January 18, 2023

How we’re thinking about the impact of your data rights requests

Margaret Oates

Maggie Oates is an online privacy researcher. Outside of her work supporting data rights for consumers, she focuses on the impact of surveillance in the arts and on marginalized sexual communities.

Managing your privacy is time-consuming. That’s the whole reason we started Permission Slip, a service to help consumers send data rights requests to hundreds of companies. We’re constantly trying to figure out how to help everyday people get the most out of any privacy action they choose to take.

What action makes an impact?

Privacy actions affect each person differently. In order to figure out what’s most impactful for you, you need to first reflect on the risks you’re trying to address. For example, if you hate targeted ads and junk mail, your priorities might be different from someone who is trying to keep their new phone number away from a bad ex. Both goals are important, but they illustrate how there is no one-size-fits-all when it comes to managing our data.

However, there are some general rules of thumb to help us think about the impact of a data rights request:

Do-not-sell requests (also called opt-out-of-sale) are usually the quickest to complete. These requests help keep your data from getting spread to third parties. On occasion, these can be time-consuming for companies that require you to fiddle with cookie settings on multiple devices for a complete opt-out.

Deletion requests are often more time-consuming to complete. Because you might be deleting your entire user account, companies reasonably want to make sure that’s something you actually want. These requests are ideal if you are sure you don’t want to interact with the company in the near future. Deletion requests are great for reducing your attack surface for hackers; if your data isn’t there, it can’t get hacked! However, even if you send a successful deletion request, in many cases companies are allowed to “soft delete” data and keep it for business or retention purposes. Because of this, deletion requests aren’t always very effective for preventing data leaks or hacking.

Which companies to target for more impact?

When we help consumers manage their data through Permission Slip, our goal is to provide as much privacy impact to as many people as we can. As a baseline, we look for companies that collect and retain consumer data that is covered by major state privacy laws (health, finance, and insurance data are often exempt since special federal laws apply), and we aim for “green zone” companies (we’ll explain) that have manageable processes.

We could maximize privacy impact by focusing on companies that have data on lots of consumers (e.g., websites with millions of accounts, giant data brokers). On the other hand, we could also be more selective and focus on companies that have sensitive data (e.g., dating sites, menstrual trackers). The “holy grail” company would have sensitive data on lots of consumers, and also fit our other criteria. The “green zone” is our approach to balance both strategies, putting companies on a map between “lots of data” and “sensitive data.”

A quadrant chart titled “Aiming for the green zone for privacy impact” by Consumer Reports, 2023. The x-axis goes from “Less sensitive data” to “More sensitive data.” The y-axis goes from “Few consumers” to “More consumers.” Each quadrant of the chart contains examples of companies that might collect consumer data. Quadrant 1 (more consumers, less sensitive data, light green) contains “Data brokers selling your email address, Starbucks, Smart TVs.” Quadrant 2 (more consumers, more sensitive data, dark green) contains “Budget trackers, porn sites, dating sites.” Quadrant 3 (few consumers, less sensitive data, white) contains “yoga studios.” Quadrant 4 (few consumers, more sensitive data, light green) contains “Menstrual trackers, LGBT dating sites, DNA data.”

If a company falls in Corner 2, it’s a holy grail, a high priority. After that, we try to balance a mix of companies in Corner 1 (boring data, more consumers) and Corner 4 (sensitive data, fewer consumers) among the companies we offer in Permission Slip.

As mentioned, we also pay attention to whether a company’s data rights process is usable for consumers. We want to maximize the chances that the requests we send for you are processed successfully. If a process is too hard, we try to work directly with the company or with regulators to change that.

How do you measure privacy impact? (It’s tricky!)

Measuring the direct impact of a data rights request is difficult. One challenge is that the process is a black box; unlike testing a stove or car, we don’t have much visibility into what actually happens behind the scenes after a company fulfills your request. For example, we can ask a company to stop selling your data, but we can’t usually get specifics about how many customers were buying your data. Another challenge is that consumers have very different digital footprints and priorities. This is an open problem in the privacy community, one that we’re excited to keep researching.

What about our collective impact?

Even if we can’t measure the direct impact of a single request, we also know that each data rights request is a piece of a larger story. One single data rights request is a drop, but the hundreds of users on Permission Slip make a pretty big bucket. Consumer collective action is part of a larger dream of shifting the data marketplace to be one that benefits consumers rather than hoovering our data without providing value. Our collective data future is another area of thinking we’re always keen on investigating more.

Even though Permission Slip only launched recently, we’re already seeing the impact of our work. Sending hundreds of requests seems to effectively grab the attention of companies. They are often willing to open a dialogue about how to improve their practices. In just a few months, we’ve already reached out to dozens of companies that have since made their request process easier for consumers, upgraded the security of their websites, or fixed inaccurate information in their policies. And we’re just getting started.

What do you think?

Try out Permission Slip, send some data requests, and let us know what brands or types of companies you think we should prioritize.

If you’re a researcher interested in working on these topics, please reach out! We would love to hear about your interests and explore if there are ways for us to work together.
