VICEROY: GDPR-/CCPA-compliant Enforcement of Verifiable Accountless Consumer Requests

Jordan, Scott; Nakatsuka, Yoshimichi; Öztürk, Elif; Paverd, Andrew; Tsudik, Gene

doi:10.48550/arxiv.2105.06942

Cited by 1 publication

(1 citation statement)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In their follow-up work [18], they proposed alternative approaches to authenticating data subjects that can help businesses strengthen their SAR mechanisms by reducing the likelihood of leaking subjects' personal data when responding to data access requests made by adversaries. Jordan et al [31] focused specifically on addressing the problem of how organizations can respond to data access requests that do not have corresponding user accounts.…”

Section: Efficacy Of Subject Access Requestsmentioning

confidence: 99%

Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)

Samarin

Shayna

Zaina

et al. 2023

PoPETs

View full text Add to dashboard Cite

The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to "verifiable consumer requests" (VCRs) by disclosing personal information that they have collected, used, or shared about consumers for a business or commercial purpose. We compared the actual network traffic of 109 apps that we believe must comply with the CCPA to the data that apps state they collect in their privacy policies and the data contained in responses to "right to know" requests that we submitted to the app's developers. Of the 69 app developers who substantively replied to our requests, all but one provided specific pieces of personal data (as opposed to only categorical information). However, a significant percentage of apps collected information that was not disclosed, including identifiers (55 apps, 80%), geolocation data (21 apps, 30%), and sensory data (18 apps, 26%) among other categories. We discuss improvements to the CCPA that could help app developers comply with "right to know" requests and other related regulations.

show abstract

Section: Efficacy Of Subject Access Requestsmentioning

confidence: 99%