 I live in Phoenix. I've been writing about technology for about 11 years for a bunch of different sites, including the Intercept, Motherboard, Wired, Wirecutter, Ars Technica, Consumer Reports. And you can find me on Twitter at yaelbrights. So about four or five years ago, I started writing about data brokers, which is a bunch of sites that collect information about people. Basically, everything you do online leaves a paper trail, whether you're using a search engine or making a purchase. And even stuff you do offline, like getting married, buying a house, it all kind of leaves a paper trail. And I found out that these sites that I hadn't even heard of were just sharing this information and selling it to other sites and creating data profiles. So that's, so I became interested in that back then and started looking into ways to kind of try to mitigate that a little bit or even understand the risks of what information they have and what they can do with it. So there's basically three different types of data brokers. There's people search sites, which is when you plug in somebody's, maybe their name or their where they live their email address or just any information about them. And it pulls up a bunch of other information. Sometimes it will show you like home addresses, other addresses, relatives, and that kind of information. Sometimes it'll show you different social media sites that they use under different names just across the internet, going back like decades. And so those were the ones that I found personally the most concerning. But there's also marketing sites and a lot of the marketing data brokers will create a profile of people based on information that you search for or purchase. And they do this to be able to sell kind of groups of names of people that are interested in certain products or maybe fit certain profiles. And it can be kind of like a lot of people that seem to think that it seems pretty harmless because they're just, you know, giving you better deals based on information that you're interested in but it can actually be kind of nefarious because sometimes something that you're searching for will make you look like you're higher risk or like you have a medical condition and it can cause you to have higher rates for stuff or not be able to kind of access services you needed the prices that you would normally get. And then some people just find it kind of creepy there's been like Facebook and some other sites have allowed you to see which kind of groups you're placed in and it's something that some people find uncomfortable with are uncomfortable with and sometimes information isn't accurate and it's not always easy to kind of get it removed because like people are selling, they're not just selling the raw data but algorithms that they created based on that data. So they'll put you in these categories and they'll sell the actual categories and so it's easier to sell that and it's difficult for the people who are placed in these groups that they don't even know about to kind of be able to pull that information back. And then the third type of data brokers risk mitigation firms, which is probably the least harmful. They're basically checking for fraud. It can be harmful sometimes if say you're living in an address that's associated with fraud and you're not able to make purchases that you want because they're incorrectly associating you with that address. So that is the third type of data broker. Some of the risks that have come up aside from people just thinking, you know, it's creepy to be marketed to based on on these categories, and also some of the information is incorrect. Some of the other risks is identity theft if people can find that information about you it makes it easier for them to try to steal your identity. And also like stalking people are really concerned about people being able to find their contact information, everything that they've ever written on any social media site going back decades, and their home address. And that's probably the emails that I get the most from people who are concerned about this is they're worried about people being able to find them find out where they live or their phone number and that kind of thing. And actually another risk that I haven't talked about is data breaches. So, like, even if the material isn't available publicly, sometimes people can just, even if you've opted out of having a display publicly which we'll talk about opt out a little bit later there's just been these exorbitant data breaches of some of these companies, where they're just able to get tons of information about everybody and share that. And that's what we've lost to worry about, because we saw it like with Equifax and we've seen with Axiom and other companies that sometimes they don't secure the information to the level you want. So basically they're collecting information about people in many cases without their knowledge, let alone consent and they're not keeping it secure in some cases. There's restrictions for what people can do with information. And that's mostly based on credit or consumer reporting agencies. So if you have a credit report and people are using that credit report to decide whether to give you a job or to give you credit. You can't you have the ability to access and report and correct any errors. And the companies that are trying to get that information, they can only do it like in some cases they need you to sign up on it, or they can only access it in really specific circumstances. And there's also another restriction is the Federal Trade Commission Act, the FTC Act had Section 5, and that prohibits unfair or deceptive acts. So basically if a site is making misleading statements or causing injury to you, and you can prove that then the FTC can take some action. But it's really hard to kind of prove harm. And there's been some losses with the companies that have done this. So it's really hard to prove that like this person got my information from your site, and then did X. So there are some restrictions, but they're just a little bit more limited than people would like. And one of the more frustrating things about covering this is that there was this amazing report that the FTC wrote in May 2014 110 pages, and they had all these suggestions for what data brokers should do for improved transparency and accountability. They said you should share with people what data you're going to share and with who they should be able to opt out there should be a single portal that they can opt out nationally. There were some other ideas and they wrote this great report and none of it was implemented and some people thought it would be implemented after the Equifax data breach but it wasn't. So the reports still there it's still relevant and there hasn't been any national legislation in the US based on it. So then that leaves it to individuals to try to figure out like what am I going to do about all this information about me that's online. And you can try to opt out of some of these sites for the marketing sites it's a little bit easier. You can freeze your credit so basically like companies that want to give you credit can access information in your credit report, but not if your credit is frozen. So that's something that you can do you just have to like unfreeze it before you want to use it again. So it can be a little bit of a hassle. If you do find that a site is you know misusing your information in a way that's misleading and harmful. And then just being careful about giving on information, but that's, again, that's really challenging because you leave a paper trail everywhere you go a lot of this information is public like voter in many states in the US voter records have your mailing address and those are public or easy to access and like buying a house buying real estate. A lot of it is publicly accessible. So there's only like so much you can really do to avoid giving out information. And then for people search sites specifically and that's what a lot of people contact me about because they want to make sure their address isn't online, especially if they're in a public facing position or maybe they do activism, or some kind of reporting or something like that where they have people that don't like them online and they don't want them to know where they live. And you can actually remove those and I actually have a guide called the big ass data broker opt out list, and it has a bunch of information on how to remove your data from these different sites. The only problem is that it's tedious and time consuming and sometimes it re proliferates because they're pulling that information from public sources, and, and they'll keep doing that so you have to repeat this process. You know, every, maybe three to six months probably. You can also pay somebody to take it down for you. And organizations that do that I've used delete me and privacy doc and there's a few others that will do that, but it does cost money and it's not completely comprehensive, because some sites will like tell you that you can take your information down, only if you do it yourself they won't let anybody else do it on your behalf. And so, and you have to kind of go through and check to make sure it's actually being taken down sometimes. For example, my list of take down sites is more comprehensive and delete me. So even though I've used delete me I'll still go through and, and try to find my information on sites that haven't taken it down. And they're constantly changing like they're, they buy each other out or they change how you can opt out or they have different sites. So when I update my list. I think I check this every six months and I'm always it's kind of like a, like a game to try to figure out like oh here's the new way to opt out because they don't make it easy or friendly for people. And not all sites will even let you take, take your information down. There's also like some and you'll talk about this more but there are some states that do have some local laws that allow you to make this a little bit easier for you to do that some people in those states can take advantage of. Yeah, and there's one other thing about this too is that if you're if you do find your address that's posted on on social media or in a search engine you can get it removed you can file a complaint on Twitter and they'll usually take it down. Or on Facebook, and then in search engines there's actually like a couple of links that you can use to try to get it removed by just telling them this is my personal data I want to take it down. You might still end up on like a shadowy site that posts these things but it won't show up in a search engine when people Google your name, which can be, can be helpful. So I talked a little bit about the biggest data broker opt out list that I've maintained. I try to update it every six months or so. A lot of these sites will ask for more information before you opt out. And so what I do is I make sure my name is already on there before providing more information to them. I charge money for access to removal which I don't personally I've never paid for that because I'm just not going to pay somebody for it like what if they put it back up again. Some of them make you actually write a letter and send it in by mail. Some of them have you use a fax machine. Some of them will require more information which personally like for me if my goal is to get my information taken off of the web that I'm okay with providing some information, but I'll cross out anything else that they don't need like for example if they ask for driver's license I might send them a copy of my driver's license but I'll cross out the ID number and any other information. Because that they are reasoning as they say they want to make sure to verify that you are the person whose information they're removing is actually asking for it. So we do have this list and try to make it a little bit easier even though it is still like a time consuming and TDS process. And these are some of the links of articles that I've written in that are online about data brokers. The first piece for advice, the data broker call for transparency and accountability from the FTC which is that 110 page report that wasn't followed. I do think it has like a blueprint for what states can do and what you know the federal government could do in the future they decide to do it. And then the opt out list I have it on both Google Docs and GitHub. And then there's this really great article about getting that Maria has sent off road about trying to get your name off of people search sites for consumer reports. And they also link to a sort of how to guide for deleting information that I wrote, which links to the opt out list but just provides more information about the process. And yeah I'll be available to answer questions. Hi everyone. My name is Ginny Foss. I'm a social entrepreneur and I work at the intersection of technology and policy. I've worked on a number of different type policy projects but recently I've been laser focused on data privacy and consumer rights. And so I'm really interested and excited to be here with you all today, talking about tools for making data rights meaningful for everyday people and how kind of tooling and products can fill the gap between what policy provides and what everyday people are realistically able to take action on. So, the big question that I'm focused on right now is, how might we meaningfully expand data rights to individuals to everyday people. In the US there's this new tool that makes this question particularly compelling or possible to explore. And it's a piece of legislation called the CCPA, the California Consumer Privacy Act, which is a really exciting milestone for us here in the US because it's the first comprehensive commercial privacy law in the states. It was signed into law in 2018 and implementation began this year in 2020 and it's making a lot more possible as far as individuals ability to meaningfully exercise their data rights. So, what is the CCPA and why should we be excited about it. There are a few main privacy rights that the CCPA extends. The first is the right to know the personal information that a company has on file about you. And practically that means that individuals should be able to retrieve a copy of the data that a company has on file. The right to delete personal information that a company has on file about you. If you don't trust this company or don't want them to have your data anymore then you have the right to request that they wipe it from their databases. And then finally there's what what L was speaking about earlier as far as the right to opt out of the sale of your personal information by companies. I think most consumers are everyday people might not be aware of the extent to which companies sell data about them, and, and under the CCPA any individual can opt out of the sale of their data such that companies aren't able to monetize on the kind of activity and personal information that that everyday people are sharing with platforms and products they use or platforms and products that get their information some other way. So you may not even be a user of those products, as is the case with data brokers. So this seems great right like we have this great new privacy law we have all these rights, what's the problem. Well, the problem is that these rights practically are actually just very challenging to use. I just mentioned the list that she has this big ass data brokers opt out list which every six months she's going through and for these dozens of companies she's updating how one might opt out of the sale of their data by these companies and maintaining that's a challenge but then as an everyday person who's not a privacy expert or privacy professional who may have never heard of a data broker or never really understood what it means to opt out of their data being sold. They don't even know that data is sold about them. And so, so there's this big gap between what policy allows and what everyday people would reasonably be able to do if they cared about their own privacy, or even just how much they would have to know in order to take action towards their own privacy. So this report's published just last month at the beginning of October, a study in which there they recruited a few hundred volunteers to start issuing a request to companies request to opt out of sale of data, you know request to know the data companies have about them etc. And it turns out that everyday people have a really hard time using these new rights because for the most part it's still really early days for CCPA companies have set up really different processes for handling these requests. They don't always make it easy to submit the request. They don't always know how to process the request. And so for, for any person off the street, these privacy rights are sometimes a little bit more hypothetical than they are actionable. So what tools might exist to help people exercise their privacy rights. One initiative that launched a few weeks ago that's really exciting is this global privacy control initiative, which works with a browser signal. So the idea is that you could, you know, create settings in your in your browser about your privacy preferences, and that any business whose, whose website you visit would have to respect those privacy preferences that you have designated upfront. This is, you know, it's a consumer product, it's a technology, it's a tool that lives in the browser. It can and will be very helpful to a number of people. But it doesn't account for the fact that there are all of these industries and companies that are selling personal data. And everyday people don't even know that these companies exist that they have their data that they're selling their data. Data brokers obviously are, you know, any any company listed on the California data brokers list is, is a company where probably most people off the street don't realize that that company exists that that company has their data, etc. And so a solution like global privacy control starts to break down when you consider companies that maybe aren't consumer brands or that just aren't popular in consumers awareness. So what else can be done. There's a provision in the CCPA called the authorized agent provision. And, and the idea is that, you know, there are these rights extended in the CCPA the right to know the right to delete the right to opt out of the sale of your information. But practically, since it's hard for everyday people to take those actions, the CCPA says that an authorized agent can make these requests on behalf of consumers. An authorized agent is pretty loosely defined in the CCPA. It's any third party. So it could be an outside organization. It could be my mother, it could be you know an individual I know who I would trust to make a data request for me. But, but because of this provision in CCPA. Essentially, there's an allocation for somebody who's more of an expert to make requests for you. And that's what I'm really interested in exploring right now. So right now I'm working with a team at the digital lab at consumer reports. And we're working on trying to create authorized agents that take actions for individuals on their behalf in risk in regard to their data. And so just a few weeks ago pretty recently we launched our first experiment of being an authorized agent. And so what this experiment is is we have recruited some volunteers to help participate we have 110 consumers who have signed some legal paperwork. The paperwork says I designate the consumer reports organization to act as an authorized agent on my behalf and to submit data requests on my behalf. We are now currently representing these 110 consumers before 21 companies. We selected this list of 21 companies for the pilot, based on a number of criteria. We wanted a mix of companies that were popular consumer brands, as well as major data brokers, as well as a mix of industries. So we have some retail brands we have some food and beverage brands we have supermarkets we have e commerce. It's only 21 companies but we tried to get as much diversity as possible in the sorts of business models and even consumer awareness. And over the past few weeks we've issued 210 opt out requests to these companies so each company in the cohort has received 10 requests from consumer reports, saying, we are opting this consumer as a virtual assistant of the sale of their data by your company. So essentially what this means at a high level is that we as consumer reports have created a technology by which we are acting as a virtual assistant to individuals who have desires for their data, but maybe don't know enough to act on it maybe just are too busy to act on it, where we're doing the work for them and making their data rights actionable by taking on responsibility of representing them to companies over concerns related to their data. And it's been really fun acting as an agent. We have. And, and I would say in general authorized agent is a pretty nascent part of CCPA. There are other parts of the law that maybe have more in common with GDPR and other major privacy laws around the world and so companies have a little bit more experience with how they might implement those parts of CCPA but authorized agent is really a singular to CCPA so far and so when we submit these requests to companies there is often a little bit of confusion about what this request is like what part of the laws referring to how to take action on it. And so part of this pilot also has just been developing a better understanding of where industry is and starting to be able to implement the requirements of CCPA. So basically even beginning the conversation with companies or DSAR providers who are data subject access request professional groups that sometimes process requests on behalf of companies. We're starting to have a conversation more broadly in the industry of what's currently possible under authorized agent and what should be possible. And so learning and exploring together what this often overlooked part of the CCPA privacy law might mean for for individuals and for corporations who will need to be prepared to receive these requests. So this is what an agent request looks like in case you're curious. The the CCPA really doesn't specify very many requirements about how authorized agents make requests. So our team has has created a request format that that seems to be working with the companies that we're reaching out to. For an authorized agent you have to have the consumers information on file. So all of the consumers who have signed up for this pilot have provided their email and phone number. And then we've also verified their email and phone number so that we have confidence that the consumer is who who they say they are. So every participant in this pilot to sign a permission letter. And this is it's kind of a form legal document. And the permission letter says I, Jenny Foss is an individual authorized consumer reports to act as an agent on my behalf. And those letters are signed and dated and and provided to companies only make these requests as evidence that we have. We are not fraudulent and that we really are representing the consumer. And then finally, because we're an organization that's making these opt out requests for everyday people. We need to prove that we are organization and good standing that we pay our taxes those sorts of things and so in the agent request we also provide a certificate of information of consumer reports which is just paperwork that demonstrates that we're an organization with license to operate in California. So, again, we've been that we've sent out 210 of these so far to 21 different companies and seeing the responses back has been really interesting. In general, what what I'm really interested in right now and what the team at CR is working on as well or is this question of how might we meaningfully extend data rights to individuals. And we're very early in building tools that do that from the global privacy control solution I mentioned earlier that is the browser signal to this. It's an enterprise agent idea of becoming an assistant that does work for everyday consumers who may not have as much context or time to deal with their own privacy. So, so these are just kind of our first two ideas. And so as we enter into Q&A and start to have a broader conversation and really interested to hear from all of you about other ideas you have for tools that will help everyday to really exercise privacy rights that they are afforded by law but that maybe are not practical to access. And I provided links to some of the materials I referenced in case people want to dig deeper and understand some of what we've been working on. So that's everything from me. You can find me on Twitter via email and look forward to hearing your questions and having a broader conversation with you all about this as well. Okay. Hello, I'm Anand, a security researcher, and also currently the CFO has geek, and I will be moderating the sessions today and get your questions to both you and Kenny, right. So we're going to go over questions that were first asked in the Hasgeek.com page. And we have three questions from Rohit Jofi. His first question is, what are some of the new challenges to the data brokering model that has been brought by the tightening of data protection and privacy acts in the world. I kind of mostly looked at this from the perspective of the consumer. And I think it's what companies should be doing in the first place to use data with consent and allow people to opt out make it easy to opt out. Let people know what you have and how you're using it, and then of course securing the data you do have so that other people don't get access to it. So I think the challenges are the same as any other regulation there was sort of a scramble for GDPR. And I think that it's sort of a scramble to do what companies should have been doing in the first place. Yeah, I would add that like companies aren't used to needing to be transparent right data brokers have been able to kind of operate in the shadows for many years. And policies like the CCPA, the California data brokers registry, as well as policies in Vermont and the data brokers registry there have meant that data brokers have had to, you know, put their names on a website that's open to the public and their business models are exposed to the public and, and even you know that whether or not they process opt outs in Vermont is part of what they expose so. And for an industry that's used to really operating beyond the realm of consumer awareness just the fact that everyday people are starting to have conversations about what is a data broker and what does that mean for me and my personal data like that, that kind of being out in the open is a threat to their business. I would also say that opt out processing is a threat to the products that data brokers offer right like if, if the whole purpose of their product is to sell data about large flaws of consumers and consumers are starting to be aware of this business model and are starting to say you know what I don't want to be part of that. Data that data brokers sell is a lot less robust. So, so in that sense there's there's a threat to kind of the, the reputation of what they do and the more people are aware of it as well as just the actual product they're able to offer to companies if, if long like big big collections of consumers start to leverage opt outs then that product is not going to be as powerful as it has been in the past. The second question is also from Robert Jofi and he says, in the United Kingdom, Information Commissioner's office recently showed an enforcement notice against some credit reference agencies, ordering them to make some fundamental changes on how they use people's personal data with their offline data-breaking business for direct marketing purposes. Does the new data broker law put in place at State of Vermont give consumers a right to access and review what data is stored and sold about them or to know how the data was obtained, who's buying it? Also, does the new data broker law bill require any form of consumer content for the collection of? Okay, so it's just to, I'm not a lawyer, so this is just kind of my understanding, but I know that there, the laws in the States are pretty limited. Like for example, in California there's an exemption for information that's publicly available through public records, so that's like a huge exemption. In Vermont, like the law really just says like data brokers have to register with the Secretary of State. They have to have minimum data security standards and they can't use personal information obtained through fraudulent means or for the purpose of like stalking and harassment. And so there's a registry that's set up, but there's no requirement. Like even if there's a registry, it doesn't require the companies to honor consumer requests permanently. So if I say I want this taken off and never put back, they don't have to actually honor that. But it's, and so it's kind of limited and I have some links I can share. Another thing that another limit is that it doesn't include what's called first party data mining. So if a company has a relationship with a consumer, it doesn't stop them from, you know, mining their data in ways that people might not want or find creepy or whatever but maybe aren't ready to stop using that company because we've seen this a lot with Facebook where like, people do not like their information collected in the way that Facebook has done and they don't necessarily want to stop using Facebook. And there's some steps you can take to get some information removed but it keeps adding back on some guessing that that's probably the same problem and then there was reporting in the Washington Post about how, and this is in 2019 so I don't know if it's changed this then but it said that even though firms have registered, a lot of them haven't made it clear like what they do with the data and whether you can remove yourself. So even though it's really, really great that we have these laws they don't do as much as I think we want them to do. I'm going to address the part of the question about access and deletion in particular. Like access and deletion aren't covered under Vermont law, they are covered under the CCPA the California law, but the Vermont laws is more about kind of transparency and that companies, you know, they have to register in the data broker registry. They don't have to say whether or not they offer an opt out. But, you know, there's nothing in the law saying they need to offer an opt out for example like I think the Vermont policy is more about transparency and it's less actionable than the CCPA. And so that's a big place for the two, for the two diverge. I will say as well though that there was actually a study that just came out this week by the interactive advertising bureau they're like legal affairs council did a study about how common is it that the CCPA this California law is able to be actioned upon by consumers living in other states. And it was actually found so so this this wasn't a conference of consumer survey but basically they collected 80 privacy lawyers that represent a large number of companies and of these privacy lawyers. And they revealed that about 60% of the companies they work with honor the CCPA no matter where the consumers request is coming in from. So this law in California can and in some cases does affect the privacy rights of people living in other parts of the US. Legally, you know, it's not in law that it must apply to a broader swath of consumers but certain companies are deciding to just kind of have standard implementation of CCPA that would apply to any American making a data request. Okay. We have two questions from Venkat up and got me. He says, how complex is the paper work. And I'll let Jenny talk about how complex it is as an authorized agent but I know from updating the data broker guy that it's, it's, I wouldn't say it's complex but it's annoying to figure out like where do you opt out and what are all the steps like, like first you have to go to the site to find your information and then if they have your information you might have to go to a different, a different page to get it removed and then like sometimes there's like two different. There's a premium listing and a regular listing and you have to do it in both places and these companies are constantly buying each other or like being sold and so like, a lot of times their pages are outdated and it's, it's like I have help on it because I have that page up on GitHub and I have people sending me information but even with that it's still kind of annoying to figure out how to do. I think annoying is the keyword that yeah I'll use like it's, it's not rocket science to opt out like you know it's the processes are often on companies websites it's a lot of just kind of doing the paperwork but the big problem is it's not scalable like, you know, if it takes me let's say it takes me five or 10 minutes to opt out of every individual company. For all the data brokers listen the 400 data brokers listed on the California data brokers registry that would amount to 33 hours of work for me to opt out of data brokers right like that, that's just, it's completely impractical that everyday people would choose to spend 33 hours with their lives opting out of data brokers. And so that's that's why this authorized agent provision is such an important affordance in the CCPA right this authorized agent says you could designate a third party to make these requests for you, and then you don't have to spend your own time doing it. And, you know, in a perfect role that third party would be issuing requests at a large enough scale that they're able to be smart about how they submit the request to make the process more efficient to make to make it more likely that the request come back with, you know, the opt out being fulfilled or the data that you requested access to being delivered back to you. So, so this idea of an authorized agent or a third party that's able to make these requests on consumers behalf is about making this, you know, the, the law more practical and such that people wouldn't have to spend so much time figuring out every way to make this unique process. I think in the years ahead, we, we hope and expect that there will be some standardization of how these requests are issues so that it's not so much as a catch and catch can have like, you know, you need resources like Yael's amazing list to figure out for these companies how to go through it for every single one in a different way. So I think standardization is a trend we'll see that will make it easier for people but also, you know, ideally there will be more agents and third party organizations, serving consumers by making these requests on their behalf. Okay. This next question, Venkata asks, Bengali asks, what's the likelihood that the browser plugin will be blocked. She needed you want to take that. I mean, look, the like the browser plugin is a great tool. It's an important tool for opting out of companies consumers know about. I think what's, what's really interesting and what these new data broker conversations are making more part of the public consciousness is, you know, there are tons of websites that have information about you that you've never visited, that you've visited, that you've never visited, and so how do you make sure that those, those organizations aren't abusing your data, right, and a browser plugin isn't going to be able to help with that. Yael, do you have anything to add. I mean, I don't, I don't think I would have to kind of look into this but I don't think that the data brokers, like it's the people blocking it would be the browsers themselves right. Yeah, so I'd have to think about how that how that would interact but I mean there's a lot of sketchy plugins out there and this isn't one of them so I don't think it's not likely but I don't really know. Okay. If there are more no more questions coming on other places so. Oh, I think that was one. I saw about the key issues that companies need to consider. I kind of answered it on the first question. I was looking into that because I, you know, if you look at it from the perspective of the user whose data is being used like I think companies can choose to not use any data acquired in an unethical way or like get answers on how it's collected and use that to guide where they are. And so that's one of the really cool things I think about GDPR is that we've seen that some companies will let everybody opt out, even if they're not required to. And Judy mentioned that for California also. And I think that that would be a really cool way for companies to lead on this issue is like we're going to follow the strictest state laws for everybody. And even some of the demands that are not codified in law like that EFF another nonprofits of me. So, like, we're going to let people know where information comes from we're going to make it easy to opt out permanently, and we're going to spend time and resources to secure that data. That's, I think how you can lead on that from the perspective of the consumer. And frankly, like investing in an opt out product is strategic for companies right because if consumers feel that they can't opt out easily, they can't access their data easily. That breeds skepticism and fear about what the company might be doing and I think that will incite more delete requests, and which which you know leads to a much greater loss from a company's perspective as well so I do think there are incentives for companies to operationalize and product ties. Some of these opt out and access flows, such that consumers are satisfied enough that they choose not to take more drastic action. And we've seen this with like ad blockers like if you look at the ad industry that there's sort of like an arms race between like, oh I have an ad and add and here's an ad blocker here's a blocker blocker and like, I think the best way to deal with it is to kind of be like oh how can we get people's information that they clearly don't consent to us getting or send them information they clearly don't consent to like, like I think that's a bad way of looking at it. Okay, no questions in YouTube which means I can now ask all the hard questions to both of you. All right. Okay. So coming back, right. So the reason why I was very interested in in the third party agent kind of an affidavits role that you're playing is that if you watch the Batman movie. They say that. Well, you buy Kevlar, they buy armor piercing grounds, and there is this collection what they're going to do about it. Right. You remember that. Right. So in a very similar way what we've seen, do you think that that could happen in the sense that they can just go nuclear on people by just putting so many impediments for the third parties to do deletion that you would even give up. I just want to make sure I understand the question so the question is could companies put up so many obstacles to execute on these requests that even an agent wouldn't be able to overcome them. Yeah. The law prevents them from doing it. Well, what what does prevent that is, frankly, studies like the one we're working on right now so like one of the, you know, we've been doing this authorized agent study through the digital lab at Consumer Reports, which is a major consumer protection nonprofit with an 80 year history in the US and with really strong connections that attorney general's office and with other enforcement officials to make sure that these laws that are on the books that protect consumers actually are able to operate in the way they were intended. So one of the things of kind of the work we're doing right now in addition to just practicing the muscle memory of acting as an agent is we're, we're being very communicative and public about what we learn and, and one of the audiences me intend for our learnings is the attorney general of California who has authority to enforce the CCPA so so part part of what we intend to deliver as a list of recommendations for how the authorized agent ecosystem can be more functional and actionable for consumers. And then the attorney general's office has the authority to actually write different implementing regulations for the CCPA or make adjustments to the actual policy on the books to ensure that it's working the way it's supposed to. So, I would say you know the companies can put up a lot of obstacles but like eventually, if government policies become more granular and detailed, and, and make it clear what's allowed and not allowed and then companies are paving and ways that are not allowed then there can be lawsuits and there will be other kind of ways to penalize companies who are really trying to dodge the regulations. Okay, Zana has a question she asks outside of social media and explain what is the situation with data brokerage and threats to personal data production and other business to mine. I guess like for me what what people contact me the most about is like, can people find out where I live and that can be really dangerous if you know they have a soccer or there maybe journalists or activists or just whatever situation they don't want people to know where they live and in the US, people can look up your address in many states if you register to vote like though like they can pay for it, voter roles and find out where people live. And there's some exemptions in some states but not all of them. People can also look up your address in a lot of places if you buy a home. So if you purchase real estate and there's ways around it but they're annoying like you have to open up like a, you have to open up like a trust and buy it on behalf of the trust and nobody. I don't know anybody has actually done that even though I know a lot of people who talk about doing it because when you're closing on a home like, there's some time pressure and it's just extra steps that you might not want that extra friction. So I think that's the biggest threat that people don't think about and there's ways to protect yourself from that but in many states but you have to actually have a restraining order or like, like it's not as preventive. So for me, I think that's the scariest situation. And then it depends on the individual what they're most concerned about because some people really are worried about like oh social media companies think that like they're going to charge me more for health insurance because I like motorcycles on a social media page or whatever. And that can be obviously harmful but like personally like the people contact me the most are worried about like, like, are people going to find out where I live and that's why it's so infuriating that it's so time consuming and difficult to get your address removed from some of these sites. And then even if you are able to do that that there's these other, like if you buy a home or register to vote that people might be able to find it out that way. The other question that I'm asked is, are we saying that CCP implementation will eventually come to the agenda and organizational process and culture broken because data is the other. Yeah, I can kick off with this. I think that organizational cultures and processes don't know how to handle this because it's really early days, like this is a CCPA is a new law on the books like it's the first commercial privacy law in the US companies are learning for the first time what the regulations are how to comply like GDPR was a similar effort right like when that came out a few years ago it was a huge organizational effort and kind of change management effort within companies to make all of the updates required to be compliant and so I mean I, I like to think that the behavior isn't entirely malicious a lot of it is just about like how do we get our legal team, our engineering team, our product team or customer support team like all working together and figuring out how we actually implement this. The enforcement will come from the train general and I think that that will play an important role for standardization as well as for calling out the companies who are kind of trying to cut corners here. But I just think in general within a particularly large organizations, making sure that the left hand is talking to the right hand and the teams that are all necessary to be around the table are actually coming up with solutions for this is, you know it's something that companies are still learning how to do. I kind of go back and forth on like like in, like right now legally companies will tell you we're allowed to share and sell data from public sources which is true, and they use that as an excuse to stop you from opting out. And I find that infuriating, but at the same time it is a courtesy right now in places still do let you opt out even though they're not legally obligated to like some of them make it annoying and difficult but you know they are doing some of it so I think it's a good thing to retain it all with a broad brush because like some organizations maybe do care and haven't bought it out and some organizations don't care they only care about the law and not the ethics behind it. But yeah I do think legislation is the best solution because it's like who's going to pressure, you know, hundreds of different companies to keep, like shadowy companies to keep getting by and sold by other companies to like make these broad changes, unless there's, you know, repercussions Yeah, and I also think that as tooling develops, there will be continued learnings that can be funneled back to regulators right and that we need to kind of, you know, as as people on the ground who care about privacy we need to make sure we're testing out what we can do for us because without kind of the early adopters who care about testing out these new provisions like there's not going to be good feedback back to people who have the authority to make changes to make the law work better. Okay. You know, nothing else on YouTube. How are we doing on time maybe another 10 minutes. Okay. I have another perspective. You may probably be not able, but you can just give it a try. So the idea that is being floated around in some of the studies that I've seen in India and Kenya replaces is that you can give some kind of compensation people for opting in to give their data. Okay. And then basically come back and say look, we want to we want to compensate you for using your data, because we are a database, you're running a database. And have you ever seen that kind of talk go on US by saying don't opt out, but I'll give you $100 is give me please give me your data. I've seen some stuff like that where it's like watch this ad and save a dollar. But I'm hesitant like I think it's I've heard it more talked about than I've actually seen it done. And I kind of hesitate because I feel like people who are the biggest victims of data brokers are not people who are tech savvy is usually like poor people. And so like how will this impact like how will this create a bigger digital divide between people who, you know, have more resources and knowledge and the ones that don't. Okay, does the CPA and the very one blog talk about asymmetry, but we need a brokers and people in general, or do you see that as some kind of a effort to level it off a bit. I mean obviously because being an educator data, they have much more than what you would know. So is is one way of thinking about the CPA is about, you know, just ensuring the asymmetry doesn't just doesn't become too big. It's not the right way to think about it. I'm not sure I understand the question. Okay. There's an information asymmetry between a data broker, and, and the people whose data they have. Right. I'm not even know that I mean like the Washington post example is that I may not even know how many people hold my data. Right. Is the right way to think about these laws is about leveling the asymmetry of it, or it is not the right way of looking at it. Yeah, no, I think that's part of the motivation for these laws right like we've arrived at a point where companies often have access to far more data than individuals do even about their own activity. You know, in in enabling access to data ability to opt out of your data being sold even the ability to delete your data. Yeah, like that's definitely restoring some power to individuals who are engaging with tech companies. I think there's a bigger question and kind of a more fun question to play with regarding this as far as like, so what does collective power looks like right like, I think, right. Like legislation like the CCPA restores some individual power of the ability for, for everyday people to have more knowledge of what data companies have about them. But I think in order to like truly challenge the, the power that's been amassed by these large technology companies sitting on vast troves of data there needs to be some sort of collective action on the consumer side that would counter that in order to meaningfully to go into the power and so it's kind of fun to dream big about what that could look like now that we have some policy tools to start to put that in action. Okay. The other user data that I had come across is, is what is called as community labeling. I think that means that they will go back and say this place this is called this bunch of people, I will not give a loan or it has a high interest kind of a thing. It does the law allow that kind of bargaining where all the residents in as it could come back and say now you have to delete all the data that you have on the database about this resident about this particular week. So I think if those requests were coming from individuals who have chosen as a collective to make similar types of requests based on geography or you know whether it's people who went to a certain school or people who use a certain product that had a data breach or whatever it is like, I think that's all possible under CCPA and I think, you know, CCPA hasn't been on the books for that long so what will be really interesting and cool to observe is over time. What are the creative ways that individuals choose to organize and kind of pool together the power that they have as consumers to start to make those requests in a coordinated way where there might be something really substantial to be learned. The reason why I asked is because if you look at the offerings mechanism that you guys researched, which is you have a third party agent will just go and do all the work, right, for individuals who don't have the time to get opt out requests. It's a kind of a, I mean third party union, or come some kind of collection action. I mean you just basically one step on the process by saying that look you don't have the time. I have the time to coping all these people and get your stuff deleted. I mean, it is kind of natural that some point of time the bigger the problem of data broker and people understand how data can bring down democracies, which we see nowadays often every place. Do you see that happening as a logical extension of many communities organizing themselves. I mean, coming and giving a single agent and say now you just got to delete everything about my that would be the dream right like that would be amazing because right now there's like, like aside from the authorized agent there are places you can pay to remove data for you but like they're not as effective as they could be. Because there's no law so these companies can say like no we like we don't allow you to opt out on behalf of somebody else or whatever so like, yeah I think that would be great if it was just like, you know an authorized agent just said all these people don't want anything. And like you would have to negotiate him and come to the table with them like that would be amazing it is kind of like a union I guess except for that. You know it's not really worker based. Okay. Yeah. I mean, you can just joke it as data worker union or something data subject unions. Right. It was just a matter of time because I mean it's just a matter of the law is there and the procedures in process of being rolled out it is just a matter of creative use and these things ever over time my situation is what's basically why one of us. Anything else we have three more minutes. I guess I still hold out hope against hope that there should be like national legislation, like that we don't have to kind of look at state laws and hope that some states follow those laws for people in other states like that, like I still hold out hope that the 2014 FTC report like that those guidelines will eventually be followed even though there was legislation that was proposed it wasn't passed federally but I still think it would be amazing if it was. Yeah, and I will say I mean so we haven't talked that much about the CPRA in this panel but this is proposition 24 which was on the ballot in California just this past November and the CPRA is a privacy law. In the philosophy of CCPA in many ways but it kind of clarifies definitions of sale of data and has some more granular implementation requirements that will come on the books in a few years. And I would say that not just you know the passage of the CCPA which was this kind of landmark event and and privacy law in the United States but also this quick follow on with this additional privacy regulation. There's at least talk that the you know the promising signs of two major laws in California in a short amount of time provide good traction for a lot of these principles to become federally mandated and so I think that's something you know people are excited about and kind of seeing in the future. All right, you're almost out of time. All right, since we have no more time and I will just say this. So what we haven't has because the that we have a whole bunch of things on the stock topic called privacy mode, and anyone who was patient enough to watch this until the very end, feel free to come and the, you know, talk about anything about the work they're doing on privacy technology law, and they can also some intercession areas and has people com slash privacy mode. And that is about it, and you'll be very happy to host anyone who's doing any work on this. Thank you so much for having us. Thank you. Yeah, no, this was great. What a good conversation. Thank you. Bye.