA are red herrings for developers, and for users as well. Very distracting, away from work that needs to be done.

15:00:17 From dsearls : I actually don't want to change our relationship with anything through the mechanisms of existing laws. it's the wrong approach.

15:01:19 From dsearls : I came over from another session on SSI wallets. Good invention, once we have ones we can use. I don't think anybody working on those is thinking about the GDPR or the CCPA. They just want to make wallets for verifiable credentials.

15:04:20 From dsearls : I consulted Axciom years ago, and advised them to make all the data they collected on people available to them. When they finally did that (after firing the guy who hired me), I was amazed at how totally wrong much of it was. Maybe most of it. Age, residence, phone numbers, licenses held, number of kids, cars, places I shop, loyalty memberships... amazingly wrong. Their system invited me to correct the data, and for yuks I tried correcting a small subset. None of the changes stuck. When I checked again, it was just as wrong.