DeepAI
Log In Sign Up

The Impact of Visibility on the Right to Opt-out of Sale under CCPA

06/21/2022
by   Aden Siebel, et al.
Pomona College
0

The California Consumer Protection Act (CCPA) gives users the right to opt-out of sale of their personal information, but prior work has found that opt-out mechanisms provided under this law result in very low opt-out rates. Privacy signals offer a solution for users who are aware of their rights and are willing to proactively take steps to enable privacy-enhancing tools, but this work findsthat many users are not aware of their rights under CCPA and that current opt-out rates are very low. We therefore explore an alternative approach to enhancing privacy under CCPA: increasing the visibility of opt-out of sale mechanisms. For this purpose, we design and implement CCPA Opt-out Assistant (COA), a browser extension that automatically detects when websites sell personal information and presents users with a visible, standardized banner that links to the opt-out of sale mechanism for the website. We conduct an online user study with 54 participants that finds that these banners significantly increases the rate at which users opt-out of sale of their personal information. Participants also report less difficulty opting-out and more satisfaction with opt-out mechanisms compared to the native mechanisms currently provided by websites. Our results suggest that effective privacy regulation depends on imposing clear, enforceable visibility standards, and that CCPA's requirements for opt-out of sale mechanisms fall short.

READ FULL TEXT VIEW PDF

page 3

page 4

page 5

page 6

09/16/2020

(Un)clear and (In)conspicuous: The right to opt-out of sale under CCPA

The California Consumer Privacy Act (CCPA)—which began enforcement on Ju...
04/08/2022

CookieEnforcer: Automated Cookie Notice Analysis and Enforcement

Online websites use cookie notices to elicit consent from the users, as ...
11/22/2022

Twitter has a Binary Privacy Setting, are Users Aware of How It Works?

Twitter accounts are public by default, but Twitter gives the option to ...
11/29/2018

Can Cryptocurrencies Preserve Privacy and Comply with Regulations?

Modern retail banking creates a kind of panopticon for consumer behaviou...
02/02/2022

Opted Out, Yet Tracked: Are Regulations Enough to Protect Your Privacy?

Data protection regulations, such as GDPR and CCPA, require websites and...
09/05/2019

(Un)informed Consent: Studying GDPR Consent Notices in the Field

Since the adoption of the General Data Protection Regulation (GDPR) in M...

1 Introduction

As users gain an increasing awareness of the amount and type of personal information collected, shared, and sold by websites and apps, governments have responded by passing privacy regulations (e.g., the European GDPR [gdpr] and California’s CCPA [ccpa]). One of the rights granted to California consumers under CCPA is the right to opt-out of sale of their personal information. However, prior work suggests that current implementations of opt-out mechanisms fail to effectively empower users to opt-out of sale: most websites provide this link in a small font at the bottom of the page (often only accessible after scrolling), and a users study found that people opt-out of sale significantly less frequently on websites that provide such a link than on websites that provide more visible opt-out mechanism [oconnor2021clear].

This work extends prior work by exploring how users interact with opt-out of sale mechanisms in the wild. We conduct a longitudinal observational study over one month in which we record how real users interact with existing opt-out mechanisms on the websites they visit. We also conduct an online survey with California residents about their experience with the right to opt-out of sale. Our results indicate that confirm that current opt-out mechanisms provided by websites do not effectively implement the right to opt-out of sale: 48% of users self-report that they have opted-out of sale on a website never or only a few times, and our observational study did not record any instances in which a user opted-out of sale. Many users who reported having opted-out of sale in the past found those mechanisms unsatisfactory and difficult to use.

Privacy signals, such as Global Privacy Control (GPC) [GPC], offer one approach to enhancing privacy under CCPA by giving users a mechanisms to universally signal a desire to opt-out of sale on all websites; current guidelines issued by the California Attorney General require websites to consider these signals a valid form of user opt-out. However, GPC is currently only supported by browsers with market share under 4% (e.g., Firefox, Brave, Duck Duck Go) and via Chrome browser-extensions (e.g., OptMeowt [Zimmeck20]). Moreover, past experience with privacy signals like Do Not Track (DNT) suggests that GPC will only be considered a valid opt-out signal as long as it is turned off by default and users are required to take action to turn it on. GPC therefore is—and is likely to remain—only a solution for people who (1) are aware of their right to opt-out of sale and (2) take specific, proactive steps to invoke their right to opt-out by enabling GPC. Our online survey found that 46% of users were not aware of their right to opt-out of sale, suggesting that opt-in privacy signals alone are insufficient to empower all users to invoke their right to opt-out of sale.

In this work, we investigate an alternate approach to enhancing privacy under CCPA: improving the visibility of opt-out mechanisms. We designed and implemented CCPA Opt-out Assistant (COA), a browser extension that automatically detects whether a website sells personal information and provides a simple, standardized banner that links to the website’s opt-out mechanisms and that is designed to maximize engagement. We then used COA to quantitatively evaluate the impact of this improved visibility on user behavior. We conducted an observational user study with in which we recorded user opt-out behavior when provided with clear, visible opt-out of sale mechanisms.

We found that the presence of banner-based opt-out of sale mechanisms significantly increased engagement. On average, real-world COA users opted-out of 18.8% of websites that provided an opt-out of sale link, and the majority of opt-outs used mechanisms provided by COA rather than the links provided directly by websites. COA users were also less likely to describe the opt-out process as difficult or to be unsatisfied with available opt-out mechanisms. These results suggest that enhancing the visibility of opt-out mechanisms would significantly improve privacy under CCPA.

While we have now made COA publicly available on the Chrome store, we do not consider this extension itself to be an effective tool for enhancing privacy under CCPA; in fact, extensions and browser settings that support privacy signals are probably a better solution for users who are willing and able to proactively take steps to invoke their rights under CCPA. Instead, we view our results as evidence that effectively extending privacy rights to all users depends on regulations imposing minimum visibility standards, and that CCPA’s requirement of a clear and conspicuous link on the home page falls short of this standard. Future regulations will need to provide clear and enforceable visibility requirements informed by empirical user studies in order to ensure that they actually enhance user privacy.

2 Background on CCPA

The primary goal of the CCPA is to give users more control over their personal information. This resulted in the introduction of four key rights:

  1. The right to know. Users have a right to know what personal information a business collects and how that information is used and shared. This information should be communicated in a manner that provides the user with a “meaningful understanding”.

  2. The right to delete. Users have a right to delete personal information about them (with some exceptions).

  3. The right to opt-out of sale. Users have the right to opt-out of the sale of their personal information. Businesses must provide a “a clear and conspicuous link” on the homepage of their website entitled “Do Not Sell My Personal Information” or “Don’t Sell My Personal Info” that enables users to invoke their right to opt-out of sale.

  4. The right to non-discrimination. Businesses cannot deny a service, degrade the quality of service, or change the price of a service just because a user exercises their rights under CCPA.

CCPA also broadens the definition of personal information to include any information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. This definition explicitly includes information about online activities (e.g., a user’s interactions with a website) and any inferences drawn from personal information.

Prior work has investigated how websites implement the opt-out of sale requirement, and how those implementation choices impact user privacy. O’Connor et al. [oconnor2021clear] found that just 7.8% of websites that sell data provide an opt-out link in a banner. The majority of websites (80.9%) offer an opt-out of sale link somewhere on the homepage, but that link ofter requires the user to scroll to the bottom of the page or to interact with clickable elements before it is visible [oconnor2021clear]. These links are rarely noticed by users [cranor2021informing] and result in lower engagement than banners in experimental settings [oconnor2021clear].

3 Methodology

This work had two goals (1) to quantify how people interact with opt-out of sale mechanisms in the real world and (2) to evaluate the impact of mechanism visibility on the right to opt-out of sale under CCPA. To meet these goals, we designed and implemented two browser extensions: an observational extension and a CCPA Opt-out Assistant extension (COA). We leveraged these extensions to conduct a user study with 54 total participants.

3.1 Observational Extension

Our observational extension quantifies how often California users invoke their right to opt-out of sale under CCPA. The first step is therefore to automatically detect which websites provide an opt-out of sale link. Our observational extension runs in the background of every webpage a user visits and searches for opt-out of sale links using a two-tiered approach. It first searches the webpage’s HTML source for a link that uses the legally-mandated label for an opt-out of sale link: “Do Not Sell My Personal Information”. Websites that contain such a link are considered to have valid opt-out of sale links. Since prior work found that approximately 5% of websites that sell data provide opt-out links with incorrect labels [oconnor2021clear], the extension also searches for links with a variety of alternate phrases drawn from our experience during the manual analysis (“california privacy”, “consumer privacy”, “do not sell”, and “my info”); websites that contain such a link are treated as having ambiguous links. To verify the accuracy of our link detection, we manually verified the extension on the Top 500 visited websites111This validation used the Alexa Top 500 U.S. websites from July 1, 2020. and found that it correctly identified all opt-out of sale links.

(a) Banner for a valid link.
(b) Banner for an ambiguous link.
(c) Website with a COA banner.
Fig. 1: Example popup banners generated by the COA browser extension. Banners appear in the bottom-left corner of each website.
(a) Extension toolbar on website.
(b) Closeup of extension toolbar.
Fig. 2: The COA extension toolbar provides additional options.

To measure how users interact with CCPA opt-out of sale mechanisms, the observational extension logs limited data about user behaviors to a server. On installation, each user is assigned a pseudorandomly generated unique identifier, which is stored in a browser cookie; in the version of the extension used in the MTurk user study, this identifier is also visible to the user in the extension menu. Each time a user loads a web page or utilizes the native opt-out mechanism presented on the page a log message is sent to the server. This log message contains a hash of the current website, whether or not the website contains a Do Not Sell link (valid or ambiguous), which action triggered the message, a timestamp, and the user’s unique identifier.

3.2 CCPA Opt-out Assistant (COA)

COA extends the observational extension. It uses the same logic as the observational extension to automatically detect whether a website provides an opt-out of sale link; when it finds one, it provides a direct link in a simple, standardized banner that allows the user to more easily find and access the opt-out of sale mechanism provided by the website.

If COA detects a valid opt-out of sale link on the current webpage, the browser icon for the extension changes color to bright red, and a red popup banner appears in the bottom left corner alerting users that the website they are on sells their data. This popup contains the text “This website sells your personal information. Opt out below.” and one large button with the label “Don’t Sell My Personal Info” (Figure 0(a)); if the user clicks on the button the browser is redirected to the website’s opt-out page by simulating clicking on the detected HTML element (i.e., the opt-out of sale link) provided by the native page. We adopted this design because prior work has found that standardized formats increase awareness and usability of privacy mechanisms [Habib20], and that banners with a single opt-out button (sometimes called an anti-nudging design) increase engagement with opt-out of sale mechanisms [oconnor2021clear]. An example website with a valid link, as seen when using COA, is shown in Figure 0(c).

If COA detects an ambigious link, the browser icon for the extension will change color to yellow, and a yellow popup banner will appear in the bottom left corner. This popup contains the text “This website may sell your information, but does not contain CCPA compliant warnings. You can attempt to opt out below.” and one large button with the label “Follow CA Privacy Link” (Figure 0(b)); if the user clicks on the button the browser is redirected by simulating clicking on the detected ambigous HTML element on the native page.

Users who click on the opt-out button in a COA banner do not see the banner on subsequent visits to the same site site. Users can also temporarily dismiss the popup banner using the x in the corner; however the banner will again be displayed the next time they visit the site.

In addition to the popup banners, users can also interact with COA by clicking on the browser extension icon. When the user clicks on the icon, they are presented with two buttons: one follows the opt-out link (same behavior as clicking on the button in the popup banner) and the other permanently stops the extension from showing banners on this website. This menu is show in Figure 2.

(a) Age
(b) Race
(c) Gender
Fig. 3: Self-reported demographics of participants recruited through Amazon Mechanical Turk, compared to overall California demographics reported by the American Communities Survey (ACS).

To compare how users interact with COA-generated banners compared to native opt-out mechanisms, how logs limited data about user behaviors to a server. In addition to information logged by the observational extension, COA also sends a log message to the server when the user utilizes an opt-out mechanism provided by COA (the banner or the button in the extension menu) and when a user permanently disables the banner on a site.

3.3 User Study

To understand the impact of enhancing the visibility of opt-out mechanisms (i.e., adding banners with COA) on how frequently users invoke their right to opt-out of sale under CCPA, we conducted a user study with 54 California users recruited through Amazon Mechanical Turk (MTurk).This user study was comprised of three parts:

  1. An initial survey about people’s experience with the right to opt-out of sale. This survey asked questions about opinions and awareness of websites data sale practices, awareness of CCPA and the rights endowed by it, and experience (or lack thereof) with CCPA opt-out of sale mechanisms. Users were also asked basic demographic questions. The full set of survey questions is given in Appendix A.

  2. An observational study of how people interact with opt-out of sale mechanisms. For this phase, participants were randomly assigned to one of two conditions. Half of participants were provided with instructions on how to install the observational browser extension; the other half were provided with instructions on how to install COA. All participants were instructed to keep the extension installed for at least a week, but to continue using their browser as they normally would, and interacting with the extension only as they wanted to.

  3. A follow-up study about people’s experience with the right to opt-out of sale. After one week, participants were invited to fill out a follow-up survey about people’s experience with the right to opt-out of sale. This suvery used the same questions as the initial survey (Appendix A).

Participation was restricted to California residents who actively use Google Chrome and had previously completed at least 50 HITs on the MTurk platform with at least a 95% acceptance rate.

Participants who completed the first part of the study and left the browser extension installed for at least 24 hours were compensated $5. Participants who also completed the third part of the study were paid an additional $1.

After eliminating users who did not install the browser extension or who uninstalled it after less than 24 hours, we had a dataset of 54 MTurk users. The demographics of these study participants compared to the overall California demographics as reported by the American Communities Survey (ACS) are summarized in Figure 3.222Numbers for race do not sum to 100 because participants were allowed to report more than one race. Of these users, 22 installed and used the observational extension, and 32 installed and used COA. 24 of the participants also filled out the post-survey (study Part 3); half of those had used COA for a week and half had used the control version of the extension.

3.4 Ethical Considerations

To maximize privacy and to ensure that ethical best practices were followed, no personally-identifiable information is collected or stored by either of our browser extensions. Log records are associated with a pseudorandomly-generated identifier, and the URLs of websites visited are hashed before being sent to the server. Although hashed URLs are not fully anonymous, to ensure users’ privacy we made no efforts to re-identify websites visited or analyze browsing patterns.

(a) Frequency distribution showing how many times individual COA users opted-out of sale. 12 users (36.4%) never opted-out. 21 users (63.6%) opted-out at least once for a total of 63 opt-outs; the maximum number of opt-outs for a single user was 9 unique websites.
(b) User opt-out requests broken down my mechanism used to opt-out. The majority of opt-outs (74.6%) used a mechanism provided by COA (the banner or the extension toolbar).
Fig. 4: Opt-out behavior by COA users.

Participants were informed in advance about what information would be collected and how it would be used and consented to participate in the study. These users were also informed that they had the right to opt out of the study at any time; data from users who elected to opt out would be deleted.

This user study was reviewed in advance and approved by the institutional review board at our institution.

4 Results

Our final dataset was comprised of 54 users, each of whom had installed the observational extension () or the COA extension () and used it for at least 24 hours. Across the 54 users, we logged 51,399 total logs entries and 2,264 unique websites visited.

Comfort with Data Sale.

In general, users were uncomfortable with the sale of their data. Only 6% of study participants said they were somewhat or very comfortable if websites sell their personal information; a majority (54%) said they were somewhat or very uncomfortable with the sale of their personal information.

Frequency of Opt-outs in the Wild.

None of the users who installed the observational extension opted-out of sale on any of the websites they visited. This results is consistent with prior work, which found that most websites provide this link in a small font at the bottom of the page (often only accessible after scrolling), and that opt-out rates for such mechanisms were low [oconnor2021clear]. Combined with the high reported levels of discomfort with the practice of selling information to third parties, this suggest that current implementations of opt-out mechanisms do not effectively empower users to invoke their right ot opt-out of sale under CCPA.

Awareness of the Right to Opt-out of Sale.

We found that in general, users are not well-informed about their rights under CCPA. Although 87% of users had noticed websites giving them an option to opt-out of sale of their personal information at least a few times, 46% of our survey respondents were not initially aware that they had a right to opt-out of sale of their personal information under California law.

The Effect of Visibility on Opt-out Behavior.

63.6% of participants who installed COA opted-out of sale on at least one website. While most of these COA users only opted out of sale on one or two websites, some users opted on more; the maximum number of sites on which a single user opted out of sale was 9. These opt-out frequencies are summarized in Figure 3(a). This difference in opt-out frequency between observational extension users—who only had access to the native opt-out mechanisms—and COA users—who saw a banner when they had the opportunity to invoke their right to opt-out of sale—was statistically significant (). Overall, COA users opted out of sale on 18.8% of sites that provided an opt-out of sale mechanism. These results suggest that improving visibility of opt-out mechanisms by requiring websites to display these opportunities in banners rather than conceal them behind low-visibility links might be an effective approach to improving privacy under CCPA.

Opt-out Types.

The majority of opt-outs by COA users employed an opt-out mechanism provided by the COA extension. 66.7% of opt-outs occurred by means of clicking on the button provided in the pop-up banner, and and additional 7.9% of opt-outs utilized the button in the menu accessible via the browser extension icon in the Chrome toolbar. Only 25.4% of opt-outs used the native link provided by the website (Figure 3(b)).

(a) Difficulty of opt-out
(b) Satisfaction with mechanism
Fig. 5: Usability of opt-out of sale features with COA and without COA.

The frequency with which a user visited a site was significantly correlated with opt-out of sale rates. On average, a website that provided an opt-out link was visited 8.51 times, but websites that users chose to opt out on were visited an average of 53.94 times. Users also loaded an average of 3.03 unique pages on sites on which they opted-out, compared to 1.89 pages on average.

The Effect of Banners on Opt-out Usability

To understand the effect of COA on usability, we compared responses on the follow-up survey between participants who used COA for a week and participants who used the control extension with no visible features. We found that 55% of COA user found it difficult to exercise their right to opt-out of sale; while high, this number was lower than the 72% of control users who found it difficult to opt-out of sale of their personal information (Figure 4(a)).

We also found that COA users were also more satisfied with opt-out of sale mechanisms. Only 22% of COA users reported that they were somewhat unsatisfied with opt-out of sale mechanisms and none reported that they were very unsatisfied, compared with 54% of control users who reported being somewhat or very unsatisfied with the opt-out of sale mechanisms provided natively by the websites (Figure 4(b)).

Beliefs about Data Sale.

On average, participants estimated that 66.2% of websites they visit sold their data. By contrast, we found that just 24.3% of sites visited by real-world COA users contained opt-out of sale links. This gap suggests that users significantly overestimate how common sale of personal information (as defined by CCPA) actually is.

To better understand the prevalence of sale of personal information (as defined by CCPA), we wrote a script that visited the top 5000 websites (as listed by Alexa on January 12, 2021) and classified each website according to whether it had a valid opt-out of sale link, and ambiguous link, or no link. We found that 34.2% of the Top 500 sites and 21.7% of the Top 5000 websites had a valid opt-out link on their homepage; an additional 3.5% of websites in the Top 500 and 2.7% of websites in the Top 5000 had ambiguous links. In general, frequency of opt-out links decreased with site popularity. A comparison between user perceptions about frequency of data sale and actual frequency of opt-out of sale links is given in Figure 

6. While it is likely that some lower-ranked websites are not subject to CCPA requirements—the law applies only to businesses above certain revenue or user thresholds or those that derive the majority of their profit from the sale of Californian’s information—prior work has found that most of the top sites either provide an opt-out of sale link or explicitly state in their privacy policy that they do not sell personal information as defined by CCPA [oconnor2021clear]. Since there is a significant gap between our participants’ estimates and frequency of sale even for the Top 500 sites, we believe these numbers indicate that users are significantly overestimating the fraction of sites that sell personal information as defined by CCPA.

Fig. 6: User perceptions about how many websites sell personal information compared to how many websites provide opt-out of sale mechanisms linked from their homepage.

This over-estimate might be indicative of widespread distrust and dissatisfaction with the state of their privacy; prior work has found that users feel helpless and frustrated about targeted advertising and the sale of their data [Mach20, Cranor12, Habib20]. This misconception could also stem from the somewhat esoteric distinction between data sale and the broader data economy. Despite the broad definition adopted by the California Attourney General—which specifically includes practices such as third party targeted advertising—many sites argue that their practices do not fall under the definition of sale. Certain companies—including major data brokers like Google or Facebook—appear to perform all data processing internal to the company; such practices are not subject to CCPA’s opt-out of sale requirement despite the fact that these companies benefit financially from users’ personal information. This distinction might feel unimportant to users, especially as these companies continue to grow to in size; a study of this distinction could help guide future efforts to protect user privacy with subsequent privacy regulations.

To our surprise, installing and using COA did not result in more accurate perceptions about the number of sites that sell personal information (as defined by CCPA). This might be attributed a perception bias; banner warnings on sites might have more impact on user impressions than the absence of such signals.

5 Related Work

Recent privacy regulations, notably CCPA and GDPR, have given rise to questions about how these regulations impact user privacy and how future regulations might further enhance privacy. This line of work takes place within the context of a larger body of work that has explored user attitutes and beliefs about data practices and investigated how aspects of user design affect user engagement in general and interactions with privacy mechanisms in particular.

User Beliefs about Data Practices

Privacy regulations are intended to give users increased control over their personal information. However, prior work has consistently shown that users are generally unaware of how their data is being collected and sold, which websites affect them, and what options they have to control their privacy.

Machuletz and Böhme [Mach20] showed that around 80% of users self reported knowledge around cookies, and around 68% could accurately describe them. Users in the study also generally unaware of the possible consequences of accepting cookies, and demonstrated regret in their choices after interacting with cookie options.

In a study on behavioral advertising, users were shown to be both generally uneducated about the nature of targeted ads and appalled by an increased knowledge on their function [Cranor12]. When asked about online behavioral advertising, many users were not aware of its nature or function. When shown a video that explained it to them in more detail, many users felt it was “scary” or “creepy,” and consistently demonstrated a failure to understand exactly how it worked or what their choices were. To many users, data collection and targeted advertising seem to be “black boxes.” They are aware that these mechanisms exist, but not how they work, how much they see, or what possible recourse they might have. This study suggests that the baseline of user awareness around data collection and its use in targeted advertising is generally poor, suggesting that notices that fail to accurately desribe their purpose or remain hidden on a page are unlikely to be understood or used.

Habib et al. [Habib20] conducted long form interviews with users on their data privacy choices and behavior. Users not only demonstrated a similar lack of awareness and education on the topics of cookies and their interactions with privacy mechanisms. The study asked users to interact with services like account deletion, email list opt-outs, and advertising opt-outs on various websites. Users often were unclear about how cookies worked on their different devices, with either misconceptions or a lack of general knowledge about the concept in general. Users showed not only a lack of awareness about these topics and difficulty interacting with these mechanisms, but a general dissolution and distrust that these mechanisms worked at all. To enhance privacy, they recommended standardizing interactions with privacy options.

Usability of CCPA Opt-out Mechanisms

O’Connor et al. [oconnor2021clear] investigated the impact of banners versus links on engagement with CCPA opt-out of sale mechanisms. They found that links had significantly lower engagement (and rate of opt-out) than banners, with users just 1.4% of users opting-out of sale when provided with an opt-out link compared to 12.2% of users who were shown a banner. They also investigated the effect of banner location, nudging, and inconvenience factors on opt-out rates. The design of banner implemented by COA—which adopts a single-button “anti-nudging” design—was informed by their results.

Cranor et. al. performed a series of studies examining how different taglines and icons influence user comprehension and recall of Do Not Sell links [cranor2020design, cranor2020user, cranor2020ccpa, cranor2021informing]. They found that most participants failed to notice Do Not Sell links in an image of a website, that users expect links to opt them out in a single click, and that an overwhelming majority of participants were unaware of CCPA and/or misunderstood what kinds of personal information were included in Do Not Sell—all findings that are consistent with our results; they recommended the adoption of standardized icons and placement, along with enforcement of the existing requirement for standardized language for opt-out links. However, their work did not compare the usability of current links or privacy icons with opt-out banners, and it did not consider the impact design choices after the initial opt-out link on usability.

A Consumer Reports study [mahoney2020california], which asked users to attempt to opt-out of sale on 216 websites from the California Data Broker registrar, also studied the usability of opt-out mechanisms adopted by those sites. In their study, three users were asked to attempt to opt-out of sale of their personal data on each site. They found that 31.4% of the sites studied displayed their link in such a manner that at least one out of three users was unable to find it, that more than a third of participants spent over five minutes opting out (with a maximum time of over an hour), and 14% ultimately were unable to successfully complete the process. However, the limited sample size (3 users per website) and the differences in design choices adopted by each site precluded any statistically significant results about the impact of the observed designs on users’ awareness of (and likelihood of invoking) their right to opt-out of sale.

Earlier work also consistently found that opt-out mechanisms were hard for users to understand and use [habib2020s, habib2019empirical, Leon12, Utz19, sanchez2019can, nouwens2020dark, machuletz2020multiple, sakamoto2019after]. However, those studies were conducted prior to the adoption of CCPA and focused on the usability of opt-out mechanisms under earlier laws, such as the CAN-SPAM Act and GDPR. Nonetheless, the recommendations made by those authors—including requiring specific mechanism positions, increased granularity for privacy choices, and specific text in notices—are likely relevant to CCPA.

Tools for Enhacing Privacy under CCPA

Since enforcement of CCPA began in July 2020, several tools have been release that attempt to enhance privacy under CCPA. Global Privacy Control (GPC) [GPC] is a standardized privacy signal that asks websites not to sell information about that user; California law now requires websites to respect GPC as a valid mechanism for opt-ing out of sale under CCPA. There are a variety of privacy tools that implement GPC: Firefox, Brave, and the Duck Duck Go mobile browser all offer built-in support for GPC. There are also Chrome extensions (e.g., OptMeowt [Zimmeck20]) that issue GPC signals. Opt Out [OptOut], a Chrome browser extension released by yourdigitalrights.org, sends automatically-formatted opt-out emails to website hosts that invoke a user’s rights to Data Access and Data Deletion under GDPR and CCPA, but it does not support requests to opt-out of sale. CCPA Detector [CCPAdetector] is a Chrome browser extension that detects CCPA-related privacy policies. However, it us unable to accurately detect which websites sell data, and the effect on end-user privacy has not been experimentally tested.

Privacy-related browser extensions have also been developed prior to and independent of CCPA; while such tools have the potential to enhance privacy, user studies have found that they are often confusing to users and ineffective. Leon et al. [Leon12] studied third party extensions, built in browser privacy features, and other cookie blockers. They found that users were confused by the user interface and the description provided, that users were unclear what the exact purpose of the tools was, and that users were unable to configure the tools to effectively protect their privacy.

6 Conclusion

This work conducts the first observational study of how users interact with opt-out of sale mechanisms in their daily, online behavior. Our results confirm that the rate at which users leverage existing opt-out mechanism provided by websites to invoke their right to opt-out of sale is very small, despite the fact that many users are uncomfortable with the sale of their personal information. Our results also show that a significant minority of users are still unaware of their rights under CCPA, in particular their right to opt-out of sale, which suggests that any tools that require proactive steps—e.g., downloading an extension or modifying browser settings—can only offer a partial solution.

This work therefore explores a complementary approach to enhancing privacy under CCPA: increasing the visibility of opt-out opportunities. We find that users are more likely to opt-out of sale of personal information when opt-out mechanisms are available through visible banners compared to the current opt-out mechanisms provided by websites. With a visible standardized banner, we found that our users opted-out of sale on 18.8% of the times such an option was available. Users also reported that they found banner-based mechanisms easier to use and more satisfactory compared to the (primarily link-based) mechanisms currently provided by websites. Although banner-based consent mechanisms are clearly imperfect—prior work in the context of cookie banners has found that many users just click to get rid of banners [kulyk2020has] and that dark patterns and other UI elements can manipulate user consent decisions [nouwens2020dark, bermejo2021website, habib2022okay, ma2022prospective]—we believe our results show that banner-based opt-out mechanisms would still significantly enhance privacy compared to the current state of the world under CCPA.

While we have now made COA publicly available on the Chrome store, we do not consider this extension itself to be an effective tool for enhancing privacy under CCPA; in fact, extensions and browser settings that support privacy signals are probably a better solution for users who are willing and able to proactively take steps to invoke their rights under CCPA. Instead, we view our results as evidence that effectively extending privacy rights to all users depends on regulations imposing minimum visibility standards, and that CCPA’s requirement of a clear and conspicuous link on the home page falls short of this standard. Future regulations will need to provide clear and enforceable visibility requirements informed by empirical user studies in order to ensure that they actually enhance user privacy.

References

Appendix A Follow-up Survey Questions

In this Appendix, we provide the complete set of questions asked in the preliminary survey and the follow-up survey provided to study participants recruited through Amazon Mechanical Turk.

  1. “What percentage of the websites you visit do you believe sell your personal data?” (Chosen on scale from 0-100)

  2. “If the websites you visited tracked your behavior and sold this information to third-parties, how comfortable would you be with it?” (Very Comfortable / Somewhat comfortable / Neutral / Somewhat uncomfortable / Very uncomfortable)

  3. “Are you aware that California law requires websites that sell your data to allow you to opt out?” (Yes / No)

  4. “How often have you noticed websites you visit giving you an option to opt-out of the sale of your data?” (Never / A few times / Sometimes / Often / Always)

  5. “How often do you opt-out of the sale of your data on websites you visit?” (Never Have / Have a few times / Sometimes / Usually / Always)

  6. (If did not respond “Never” to Question 5) “How difficult on average did you find it to opt-out of the sale of your data on websites you visit?” (Somewhat difficult / Neither difficult nor easy / Somewhat easy / Very easy)

  7. (If did not respond “Never” to Question 5) “How satisfied are you with the mechanisms that you have used to opt-out of the sale of your data on websites you visit?” (Very satisfied / Somewhat satisfied / Neutral / Somewhat unsatisfied / Very unsatisfied)

  8. “What is your current age?” (18-24 / 25-34 / 35-44 / 45-59 / 60-74 / 75+)

  9. “What is your gender?” (Man / Woman / Non-binary person / Other)

  10. “Choose one or more races that you consider yourself to be:” (White / Black or African American / American Indian or Alaska Native / Asian / Pacific Islander or Native Hawaiian / Other)

  11. “Do you consider yourself to be Hispanic?” (Yes / No)

  12. “In which state do you currently reside?” (50 States / D.C. / Puerto Rico / Not in US)