Although the CCPA is supposed to make it easy for California residents to opt out of companies sharing or selling their data, it hasn’t all been smooth sailing. California residents have come across roadblocks, such as companies lacking links to tell companies “do not sell my data,” even though they’re required to by the law. Beyond that, the process can be cumbersome and time-consuming.
With his friction in mind, James Carney, Joanne Jia, Archana Kulkarni and Cameron Lopez, a team of grad students at UC Berkeley’s School of Information began development on PrivacyBot: a free, open source tool to automate part of the process. PrivacyBot is a capstone project meant to allow people to send requests to have their information deleted from a list of data brokers and people search sites.
PrivacyBot does have some limitations. To use it, you need to have a Gmail account, and you’ll need to have Python 3, pip3 and node installed on your computer. You’ll also need some level of familiarity with using the command line, either using a split terminal or two terminals so you can run the Flask app on one and the React app on another.
Users can choose between three different types of requests: top choices, which sends out 91 emails, including the biggest data brokers and their subsidiaries as well as companies that require little or no follow-up; all people search sites, which sends out 164 emails in total; and exhaustive deletion, which sends up to 500 opt-out emails.
“We’re hugely enthusiastic about PrivacyBot because we believe automating the sending of requests is a big win for consumers,” said Ginny Fahs, Consumer Reports’ Data and Privacy R&D lead. “We share the vision that it should be easier for consumers to send data requests, and to send them in bulk instead of needing to approach companies one-by-one.”
Consumer Reports has been running pilots of an authorized agent service that submits requests for consumers and alleviates the burden of submitting requests individually. While PrivacyBot works by having users authorize the tool, allowing the tool to compose and send emails from the users’ own email account, Consumer Reports sends requests on people’s behalf with a legal document attached showing that the consumer provided permission for the requests. The data protection tool Privacy Bee, for example, is a commercial product also taking the authorized agent approach.
While the process to opt out with PrivacyBot is incredibly quick for users compared to sending emails for dozens or hundreds of data brokers, it’s more time consuming than simply filling out a form and pressing send.
Emails sent show up in your Gmail sent account, tagged with a PrivacyBot label, but incoming replies aren’t automatically threaded. And companies can ask people to fill out a form or make a phone call, so there is some follow-up required. Users are only required to fill out their first and last name, email address and state of residence, but omitting information will require more follow-up.
A similar service to PrivacyBot is Mine, an app which is currently free but will eventually become a subscription model. PrivacyBot, on the other hand, will always be free and open source, which means that it’s a building block that can be expanded or built into other services that grow the ecosystem.
“The free element is really important to us,” said Joanne Jia, who points out that current opt-out options either cost time or money. “From conducting surveys within the Privacy-related Reddit community and talking to privacy experts that we know, it sounds like most of them stopped after making a couple of requests just because the process is insanely difficult, and they didn’t actually want to pay a really high amount for monthly fees for a service. This is a way for us to give back to the community.”
Cameron Lopez said the open source philosophy aligns with what the group was trying to accomplish as people who support the democratization of privacy rights. “What we wanted to accomplish was to make this a way for anybody to be able to do this and also to provide a way for it to be continued after we’re done. We think this is something that could probably be really useful for people further down the line, to expand and be a useful tool worldwide for GDPR and other state laws like CCPA,” he said.
The team is open to contributions from the community. Some possibilities for the tool include turning it into an installer, so it’s easy to run even for people who may not be inclined to open up a source-code editor, and to have an opt-in scripting process built in, which will allow users to submit data for analysis, if they choose. This would allow researchers to track the compliance rate with the requests after 45 days, to see if companies are following the law.