Managing your privacy is time-consuming. That’s the whole reason we started Permission Slip, a service to help consumers send data rights requests to hundreds of companies. We’re constantly trying to figure out how to help everyday people get the most out of any privacy action they choose to take.
What action makes an impact?
Privacy actions affect each person differently. In order to figure out what’s most impactful for you, you need to first reflect on the risks you’re trying to address. For example, if you hate targeted ads and junk mail, your priorities might be different from someone who is trying to keep their new phone number away from a bad ex. Both goals are important, but they illustrate how there is no one-size-fits-all when it comes to managing our data.
However, there are some general rules of thumb to help us think about the impact of a data rights request:
Do-not-sell requests (also called opt-out-of-sale) are usually the quickest to complete. These requests help keep your data from getting spread to third parties. On occasion, these can be time-consuming for companies that require you to fiddle with cookie settings on multiple devices for a complete opt-out.
Deletion requests are often more time-consuming to complete. Because you might be deleting your entire user account, companies reasonably want to make sure that’s something you actually want. These requests are ideal if you are sure you don’t want to interact with the company in the near future. Deletion requests are great for reducing your attack surface for hackers; if your data isn’t there, it can’t get hacked! However, even if you send a successful deletion request, in many cases companies are allowed to “soft delete” data and keep it for business or retention purposes. Because of this, deletion requests aren’t always very effective for preventing data leaks or hacking.
Which companies to target for more impact?
When we help consumers manage their data through Permission Slip, our goal is to provide as much privacy impact to as many people as we can. As a baseline, we look for companies that collect and retain consumer data that is covered by major state privacy laws (health, finance, insurance data is often exempt since special federal laws apply), and we aim for “green zone” companies (we’ll explain) that have manageable processes.
We could maximize privacy impact by focusing on companies that have data on lots of consumers (e.g., websites with millions of accounts, giant data brokers). On the other hand, we could also be more selective and focus on companies that have sensitive data (e.g., dating sites, menstrual trackers). The “holy grail” company would have sensitive data on lots of consumers, and also fit our other criteria. The “green zone” is our approach to balance both strategies, putting companies on a map between “lots of data” and “sensitive data.”
If a company falls in Corner 2, it’s a holy grail, a high priority. After that, we try to balance a mix of companies in Corner 1 (boring data, more consumers) and Corner 4 (sensitive data, fewer consumers) among the companies we offer in Permission Slip.
As mentioned, we also pay attention to whether a company’s data rights process is usable for consumers. We want to maximize the chances that the requests we send for you are processed successfully. If a process is too hard, we try to work directly with the company or with regulators to change that.
How do you measure privacy impact? (It’s tricky!)
Measuring the direct impact of a data rights request is difficult. One challenge is that the process is a black box; unlike testing a stove or car, we don’t have much visibility into what actually happens behind the scenes after a company fulfills your request. For example, we can ask a company to stop selling your data, but we can’t usually get specifics about how many customers that were buying your data. Another challenge is that consumers have very different digital footprints and priorities.This is an open problem in the privacy community, one that we’re excited to keep researching.
What about our collective impact?
Even if we can’t measure the direct impact of a single request, we also know that each data rights request is a piece of a larger story. One single data rights request is a drop, but the hundreds of users on Permission Slip make a pretty big bucket. Consumer collective action is part of a larger dream of shifting the data marketplace to be one that benefits consumers rather than hoovering our data without providing value. Our collective data future is another area of thinking we’re always keen on investigating more.
Even though Permission Slip only launched recently, we’re already seeing the impact of our work. Sending hundreds of requests seems to effectively grab the attention of companies. They are often willing to open a dialogue about how to improve their practices. In just a few months, we’ve already reached out to dozens of companies that have since made their request process easier for consumers, upgraded the security of their websites, or fixed inaccurate information in their policies. And we’re just getting started.
What do you think?
If you’re a researcher interested in working on these topics, please reach out! We would love to hear about your interests and explore if there are ways for us to work together..