 So yeah, I'm Yael. I'm an investigative tech reporter and I live in Phoenix. I've been writing about technology for about 11 years for a bunch of different sites, including the Intercept, Motherboard, Wired, Wirecutter, Arts, Technica, Consumer Reports. And you can find me on Twitter at Yaelbrides. So about four or five years ago, I started writing about data brokers, which is a bunch of sites that collect information about people. Basically, everything you do online leaves a paper trail, whether you're using a search engine or making a purchase. And even stuff you do offline, like getting married, buying a house, it all kind of leaves a paper trail. And I found out that these sites that I hadn't even heard of were just sharing this information and selling it to other sites and creating data profiles. So that's, so I became interested in that back then and started looking into ways to kind of try to mitigate that a little bit or even understand the risks of what information they have and what they can do with it. So there's basically three different types of data brokers. There's people search sites, which is when you plug in somebody's, maybe their name or where they live, their email address or just any information about them. And it pulls up a bunch of other information. Sometimes it will show you like home addresses, other addresses, relatives and that kind of information. Sometimes it'll show you different social media sites that they use under different names just across the internet going back like decades. And so those were the ones that I found personally the most concerning. But there's also marketing sites and a lot of the marketing data brokers will create a profile of people based on information that you search for or purchase. And they do this to be able to sell kind of groups of names of people that are interested in certain products or maybe fit certain profiles. And it can be kind of like a lot of people that seem that think that it seems pretty harmless because they're just you know, giving you better deals based on information that you're interested in. But it can actually be kind of nefarious because sometimes something that you're searching for will make you look like you're higher risk or like you have a medical condition and it can cause you to have higher rates for stuff or not be able to kind of access the types of services you needed, the prices that you would normally get. And then some people just find it kind of creepy. There's been like Facebook and some other sites have allowed you to see which kind of groups you're placed in. And it's something that some people find uncomfortable with are uncomfortable with. And sometimes information isn't accurate. And it's not always easy to kind of get it removed because like people are selling, they're not just selling the raw data, but algorithms that they created based on that data. So they'll put you in these categories, and they'll sell the actual categories. And so it's easier to sell that. And it's difficult for the people who are placed in these groups that they don't even know about to kind of be able to pull that information back. And then the third type of data broker is risk mitigation firms, which is probably the least harmful. They're basically checking for fraud. But it can be harmful sometimes if say you're living in an address that's associated with fraud and you're not able to make purchases that you want because they're incorrectly associating you with that address. So that is the third type of data broker. And then some of the risks that have come up aside from people just thinking, it's creepy to be marketed to based on these categories. And also some of the information is incorrect. Some of the other risks is identity theft. If people can find that information about you, it makes it easier for them to try to steal your identity. And also like stocking, people are really concerned about people being able to find their contact information, everything that they've ever written on any social media site, going back decades, and their home address. And that's probably the emails that I get the most from people who are concerned about this is they're worried about people being able to find them, find out where they live or their phone number and that kind of thing. But actually another risk that I haven't talked about is data breaches. So like even if the material isn't available publicly, sometimes people can just, even if you've opted out of having it displayed publicly, which we'll talk about optouts a little bit later, there's just been these exorbitant data breaches of some of these companies, where they're just able to get tons of information about everybody and share that. So that's something else to worry about because we saw like with Equifax and we've seen with Axiom and other companies that sometimes they don't secure the information to the level you want. So basically they're collecting information about people in many cases without their knowledge, let alone consent, and they're not keeping it insecure in some cases. So there are some restrictions for what people can do with information. And that's mostly based on credit or consumer reporting agencies. So if you have a credit report and people are using that credit report to decide whether to give you a job or to give you credit, you can't you have the ability to access and report and correct any errors. And the companies that are trying to get that information, they can only do it like in some cases, they need you to sign up on it, or they can only access it in really specific circumstances. And there's also another restriction is the Federal Trade Commission Act, the FTC Act has Section 5, and that prohibits unfair or deceptive acts. So basically if a site is making misleading statements or causing injury to you, and you can prove that then the FTC can take some action. But it's really hard to kind of prove harm. And there's been some losses with the companies that have done this. So it's really hard to prove that like this person got my information from your site and then did X. So there are some restrictions, but they're just a little bit more limited than people would like. And one of the more frustrating things about covering this is that there was this amazing report that the FTC wrote in May 2014, 110 pages, and they had all these suggestions for what data brokers should do for improved transparency and accountability. They said you should share with people what data you're going to share and with who. They should be able to opt out. There should be a single portal that they can opt out nationally. And they had some other ideas and they wrote this great report and none of it was implemented. And some people thought it would be implemented after the Equifax data breach, but it wasn't. So the report's still there, it's still relevant, and there hasn't been any national legislation in the US based on it. So then that leaves it to individuals to try to figure out like what am I going to do about all this information about me that's online. And you can try to opt out of some of these sites for the marketing sites. It's a little bit easier. You can freeze your credit. So basically like companies that want to give you credit can access information in your credit report, but not if your credit is frozen. So that's something that you can do. You just have to like unfreeze it before you want to use it again. So it can be a little bit of a hassle. You can file an FTC complaint if you do find that a site is misusing your information in a way that's misleading and harmful. And then just being careful about giving out information. But that's again, that's really challenging because you leave a paper trail everywhere you go. A lot of this information is public. Like voter in many states in the US voter records have your mailing address and those are public or easy to access. And like buying a house, buying real estate, a lot of it is publicly accessible. So there's only like so much you can really do to avoid giving out information. And then for people search sites specifically, and that's what a lot of people contact me about because they want to make sure their address isn't online, especially if they're in a public facing position or maybe they do activism or some kind of reporting or something like that where they have people that don't like them online and they don't want them to know where they live. And you can actually remove those. And I actually have a guide called the big ass data broker opt out list. And it has a bunch of information on how to remove your data from these different sites. The only problem is that it's tedious and time consuming. And sometimes it reprilibrates because they're pulling that information from public sources. And, and they'll keep doing that. So you have to repeat this process. You know, every maybe three to six months, probably. You can also pay somebody to take it down for you. And there's different organizations to do that. I've used Delete Me and Privacy Doc and there's a few others that will do that. But it does cost money and it's not completely comprehensive. Because some sites will like tell you that you can take your information down only if you do it yourself. They won't let anybody else do it on your behalf. And so, and you have to kind of go through and check to make sure it's actually being taken down sometimes. And so like, for example, my list of of takedown sites is more comprehensive than Delete Me. So even though I've used Delete Me, I'll still go through and try to find my information on sites that haven't taken it down. And they're constantly changing like they're they buy each other out or they change how you can opt out or they have different sites. So when I update my list, like I check this every six months and I'm always it's kind of like a like a game to try to figure out like oh here's the new way to opt out because they don't make it easy or friendly for people. And not all sites will even let you take take your information down. There's also like some and you'll talk about this more but there are some states that do have some local laws that allow you to make this a little bit easier for you to do that some people in those states can take advantage of. Oh, yeah. And there's one other thing about this too is that if you're if you do find your address that's posted on on social media or in a search engine, you can get it removed. You can file a complaint on Twitter and they'll usually take it down or on Facebook. And then in search engines, there's actually like a couple of links that you can use to try to get it removed by just telling them this is my personal data I want to take it down. So it might still end up on like a shadowy site that posts these things but it won't show up in a search engine when people Google your name, which can be can be helpful. So I talked a little bit about the biggest data broker opt out list that I've maintained. I try to update it every six months or so. A lot of these sites will ask for more information before you opt out. And so what I do is I make sure my name is already on there before providing more information to them. There's some that charge money for access to removal, which I don't personally I've never paid for that because I'm just not going to pay somebody for it. Like what if they put it back up again? Some of them make you actually write a letter and send it in by mail. Some of them have you use a fax machine. Some of them will require more information, which personally like for me if my goal is to get my information taken off of the web then I'm okay with providing some information. But I'll cross out anything else that they don't need. Like for example, if they ask for a driver's license, I might send them a copy of my driver's license, but I'll cross out the ID number and any other information because they are reasoning as they say they want to make sure to verify that you are the person whose information they're removing is actually asking for it. But yeah, we do have this list and try to make it a little bit easier even though it is still like a time consuming and tedious process. And these are some of the links of articles that I've written in that are online about data brokers. The first piece by the data broker call for transparency and accountability from the FTC, which is that 110 page report that wasn't followed. But I do think it has like a blueprint for what states can do and what you know the federal government could do in the future if they decide to do it. And then the opt-out list, I have it on both Google Docs and GitHub. And then there's this really great article about getting that Maria has sent off wrote about trying to get your name off of people search sites for consumer reports. And they also link to a sort of how-to guide for deleting information that I wrote, which links to the opt-out list but just provides more information about the process. And yeah, I'll be available to answer questions. Hi everyone. My name is Ginny Foss. I'm a social entrepreneur and I work at the intersection of technology and policy. I've worked on a number of different tech policy projects, but recently I've been laser focused on data privacy and consumer rights. And so I'm really interested and excited to be here with you all today talking about tools for making data rights meaningful for everyday people and how kind of tooling and products can fill the gap between what policy provides and what everyday people are realistically able to take action on. So the big question that I'm focused on right now is how might we meaningfully expand data rights to individuals, to everyday people. And in the US there's this new tool that makes this question particularly compelling or possible to explore. And it's a piece of legislation called the CCPA, the California Consumer Privacy Act, which is a really exciting milestone for us here in the US because it's the first comprehensive commercial privacy law in the States. It was signed into law in 2018 and implementation began this year in 2020. And it's making a lot more possible as far as individuals' ability to meaningfully exercise their data rights. So what is the CCPA and why should we be excited about it? So there are a few main privacy rights that the CCPA extends. The first is the right to know the personal information that a company has on file about you. And practically that means that individuals should be able to retrieve a copy of the data that a company has on file. There's the right to delete personal information that a company has on file about you. If you don't trust this company or don't want them to have your data anymore, then you have the right to request that they wipe it from their databases. And then finally, there's what Gael was speaking about earlier as far as the right to opt out of the sale of your personal information by companies. I think most consumers or everyday people might not be aware of the extent to which companies sell data about them. And under the CCPA, any individual can opt out of the sale of their data such that companies aren't able to monetize on the activity and personal information that everyday people are sharing with platforms and products they use. Or platforms and products that get their information some other way. They may not even be a user of those products, as is the case with data brokers. So this seems great, right? Like we have this great new privacy law. We have all these rights. What's the problem? Well, the problem is that these rights practically are actually just very challenging to use. Gael mentioned the list that she has, this big ass data brokers opt out list, which every six months she's going through and for these dozens of companies, she's updating how one might opt out of the sale of their data by these companies and even maintaining that's a challenge. But then as an everyday person who's not a privacy expert or privacy professional, who may have never heard of a data broker or never really understood what it means to opt out of their data being sold, maybe they don't even know that data is sold about them. And so there's this big gap between what policy allows and what everyday people would reasonably be able to do if they cared about their own privacy, or even just how much they would have to know in order to take action towards their own privacy. Consumer Reports published just last month at the beginning of October, a study in which they recruited a few hundred volunteers to start issuing request to companies, request to opt out of the sale of data, request to know the data companies have about them, etc. And it turns out that everyday people have a really hard time using these new rights because for the most part it's still really early days for CCPA. Companies have set up really different processes for handling these requests. They don't always make it easy to submit the request. They don't always know how to process the request. And so for any person off the street, these privacy rights are sometimes a little bit more hypothetical than they are actionable. So what tools might exist to help people exercise their privacy rights? One initiative that launched a few weeks ago that's really exciting is this global privacy control initiative, which works with a browser signal. So the idea is that you could create settings in your browser about your privacy preferences and that any business whose website you visit would have to respect those privacy preferences that you have designated up front. This is a consumer product. It's a technology. It's a tool that lives in the browser. It can and will be very helpful to a number of people. But it doesn't account for the fact that there are all of these industries and companies that are selling personal data. And everyday people don't even know that these companies exist, that they have their data, that they're selling their data. Data brokers obviously are, you know, any company listed on the California data brokers list is a company where probably most people off the street don't realize that that company exists, that company has their data, etc. And so a solution like global privacy control starts to break down when you consider companies that maybe aren't consumer brands or that just aren't popular in consumers awareness. So what else can be done? There's a provision in the CCPA called the authorized agent provision. And the idea is that, you know, there are these rights extended in the CCPA, the right to know, the right to delete, the right to opt out of the sale of your information. But practically, since it's hard for everyday people to take those actions, the CCPA says that an authorized agent can make these requests on behalf of consumers. And an authorized agent is pretty loosely defined in the CCPA. It's any third party. So it could be an outside organization, it could be my mother, it could be, you know, an individual I know who I would trust to make a data request for me. But, but because of this provision in CCPA, essentially, there's an allocation for somebody who's more of an expert to make requests for you. And that's what I'm really interested in exploring right now. So right now, I'm working with a team at the Digital Lab at Consumer Reports, and we're working on trying to create authorized agents that take actions for individuals on their behalf in risk, in regard to their data. So just a few weeks ago, pretty recently, we launched our first experiment of being an authorized agent. And so what this experiment is, is we have recruited some volunteers to help participate. We have 110 consumers who have signed some legal paperwork. And the paperwork says, I designate the Consumer Reports organization to act as an authorized agent on my behalf and to submit data requests on my behalf. We are now currently representing these 110 consumers before 21 companies. So we selected this list of 21 companies for the pilot based on a number of criteria. We wanted a mix of companies that were popular consumer brands, as well as major data brokers, as well as a mix of industries. So we have some retail brands, we have some food and beverage brands, we have supermarkets, we have e-commerce. We really tried to, it's only 21 companies, but we tried to get as much diversity as possible in the sorts of business models and even consumer awareness. And over the past few weeks, we've issued 210 opt-out requests to these companies. So each company in the cohort has received 10 requests from Consumer Reports saying we are opting this consumer out of the sale of their data by your company. So essentially what this means at a high level is that we as Consumer Reports have created a technology by which we are acting as a virtual assistant to individuals who have desires for their data, but maybe don't know enough to act on it, maybe don't have enough time to act on it, maybe just are too busy to act on it. We're doing the work for them and making their data rights actionable by taking on responsibility of representing them to companies over concerns related to their data. And it's been really fun acting as an agent. And I would say in general authorized agent is a pretty nascent part of CCPA. There are other parts of the law that maybe have more in common with GDPR and other major privacy laws around the world. And so companies have a little bit more experience with how they might implement those parts of CCPA, but authorized agent is really singular to CCPA so far. And so when we submit these requests to companies, there is often a little bit of confusion about what this request is, like what part of the law is referring to how to take action on it. And so part of this pilot also has just been developing a better understanding of where industry is and starting to be able to implement the requirements of CCPA. And frankly, even beginning the conversation with companies or DSAR providers who are data subject access request professional groups that sometimes process requests on behalf of companies, we're starting to have a conversation more broadly in the industry of what's currently possible under authorized agent and what should be possible. And kind of we're all learning and exploring together what this often overlooked part of the CCPA privacy law might mean for individuals and for corporations who will need to be prepared to receive these requests. So this is what an agent request looks like in case you're curious. The CCPA really doesn't specify very many requirements about how authorized agents make requests. So our team has created a request format that seems to be working with the companies that we're reaching out to. But in order to be an authorized agent, you have to have the consumers information on files. So all of the consumers who have signed up for this pilot have provided their email and phone number. And then we've also verified their email and phone number so that we have confidence that the consumer is who they say they are. We've asked every participant in this pilot to sign a permission letter. And this is it's kind of a form legal document. And the permission letter says I, Ginny Fos is an individual authorized consumer reports to act as an agent on my behalf. And those letters are signed and dated and provided to companies when we make these requests is evidence that we have, you know, we are not fraudulent and that we really are representing the consumer. And then finally, because we're an organization that's making these opt out requests for everyday people, we need to prove that we are organization in good standing that we pay our taxes, those sorts of things. And so in the agent request, we also provide a certificate of information of consumer reports, which is just paperwork that demonstrates that we're an organization with license to operate in California. So again, we've sent out 210 of these so far to 21 different companies. And seeing the responses back has been really interesting. In general, what I'm really interested in right now and what the team at CR is working on as well, is this question of how might we meaningfully extend data rights to individuals. And we're very early in building tools that do that from the global privacy control solution I mentioned earlier that is the browser signal to this authorized agent idea of becoming an assistant that does work for everyday consumers who may not have as much context or time to deal with their own privacy. So these are just kind of our first two ideas. And so as we enter into Q&A and start to have a broader conversation, I'm really interested to hear from all of you about other ideas you have for tools that will help everyday people meaningfully exercise privacy rights that they are afforded by law, but that maybe are not practical to access. And I provided links to some of the materials I've referenced in case people want to dig deeper and understand some of what we've been working on. So yeah, that's everything from me. You can find me on Twitter via email and look forward to hearing your questions and having a broader conversation with you all about this as well.