The California Consumer Privacy Act (CCPA) — which began enforcement on July
1, 2020 — grants California users the affirmative right to opt-out of the sale
of their personal information. In this work, we perform a series of
observational studies to understand how websites implement this right. We
perform two manual analyses of the top 500 U.S. websites (one conducted in July
2020 and a second conducted in January 2021) and classify how each site
implements this new requirement. We also perform an automated analysis of the
Top 5000 U.S. websites. We find that the vast majority of sites that implement
opt-out mechanisms do so with a Do Not Sell link rather than with a privacy
banner, and that many of the linked opt-out controls exhibit features such as
nudging and indirect mechanisms (e.g., fillable forms). We then perform a pair
of user studies with 4357 unique users (recruited from Google Ads and Amazon
Mechanical Turk) in which we observe how users interact with different opt-out
mechanisms and evaluate how the implementation choices we observed — exclusive
use of links, prevalent nudging, and indirect mechanisms — affect the rate at
which users exercise their right to opt-out of sale. We find that these design
elements significantly deter interactions with opt-out mechanisms — including
reducing the opt-out rate for users who are uncomfortable with the sale of
their information — and that they reduce users’ awareness of their ability to
opt-out. Our results demonstrate the importance of regulations that provide
clear implementation requirements in order empower users to exercise their
privacy rights.

By admin