Seun Solomon Bakare,Adekunle Oyeyemi Adeniyi,Chidiogo Uzoamaka Akpuokwe,Nkechi Emmanuella Eneh

DOI: https://doi.org/10.51594/csitrj.v5i3.859

2024-03-09

Computer Science & IT Research Journal

Abstract:This Review provides an overview of the comparative review of data privacy laws and compliance, focusing on the European Union's General Data Protection Regulation (EU GDPR) and data protection regulations in the United States. The analysis explores key similarities and differences, emphasizing their implications for businesses and individuals. The EU GDPR, implemented in 2018, stands as a landmark regulation governing data protection and privacy for individuals within the European Union and the European Economic Area. In contrast, the United States lacks a comprehensive federal data privacy law. Instead, it relies on a patchwork of sector-specific laws and state regulations, such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA). One major distinction lies in the overarching principles of these regulations. The EU GDPR adopts a comprehensive and rights-based approach, emphasizing individual rights to privacy, data portability, and the "right to be forgotten." In contrast, the U.S. system often focuses on specific industries or types of data, leading to a more fragmented regulatory landscape. Both regulatory frameworks incorporate principles of transparency, consent, and data breach notification. However, differences in enforcement mechanisms and penalties exist. The EU GDPR imposes significant fines for non-compliance, reaching up to 4% of a company's global annual revenue. In the U.S., penalties vary by state, and enforcement is often reactive, triggered by data breaches. Businesses operating globally must navigate these distinct regulatory landscapes, necessitating a nuanced approach to data privacy compliance. Multinational corporations must adhere to the more stringent requirements when handling EU citizens' data while also considering the diverse regulations within the U.S. This review underscores the ongoing evolution of data privacy laws worldwide and the critical importance for organizations to stay abreast of these developments. It emphasizes the need for a proactive and adaptive approach to data privacy compliance, taking into account the unique requirements and expectations of both the EU GDPR and U.S. regulations. Keywords: Data Privacy, Laws, Compliance, EU GDPR, Regulations.

DOI: https://doi.org/10.1108/oxan-db247805

2019-11-15

Abstract:Subject Californian and US data privacy law. Significance On January 1 next year, California’s data privacy law takes effect. The law is the first such state statute and is likely to become a bellwether for the rest of the country. Impacts Other states are likely to pass similar statutes to California’s; New York is debating a stricter such law. Larger firms that have already complied with the EU GDPR privacy regulations have a business advantage. Some companies may struggle to comply in time with California’s new data privacy requirements.

Van Tran,Aarushi Mehrotra,Marshini Chetty,Nick Feamster,Jens Frankenreiter,Lior Strahilevitz

DOI: https://doi.org/10.1145/3613904.3642597

2024-03-26

Abstract:The widespread sharing of consumers personal information with third parties raises significant privacy concerns. The California Consumer Privacy Act (CCPA) mandates that online businesses offer consumers the option to opt out of the sale and sharing of personal information. Our study automatically tracks the presence of the opt-out link longitudinally across multiple states after the California Privacy Rights Act (CPRA) went into effect. We categorize websites based on whether they are subject to CCPA and investigate cases of potential non-compliance. We find a number of websites that implement the opt-out link early and across all examined states but also find a significant number of CCPA-subject websites that fail to offer any opt-out methods even when CCPA is in effect. Our findings can shed light on how websites are reacting to the CCPA and identify potential gaps in compliance and opt-out method designs that hinder consumers from exercising CCPA opt-out rights.

Human-Computer Interaction,Cryptography and Security,Computers and Society

Rex Chen,Fei Fang,Thomas Norton,Aleecia M. McDonald,Norman Sadeh

DOI: https://doi.org/10.1145/3463676.3485

2021-09-28

Abstract:Vagueness and ambiguity in privacy policies threaten the ability of consumers to make informed choices about how businesses collect, use, and share their personal information. The California Consumer Privacy Act (CCPA) of 2018 was intended to provide Californian consumers with more control by mandating that businesses (1) clearly disclose their data practices and (2) provide choices for consumers to opt out of specific data practices. In this work, we explore to what extent CCPA's disclosure requirements, as implemented in actual privacy policies, can help consumers to answer questions about the data practices of businesses. First, we analyzed 95 privacy policies from popular websites; our findings showed that there is considerable variance in how businesses interpret CCPA's definitions. Then, our user survey of 364 Californian consumers showed that this variance affects the ability of users to understand the data practices of businesses. Our results suggest that CCPA's mandates for privacy disclosures, as currently implemented, have not yet yielded the level of clarity they were designed to deliver, due to both vagueness and ambiguity in CCPA itself as well as potential non-compliance by businesses in their privacy policies.

Computers and Society

Chris Jay Hoofnagle,Bart van der Sloot,Frederik Zuiderveen Borgesius

DOI: https://doi.org/10.1080/13600834.2019.1573501

2019-01-02

Abstract:This paper introduces the strategic approach to regulating personal data and the normative foundations of the European Union’s General Data Protection Regulation (‘GDPR’). We explain the genesis of the GDPR, which is best understood as an extension and refinement of existing requirements imposed by the 1995 Data Protection Directive; describe the GDPR’s approach and provisions; and make predictions about the GDPR’s implications. We also highlight where the GDPR takes a different approach than U.S. privacy law. The GDPR is the most consequential regulatory development in information policy in a generation. The GDPR brings personal data into a detailed regulatory regime, that will influence personal data usage worldwide. Understood properly, the GDPR encourages firms to develop information governance frameworks, to in-house data use, and to keep humans in the loop in decision making. Companies with direct relationships with consumers have strategic advantages under the GDPR, compared to third party advertising firms on the internet. To reach these objectives, the GDPR uses big sticks, structural elements that make proving violations easier, but only a few carrots. The GDPR will complicate and restrain some information-intensive business models. But the GDPR will also enable approaches previously impossible under less-protective approaches.

Richmond Y. Wong,Andrew Chong,R. Cooper Aspegren

DOI: https://doi.org/10.1145/3579515

2023-04-14

Proceedings of the ACM on Human-Computer Interaction

Abstract:Power exercised by large technology companies has led to concerns over privacy and data protection, evidenced by the passage of legislation including the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While much privacy research has focused on how users perceive privacy and interact with companies, we focus on how privacy legislation is discussed among a different set of relationships-those between companies and investors. This paper investigates how companies translate the GDPR and CCPA into business risks in documents created for investors. We conduct a qualitative document analysis of annual regulatory filings (Form 10-K) from nine major technology companies. We outline five ways that technology companies consider GDPR and CCPA as business risks, describing both direct and indirect ways that the legislation may affect their businesses. We highlight how these findings are relevant for the broader CSCW and privacy research communities in research, design, and practice. Creating meaningful privacy changes within existing institutional structures requires some understanding of the dynamics of these companies' decision-making processes and the role of capital.

Simon Gunst,Ferdi De Ville

DOI: https://doi.org/10.54648/eerr2021036

2021-10-01

European Foreign Affairs Review

Abstract:In 2018, the Californian government adopted a new data protection framework. The flagship of this framework is the California Consumer Privacy Act (CCPA). As this new framework is widely considered to resemble the European Union’s (EU’s) General Data Protection Regulation (GDPR), this article intends to investigate whether the Brussels Effect could explain this resemblance. We apply process-tracing to test if the Brussels Effect causally connects the GDPR with the CCPA. The analysis is based on a careful evaluation of three sets of evidence. Firstly, privacy policies of Apple, Facebook, and Google are examined. Secondly, lobbying concerning the alignment of the implementation of the CCPA with the GDPR is scrutinized. Lastly, it is investigated whether the Californian government has used arguments linked to the Brussels Effect while drafting the CCPA and its subsequent implementing regulations. It is concluded that the Brussels Effect has indeed played a role in the adoption of the CCPA. Nevertheless, it has become clear that the impact of the Effect varies depending on exactly which provision of the GDPR is examined. Brussels Effect, process-tracing, California, CCPA, European Union, GDPR, Data Protection, Lobbying, Big Tech

Lothar Determann,Zhenyu (Jay) Ruan,Tingting Gao,Jonathan Tam

DOI: https://doi.org/10.69554/gmhh7774

2021-06-01

Abstract:In October 2020, China published a draft of the Personal Information Protection Law of the People’s Republic of China (PRC) for public comment. The draft law is intended to be the first consolidated and comprehensive law targeting the protection of personal information in China. If enacted in its current form, the law would introduce a suite of obligations that apply to organisations in both the private and public sectors and individuals that process Chinese residents’ personal information. The scope, structure and substance of the draft law not only resemble that of the European Union (EU) General Data Protection Regulation (GDPR) in a number of key ways but also diverge from the GDPR in many respects. The draft Chinese law also has some similarities with various US privacy laws, although the United States has not enacted a comprehensive federal privacy law that applies across the country. Despite the variations among the regimes of China, the EU and the United States, organisations that do business in these geographies can leverage the privacy compliance programmes they may have established for the United States and EU to prepare for the implementation of the draft Chinese Personal Information Protection Law. This paper summarizes the key requirements of the draft Chinese law and provides high-level observations regarding its similarities to and differences from the GDPR and key US privacy laws.

Sean Sirur,Jason R. C. Nurse,Helena Webb,Jason R.C. Nurse

DOI: https://doi.org/10.48550/arXiv.1808.07338

2018-08-22

Computers and Society

Abstract:The EU General Data Protection Regulation (GDPR), enforced from 25th May 2018, aims to reform how organisations view and control the personal data of private EU citizens. The scope of GDPR is somewhat unprecedented: it regulates every aspect of personal data handling, includes hefty potential penalties for non-compliance, and can prosecute any company in the world that processes EU citizens' data. In this paper, we look behind the scenes to investigate the real challenges faced by organisations in engaging with the GDPR. This considers issues in working with the regulation, the implementation process, and how compliance is verified. Our research approach relies on literature but, more importantly, draws on detailed interviews with several organisations. Key findings include the fact that large organisations generally found GDPR compliance to be reasonable and doable. The same was found for small-to-medium organisations (SMEs/SMBs) that were highly security-oriented. SMEs with less focus on data protection struggled to make what they felt was a satisfactory attempt at compliance. The main issues faced in their compliance attempts emerged from: the sheer breadth of the regulation; questions around how to enact the qualitative recommendations of the regulation; and the need to map out the entirety of their complex data networks.

Sanchit Alekh

DOI: https://doi.org/10.48550/arXiv.1806.03253

2018-06-01

Computers and Society

Abstract:The GDPR, or the Datenschutz Grundverordnung (DSGVO) in German, is an EU Law which addresses the subject of safeguarding privacy of personal data of the citizens of the EU and EEA. It also specifies how data the collected data might be transported out of the EU/EEA. It is the first genuine effort to unify the plethora of disparate privacy regulations put forward by different regulatory bodies. The GDPR aims to not only give more control over their personal data to the citizens, but also make conformance for businesses easier by defining unified guidelines. It also presses businesses, especially those dealing with sensitive personal data, to build their information systems in a way that confirms with Privacy by Design. These regulations aim to ensure a more transparent handling and processing of personal data, and create an environment of trust and awareness on both sides, i.e., the data owner as well as the controllers/processors.

François Gilbert

2012-05-01

Abstract:The proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the plans for a comprehensive reform of the data protection rules in the European Union. The new data protection framework would be based on two documents: a Regulation, (1) which would address the general privacy issues, and a Directive, (2) which would address the unique issues associated with criminal investigations. The proposed legislative texts are intended to redefine the legal framework for the protection of personal data throughout the European Economic Area. (3) The vision revealed in the documents published on January 25, 2012 (4) is generally consistent with the plan of action that was presented in late 2010. (5) What is new, or was not clearly specified in 2010, is the shift to a single law that would be common to all of the Member States. (6) The publication of the Proposed Regulation and Proposed Directive signals a very important shift in the way data protection will be handled in the future throughout the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented on January 25, by 20157, the European Union Member States will be operating--for most types of activities--under a single data protection law that applies directly to all entities and individuals. (8) In many cases, companies will no longer have to suffer the fragmentation resulting from the significant discrepancies in the manner in which the 27 Member States interpreted and implemented the principles set forth in Directive 95/46/EC to create 27 different sets of national laws. (9) A single set of rules on data protection, valid across the EU, would make it easier for companies to know and understand the rules. Unnecessary administrative burdens, such as notification requirements for companies, (10) would be abolished. (11) Instead, the proposed Regulation provides for increased responsibility and accountability for those processing personal data. (12) In the new regime, organizations would only have to deal with a single national data protection authority in the EU country where they have their main establishment. (13) Likewise, people would be able to refer to the data protection authority in their country, even when their data are processed by a company based outside the EU. (14) The proposed reform would create more obligations for companies (15) and more rights for individuals, (16) while removing some of the administrative burdens that currently cost billions of Euros to companies.17 However, numerous additional requirements would come instead. While the new data protection regime would reduce red tape, it would require entities to be more accountable, (18) to have in place written procedures and processes that they actually use, (19) and to be able to show that they do comply with the applicable legal requirements. (20) Entities would be responsible for conducting privacy impact assessments in some circumstances, (21) to comply with individual requests to exercise their "right to be forgotten," (22) and to notify data protection authorities and individuals in the event of a breach of security. (23) U.S. companies that do business in or with the European Economic Area should start preparing for this dramatic change in the data protection landscape. Some of the provisions will require the development of written policies and procedures, documentation, and applications as necessary to comply with the new rules. Security breaches will have to be disclosed, (24) and incident response plans will have to be created accordingly. The development of these new structures will require significant investment and resources. IT and IS departments in companies will need to obtain greater, more significant budgets in order to finance the staff, training, policies, procedures and technologies that will be needed to implement the new provisions. …

Business,Law

Sean O'Connor,Ryan Nurwono,Aden Siebel,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2009.07884

2021-07-14

Abstract:The California Consumer Privacy Act (CCPA) -- which began enforcement on July 1, 2020 -- grants California users the affirmative right to opt-out of the sale of their personal information. In this work, we perform a series of observational studies to understand how websites implement this right. We perform two manual analyses of the top 500 U.S. websites (one conducted in July 2020 and a second conducted in January 2021) and classify how each site implements this new requirement. We also perform an automated analysis of the Top 5000 U.S. websites. We find that the vast majority of sites that implement opt-out mechanisms do so with a Do Not Sell link rather than with a privacy banner, and that many of the linked opt-out controls exhibit features such as nudging and indirect mechanisms (e.g., fillable forms). We then perform a pair of user studies with 4357 unique users (recruited from Google Ads and Amazon Mechanical Turk) in which we observe how users interact with different opt-out mechanisms and evaluate how the implementation choices we observed -- exclusive use of links, prevalent nudging, and indirect mechanisms -- affect the rate at which users exercise their right to opt-out of sale. We find that these design elements significantly deter interactions with opt-out mechanisms -- including reducing the opt-out rate for users who are uncomfortable with the sale of their information -- and that they reduce users' awareness of their ability to opt-out. Our results demonstrate the importance of regulations that provide clear implementation requirements in order empower users to exercise their privacy rights.

Cryptography and Security,Computers and Society,Human-Computer Interaction

Excel G Chukwurah

DOI: https://doi.org/10.51594/csitrj.v5i4.1047

2024-04-17

Computer Science & IT Research Journal

Abstract:As data privacy concerns become increasingly prevalent, especially in the U.S. where regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) are setting new standards, technology companies must adopt advanced risk management strategies to ensure compliance and protect consumer data. This review explores the concept of proactive privacy and outlines key strategies for integrating privacy considerations into product development processes. The review begins by highlighting the growing importance of data privacy in the U.S. tech industry, emphasizing the need for proactive approaches to privacy management. It then introduces the concept of proactive privacy, which involves identifying and mitigating privacy risks early in the product development lifecycle. The review emphasizes the importance of adopting a privacy-by-design approach, where privacy considerations are integrated into every stage of product development. The review then outlines several advanced risk management strategies for proactive privacy. This includes conducting thorough privacy impact assessments (PIAs) to identify potential privacy risks associated with new products or services. It also emphasizes the importance of implementing privacy-enhancing technologies, such as encryption and anonymization, to protect consumer data. Furthermore, the review discusses the importance of establishing a culture of privacy within tech companies, where privacy is viewed as a fundamental value and employees are educated about privacy best practices. It also highlights the benefits of engaging with privacy experts and regulators to stay informed about evolving privacy regulations and industry standards. In conclusion, the review emphasizes the importance of proactive privacy in product development and highlights key strategies for integrating privacy considerations into the development process. By adopting advanced risk management strategies and prioritizing privacy throughout the product lifecycle, U.S. technology companies can enhance consumer trust, ensure compliance with regulations, and mitigate privacy risks. Keywords: Proactive Privacy, Risk Management, Strategies, Product Development, Advanced

Jan Charatan,Eleanor Birrell

DOI: https://doi.org/10.56553/popets-2024-0042

2024-04-01

Proceedings on Privacy Enhancing Technologies

Abstract:The California Privacy Rights Act (CPRA) was a ballot initiative that revised the California Consumer Privacy Act (CCPA). Although often framed as expanding and enhancing privacy rights, a close analysis of textual revisions---both changes from the earlier law and changes from earlier drafts of the CPRA guidelines---suggest that the reality might be more nuanced. In this work, we identify three textual revisions that have potential to negatively impact the right to opt-out of sale under CPRA and evaluate the effect of these textual revisions using (1) a large-scale longitudinal measurement study of 25,000 websites over twelve months and (2) an experimental user study with 775 participants recruited through Prolific. We find that all revisions negatively impacted the usability, scope, and visibility of the right to opt-out of sale. Our results provide the first comprehensive evaluation of the impact of CPRA on Internet privacy. They also emphasize the importance of continued evaluation of legal requirements as guidelines and case law evolve after a law goes into effect.

English Else

Chen Jian,Dan Dan

DOI: https://doi.org/10.11648/j.ajmse.20240903.11

2024-08-20

American Journal of Management Science and Engineering

Abstract:Customers today are increasingly demanding a personalized shopping experience, coupled with stringent data security measures and prompt responses. As the landscape of online privacy evolves, particularly with the anticipated sunset of third-party cookies by 2024, businesses face a critical imperative to revamp their customer data management strategies. The emergence of Customer Data Platforms (CDPs) stands out as a pivotal solution in this evolving ecosystem. This article undertakes a detailed critique of CDPs, starting with insights gathered from both users and industry experts, and subsequently examining consumer perceptions and behaviors in the digital realm. At the heart of contemporary consumer expectations lies the desire for tailor-made interactions that reflect their preferences and behaviors. This demand necessitates robust data management tools capable of aggregating, analyzing, and activating customer data across multiple touchpoints. CDPs have emerged as a central tool in this endeavor, offering businesses a unified platform to integrate disparate data sources and derive actionable insights in real-time. By leveraging comprehensive customer profiles built from first-party data, CDPs enable businesses to deliver personalized experiences that foster customer loyalty and drive revenue growth. Moreover, the impending demise of third-party cookies, compounded by stringent data protection regulations like GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act), underscores the urgency for businesses to adopt privacy-centric data practices. CDPs play a crucial role in this paradigm shift by empowering businesses to ethically collect and utilize customer data, thereby enhancing transparency and trust. However, challenges persist, including the complexity of integrating CDPs into existing infrastructures and ensuring compliance with evolving regulatory frameworks. From a consumer standpoint, attitudes towards data privacy are evolving, with an increasing emphasis on transparency and control over personal information. Consumers are more inclined to engage with brands that demonstrate a commitment to data security and ethical data usage practices. This shift necessitates a nuanced approach from businesses using CDPs, emphasizing not only personalization but also data protection and consent management. While CDPs offer substantial benefits in navigating the complexities of modern data management and meeting consumer expectations for personalized experiences, their successful implementation hinges on addressing technical, regulatory, and ethical considerations. By doing so, businesses can not only adapt to the evolving landscape of digital privacy but also foster enduring customer relationships grounded in trust and mutual value.

J. Noar,N. Hemmings

DOI: https://doi.org/10.12968/ORTU.2018.11.3.110

2018-07-02

Orthodontic Update

Abstract:Abstract: The General Data Protection Regulations (GDPR) govern the use of personal data within the European Union as from 25th May 2018. This supersedes the legislation of the Data Protection Act (DPA). Whilst it has many similarities to the DPA, it has significant enhancements that require active engagement to ensure compliance. It is a requirement for practices to appoint a Data Protection Officer, pay the Information Commissioners Office (ICO) fee, update their privacy notices, create written contracts between controllers and processors, identify and document the lawful basis for processing data, and comply with the rights of individuals. CPD/Clinical Relevance: Data protection regulations have changed as part of EU legislation. These changes applied from 25th May 2018 and are applicable to all.

Business,Law

Weber Philip Andreas,Zhang Nan,Wu Haiming

DOI: https://doi.org/10.1007/s10660-020-09422-3

2020-01-01

Electronic Commerce Research

Abstract:The growth of e-commerce and other platforms has significantly increased the amount of personal data that is shared and submitted online; however, the adequate and secure collection and processing of these data is of great concern. With the EU’s implementation of a new data protection regulation in 2018, the development of personal data protection globally has reached an important turning point and has sparked the interest of scholars and businesses. Text coding was employed to compare the current personal data protection regulation landscape in the EU and in China to discover the differences between the General Data Protection Regulation and the personal data protection regulations of the fastest-growing economy in e-commerce. The results show that while there are several similarities in regard to general requirements, such as principles of data processing and basic rights for data subjects, China’s personal data protection regulations tend to lack specific operational requirements and strong legal enforcement. Based on the research results, implications and recommendations for the government and companies are provided.

Excel G Chukwurah,Samuel Aderemi

DOI: https://doi.org/10.51594/csitrj.v5i4.1044

2024-04-17

Computer Science & IT Research Journal

Abstract:Data protection compliance is a critical issue for U.S. technology companies, especially in light of increasingly stringent regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). Achieving compliance requires a harmonized approach that aligns internal teams and processes with regulatory requirements. This review explores strategies for U.S. technology companies to harmonize teams and regulations to ensure data protection compliance. The first key strategy is to establish a cross-functional team dedicated to data protection compliance. This team should include representatives from legal, IT, security, and other relevant departments. By bringing together experts from different areas, companies can ensure a comprehensive approach to compliance that takes into account legal requirements, technical capabilities, and organizational policies. Secondly, companies should invest in training and education for all employees on data protection principles and compliance requirements. This includes raising awareness about the importance of data protection, as well as providing specific training on how to handle personal data in accordance with regulations. By ensuring that all employees are informed and knowledgeable about data protection, companies can reduce the risk of non-compliance. Another important strategy is to implement privacy by design and by default principles in product development and business processes. This means building privacy considerations into products and services from the outset, rather than trying to retrofit them later. By incorporating privacy into the design process, companies can ensure that their products and services are compliant with regulations and protect user data. Finally, companies should establish a culture of continuous improvement and accountability when it comes to data protection compliance. This includes regularly reviewing and updating data protection policies and procedures, as well as conducting regular audits and assessments to identify and address compliance gaps. By making data protection a priority at all levels of the organization, companies can reduce the risk of data breaches and non-compliance with regulations. Keywords: Data Protection, Compliance, Strategies, Technology, Regulations.

Van Hong Tran,Aarushi Mehrotra,Ranya Sharma,Marshini Chetty,Nick Feamster,Jens Frankenreiter,Lior Strahilevitz

2024-09-14

Abstract:To protect consumer privacy, the California Consumer Privacy Act (CCPA) mandates that businesses provide consumers with a straightforward way to opt out of the sale and sharing of their personal information. However, the control that businesses enjoy over the opt-out process allows them to impose hurdles on consumers aiming to opt out, including by employing dark patterns. Motivated by the enactment of the California Privacy Rights Act (CPRA), which strengthens the CCPA and explicitly forbids certain dark patterns in the opt-out process, we investigate how dark patterns are used in opt-out processes and assess their compliance with CCPA regulations. Our research reveals that websites employ a variety of dark patterns. Some of these patterns are explicitly prohibited under the CCPA; others evidently take advantage of legal loopholes. Despite the initial efforts to restrict dark patterns by policymakers, there is more work to be done.

Human-Computer Interaction

Maaz Bin Musa,Steven M. Winston,Garrison Allen,Jacob Schiller,Kevin Moore,Sean Quick,Johnathan Melvin,Padmini Srinivasan,Mihailis E. Diamantis,Rishab Nithyanand

2024-10-05

Abstract:The development of tools and techniques to analyze and extract organizations data habits from privacy policies are critical for scalable regulatory compliance audits. Unfortunately, these tools are becoming increasingly limited in their ability to identify compliance issues and fixes. After all, most were developed using regulation-agnostic datasets of annotated privacy policies obtained from a time before the introduction of landmark privacy regulations such as EUs GDPR and Californias CCPA. In this paper, we describe the first open regulation-aware dataset of expert-annotated privacy policies, C3PA (CCPA Privacy Policy Provision Annotations), aimed to address this challenge. C3PA contains over 48K expert-labeled privacy policy text segments associated with responses to CCPA-specific disclosure mandates from 411 unique organizations. We demonstrate that the C3PA dataset is uniquely suited for aiding automated audits of compliance with CCPA-related disclosure mandates.

Computation and Language,Information Retrieval