Your experience with exercising your rights (e.g. downloading your data) under CCPA or GDPR
Your Experience with Exercising Your Rights (e.g. downloading your data) Under CCPA or GDPR
Tuesday 4C
Convener: Johannes Ernst
Notes-taker(s):
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Attendees:
Wendell Baker
Pete
Keith Kowal
Kaitlin Asrow
Terry Hayes
Jacob Siebach
mahod mah
Johannes Ernst
Doc Searls
Johannes presented his experiences with exercising data download rights from various companies: e.g. Google, Facebook, Walgreens, PG&E etc. Some observations:
Some are PDF, or HTML, many of them (unreadable, to the consumer) JSON or CSV
Process to get through the download is complicated
Major platforms (like Google, Apple) were fast (hours); many others took 45 days, and some asked for 45 day extensions
Identity verification of downloader is difficult; failed to prove my identity in a few cases
Google privacy settings respected: no location data in my download
Everybody made up their own formats
Some standard formats (eg .mbox for e-mail, .ics for contacts)
“Rate limits”: may only download data x times in y period (e.g. once a quarter)
Two types of data: data retained for service use (available for transparency reasons), data that the consumer cares about retaining (mail, photos…). Both referred to above.
Possibly also portability to other services, but so far not possible (proprietary formats)
Related materials: http://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study
Zoom Chat copy-paste (edited for brevity)
14:33:30 From Jacob Siebach : http://www.theverge.com/2018/12/20/18150531/amazon-alexa-voice-recordings-wrong-user-gdpr-privacy-ai
14:39:01 From mahod mah : they can deliver cars from texas.. and it's tax free
14:39:07 From mahod mah : but then you still reregister in CA
14:39:11 From mahod mah : and pay some..
14:39:14 From mahod mah : it's weird
14:39:32 From mahod mah : some people also keep cars registered in other states, in CA to avoid the sales tax on new car
14:39:44 From dsearls : Getting bad ads is just bad use of profile selections by advertisers of their robots.
14:39:52 From dsearls : OR their robots.
14:40:31 From dsearls : I'm late to this. Are we talking here about how to get more personalized advertising, or something else?
14:40:46 From Jacob Siebach : We're discussing GDPR/CCPA.
14:41:01 From Kaitlin Asrow : how the rights to download/access data are valuable or not
14:41:03 From Jacob Siebach : Companies have your data, and what is the extent that they have, and how often are they wrong.
14:41:14 From mahod mah : Doc: we got a demonstration at beginning of what the data looks like when you ask for it under CCPA
14:41:28 From mahod mah : and are discussing what it means to give people access to their data
14:41:30 From dsearls : OK.
14:41:32 From Terry Hayes : And that you can’t really use it anywhere
14:41:37 From mahod mah : yes
14:42:14 From mahod mah : I give info that is 2 addresses back, and 20y old
14:42:23 From mahod mah : but disguise it a bit
14:42:29 From mahod mah : i figure they know me, but why know me now?
14:42:39 From dsearls : to me the CCPA is about getting back data horses that have left your barn. Alas, not about encouraging development of ways to keep the horses in the barn. Also, you are a mere "consumer," with no recognition that you can produce anything, including better terms by which you do business.
14:43:06 From Jacob Siebach : I did bring that up a moment ago, just before you came, Doc. :)
14:43:18 From Kaitlin Asrow : though CCPA is the largest expansion of the definition of “consumer” across all US data laws
14:43:45 From dsearls : Good. Thanks. Meanwhile the GDPR regards you as a mere "data subject": a pinball in the machines of controllers and processors.
14:44:17 From Kaitlin Asrow : agreed, I think there are looking for new terms that are not already baked with legal precedent
14:44:28 From dsearls : It is good to have Wendell here to explain the ad systems' side of this stuff.
14:44:32 From Kaitlin Asrow : for example, the term “person” is used in US law to refer to a business in some cases
14:44:40 From Jacob Siebach : @doc Agreed.
14:45:00 From mahod mah : ha
14:45:03 From Terry Hayes : Of course!
14:52:51 From dsearls : I think this is what Wendell is talking about:http://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study
14:55:07 From Johannes Ernst (Indie Computing) : http://indieweb.org/site-deaths
14:55:53 From dsearls : Nothing disappears as totally as bits. If you're "saving" something that way, you're making a choice that likely won't leave a trace, or a fossil, or ash, dust or anything. It's just gone from here to gone.
14:56:27 From dsearls : See http://www.bing.com/search?q=google+graveyard
14:57:48 From dsearls : http://killedbygoogle.com/
14:59:08 From dsearls : I think the GDPR and the CCPA are red herrings for developers, and for users as well. Very distracting, away from work that needs to be done.
15:00:17 From dsearls : I actually don't want to change our relationship with anything through the mechanisms of existing laws. it's the wrong approach.
15:01:19 From dsearls : I came over from another session on SSI wallets. Good invention, once we have ones we can use. I don't think anybody working on those is thinking about the GDPR or the CCPA. They just want to make wallets for verifiable credentials.
15:04:20 From dsearls : I consulted Axciom years ago, and advised them to make all the data they collected on people available to them. When they finally did that (after firing the guy who hired me), I was amazed at how totally wrong much of it was. Maybe most of it. Age, residence, phone numbers, licenses held, number of kids, cars, places I shop, loyalty memberships... amazingly wrong. Their system invited me to correct the data, and for yuks I tried correcting a small subset. None of the changes stuck. When I checked again, it was just as wrong.