Back in January, we evaluated a number of websites in light of the updated CCPA requirements becoming effective. Since then, additional states’ data privacy laws have become effective, and so we decided to run a similar scan (of roughly 500 websites) in July, reviewing the sites for potential compliance issues.
The states we selected were Colorado and California, the former being one of the newer states to enact their laws (the Colorado Privacy Act) and the latter being a good benchmark to see how much (or little) sites had improved in their compliance activities over the past six months.
We conducted our evaluation over a Virtual Private Network (VPN) that caused us to appear as if we were in California or Colorado as needed. This addressed any potential for false readings, as we would accurately fall within any geofencing logic that may be present. We analyzed results in the second week of July 2023.
Always be up to date with the Further Data Privacy Newsletter.
Data Privacy Compliance Survey Findings
Here is what we found and some of our most significant causes for concern.
1. Consent Management
During this evaluation, we reviewed each site to determine if it had a consent management system.Just over half (53.1%) lacked any sort of consent management feature, including a consent banner, present. While the total remains above 50% lacking this feature, this was a minor improvement (2%) from the review we did six months ago.
Without some sort of technical mechanic to honor the user’s desire to opt out of data collection, sites may be incapable of complying with the user’s wishes, and as a result, continue to collect data despite their desire not to be tracked.
2. Banner User Experience
Banner user experience covers items such as dark patterns, button prominence, and related content. Requirements for this area were drawn from a review of both California’s finalized Regulations (which have yet to enter enforcement) and Colorado’s regulations.
California
With California’s standard applied, 64.73% of sites had some issue related to the UX requirements outlined in the regulations. This was an improvement over the previous six months (6.7%) indicating that the industry is taking notice of the CCPA and California’s willingness to conduct enforcement sweeps.
Colorado
When we looked at Colorado, things were slightly worse, banner-wise, with 69.96% lacking some item from the Colorado Privacy Act regulations (which are slightly different from CCPA). This delta of 4.77% shows the difficulty of complying with the patchwork of State privacy laws we find ourselves in. What may work in one State, may not meet standards in another.
If we take a step back, we can see that slowly, items appear to be improving. But the question remains: What will it take to see notable improvements, with the majority of banner experiences considered compliant with the various state agencies?
3. Banner Functionality
Banner functionality testing was an evaluation of the banner doing what it says on the tin. For example, if we, the user, opted out of data collection, was data still collected?
California
Unfortunately, we found that in 72.67% of tests, it didn’t matter that we opted out of collection. Our data continued to be collected. This puts affected businesses on a collision course with regulators, who treat that scenario as a deceptive trade practice.
Under California law, additional enforcement may come from having a non-functional opt-out process. This was a minimal improvement over our scan six months ago (only 0.8%), indicating that this continues to be a challenging area for organizations three years after the enactment of the CCPA.
Colorado
In Colorado, things were again slightly worse, functionality-wise, with 74.81% of tested experiences not modifying their data collection when we denied consent, making it worse than what we tested in California six months prior. This likely reflects that while California and the CCPA get the focus of attention from organizations, proper geofencing for Colorado has yet to be established to modify the experience for Colorado users.
4. Privacy Policy Updates
When it came to Privacy Policy updates, we looked for a bare minimum of items. We checked for an updated date (that is, the date it was last updated), descriptions of data retention, a section for how California or Colorado residents could execute their rights, and whether there was a form to opt out of the sale of personal data.
California
While most sites (but not all) had a privacy policy, a sizable 67.25% were missing items we expected to be there. This document must be accurate and complete because this is one of the standards businesses are evaluated against regarding compliance enforcement.
All in all, this category saw the second-best improvement behind Banner UX for gains, with a 5.88% improvement over six months ago. Due to the fact that the privacy policy is often updated by Legal teams, it does hint that process work may be being completed, even if the technical execution (based on the other categories) is often lacking.
Colorado
Colorado is one of the States that requires allowinga user to submit an appeal in the event the company refuses to honor a Data Subject (end user requesting the change) request. When searching for references to how this appeal process may work, we found that 78.88% of sites contained no reference to this process.
When taken together, this shows while privacy notices are (in general) improving as time goes on, work needs to be done to integrate all the new items being introduced by the various States (such as an appeal process).
5. Global Privacy Control Compliance
Added as a new requirement for CCPA compliance in 2021, the Global Privacy Control (GPC) is a browser-level signal that the website should monitor for and treat as a valid opt-out request. GPC signal compliance gained notoriety in late 2022 when it was cited in the case against Sephora for non-compliance. While the case made headlines, it does not appear to have altered how businesses handle processing the GPC, even a year after that enforcement action.
We found that 86.63% of companies (6.57% improvement) did not properly detect the presence of the GPC nor undertake any action to modify data collection and opt-out behavior when presented with a browser broadcasting the signal. This metric continues to be the worst among what we look at for CCPA compliance.
As we know, the GPC will have increased focus in the coming years. Our findings indicate that most businesses continue to be ill-prepared to comply with the GPC signal and risk enforcement action from the California Privacy Protection Agency.
6. Opt-Out Linkage
Lastly, under California regulations, a site must have a link in the site footer, allowing users to opt out of the sale of their personal information. Non-compliance on link placement reached 75.19% (1.56% improvement), resulting in less than a quarter of businesses having the required linkage. Non-compliance in this area remains high considering the time that has passed since the CCPA entered enforcement in 2020.
As the link is required to allow consumers easy access to opting out of the sale of data, a missing link may subject the company to an increased risk of enforcement by the California Privacy Protection Agency.
Conclusion and Recommendations
Regulatory compliance can be challenging and will continue to become more complex, given that twelve states have passed comprehensive data protection laws. This round of review shows that while minimal gains are happening, massive improvements are still required (particularly in technical integration) for the majority of affected organizations.
We recommend working with Further’s privacy team to conduct a complete assessment of your site for data privacy and regulatory compliance. While the audit we conducted for this study focused on critical issues, our comprehensive assessment checks over 100 at-risk areas. We provide a detailed roadmap for correcting compliance issues that we find.
We invite you to review a complete list of our data privacy, regulations compliance, and tracking prevention solutions.
Worried about compliance and the potential consequences of not getting privacy and consent quite right? We can help. Reach out today.