Now that the California Consumer Privacy Act is in place, lots of researchers and consumers are testing out their new rights under the law to find out what information data companies have about them. It’s now possible to ask companies to delete that data if you so desire, but to really scrub yourself out of the data machine, you’re going have to put in some work.
Luckily, Laura Noren, a vice president at Obsidian Security, is using her machete to hack through the data privacy jungle for us. Noren is also a security researcher at New York University and University of California, Berkeley. Noren has been going to the source — the many many data brokers that gather, maintain and sell information about us to advertisers and social media companies. I asked her first what she’s trying to do. Below is an edited transcript of our conversation.
Laura Noren: I was pretty excited [to] live in California, and California is the first state to give me some rights to ask companies what they know about me and ask them to delete what they know about me. I used the only public registry of data brokers available in the U.S., which is put together by the state of Vermont. I gathered up 157 email addresses of privacy contacts at these companies and emailed them and asked them to know what they know about me. For the most part, I still don’t know. They have a long time to respond.
Molly Wood: So they have a long time under the law to respond?
Noren: Under the law, they have 10 days to let me know that they even received my email. They have another 45 days to respond to that email. Because it’s the first year of the law, they have an additional 45 days if they can’t quite get it together in the first 45 days.
Wood: If you’re a California consumer, and you really do want to try to turn off the spigot of information as much as you can, is this the place to start — with 150 emails to 150 data brokers?
Noren: I would say, yeah, it’s not a bad place to start. I’d also add that Google, Apple, Twitter and Facebook — none of those companies were in this list of 155. So if you’re truly trying to be more private, I would advise people to go ahead and delete their accounts of all the major social media platforms, because that’s a lot of the places where the data brokers are scraping this information and validating it to begin with. And then data brokers as a step two.
Wood: Let’s say you’re not in California. Is any of this process that you’re going through now useful to people across the country who might at least want to try to contact these data brokers and find out what information they have about them?
Noren: Yes, a lot of the big legal advisers have advised their companies just to go ahead and follow these practices for anyone in the U.S. I haven’t done this yet, but I’m sure someone will come out with a list of all the companies that will take these requests from anyone. There are some other steps anyone in the U.S. can follow that don’t rely on CCPA. You can already opt yourself out of receiving direct marketing, and it has nothing to do with CCPA.
Wood: I want to circle back to something you said earlier. You said that data brokers often have far more information about you than you expect, but you mentioned that they might have far less. What makes you think that? What’s been your experience in that regard?
Noren: I got a fair number of responses back from companies that just said, “You’re not even in our database.” I tend to believe them. Maybe I’m too gullible, but I have done this for a long time, and I think there’s been a maturation process for me. I moved from academia to working in industry. And in academia, there’s a great capacity to imagine all of the things that could be happening with our data and all of the record linkage that could happen to give this very, very complete image of a person with their DNA profile and everything they have ever typed into a Google search bar and everything they ever did on Tinder, or Grindr, or whatever it might be. That is really not happening with most of these data brokers or any of the other companies that hold a ton of data. There’s a few companies that have a maximum amount of data, and even they don’t have complete records like that. Some of them do have far less. Maybe they have some ancient address for me, and they’ve linked it through my email address, and that’s about all they have. That makes me feel a little bit better and also just a little bit worse, because we’re going to get a lot of poorer-quality companies out there that are hawking data. That concerns me because at least the ones that are accurate, you feel like they have some controls in place. The ones that are inaccurate and incomplete, [they] concern me.
Wood: On the other hand, it is a good thing to validate someone’s identity before you hand over a lot of personal information about them, right?
Noren: Absolutely. I do tend to like the validation process used by one of the companies, which just asks me a bunch of questions about the data record they think is mine. They’re asking me to validate what streets I lived on or the people who are likely to be related to me. That made more sense to me because it’s tied very closely to their records and what they think they know. It doesn’t ask me to give any additional information, besides what they already have.
