On July 30, 2021, the Center for Long-Term Cybersecurity hosted a research symposium to examine and compare how firms, consumers, and other stakeholders have responded to the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
The working papers presented at the symposium represent an emerging body of trans-Atlantic research focused on the ground-level impacts of the GDPR and CCPA, the world’s first economy-wide digital privacy regimes. A key goal of the symposium was to nurture a community of researchers who can continue to work together on empirical studies of privacy and data protection regulations.
These studies, as well as future work, will be critical for informing policy debates, particularly as privacy laws continue to evolve in multiple jurisdictions. This research is also essential for improving understanding among policy-makers and the public about the promise and limitations of existing privacy regimes, and for developing new design tools to help organizations respond to current and emerging privacy legislation.
The papers presented were chosen following a request for proposals disseminated in late 2020. As the GDPR came into effect in 2018 and the CCPA followed in 2020, we sought research papers that addressed such topics as:
- How have organizations changed their structures and processes in response to these regulations?
- How have the new regulations led to changes in technical design and development processes within organizations?
- What new business models and practices have emerged as a result of the GDPR and CCPA?
- What changes in political engagement and contestation have resulted from these regulations?
- How have social norms and behavior changed in the wake of the implementation of the GDPR and CCPA?
The symposium allowed scholars to present 10 in-progress research papers, and brought together interdisciplinary perspectives on a variety of important issues related to the impacts of these privacy and data protection laws. The papers are briefly summarized below.
Technical Design, Implementation, and Users
Investigating the Compliance of Android App Developers with the California Consumer Privacy Act (CCPA)
In their paper, Nikita Samarin, Shayna Kothari, Primal Wijesekera, Serge Egelman, et al. evaluate whether (and how) 160 different apps comply with the CCPA’s requirements to provide consumers with accurate privacy notices and to respond to requests about what personal information the apps have collected, used, or shared.
The early findings suggest that many apps fail to comply with the CCPA’s requirements and that the process of finding out what an app actually does with personal information is onerous for consumers; however, the researchers noted that, because the CCPA is not actively enforced, there are few legal or market consequences for non-compliant developers.
When Law Makes Code: The Timing and Content of Technical Responses to GDPR and CCPA
Aileen Nielsen’s paper examines the relationship between law and computer code by investigating how and when legal regulations get translated into code.
The abstract explains, “This paper presents initial results from an empirical study of how two data protection statutes, GDPR and CCPA, have manifested in issue filing in open source repositories [i.e. GitHub]…. A preliminary assessment suggests that key legislative dates serve as strong signaling and deadline mechanisms for the technical community, but also that more compressed statutory timelines could provide benefits to the public sooner without creating undue hardship for technical communities.”
Beyond Opt In and Opt Out: Publisher and Advertiser Approaches to Targeted Advertising Under the GDPR and CCPA
In her paper, Maureen Mahoney examines how different online publishers and advertisers in California and Europe allow users to limit how they are targeted for advertising. Mahoney has found that the consent interfaces are primarily based on opt-out, rather than opt-in approaches, and are “typically onerous and confusing.”
Moreover, there is some blurring between the opt-in and opt-out models of user cookie controls (e.g., a website that gives users two buttons, “Accept All Cookies” and “Manage Settings,” instead of “Decline All Cookies,” is neither fully opt-in nor fully opt-out). Mahoney concludes that “despite the efforts to introduce consumer-friendly controls over these practices, the default for many companies is to allow data sharing and raise roadblocks for consumers seeking to protect their privacy.”
Enforcement and Regulatory Actors
The Hidden Harms of Expanding Privacy Penalties
In her paper, Mary Fan argues that the regulations and penalties in comprehensive privacy laws are generally presumed to be aimed at large firms, but in fact can be used against “small-fry individuals and entities, who may be from disfavored or marginalized groups.” Drawing on privacy cases under the GDPR, her article offers cautionary lessons for the United States, as it argues that “amorphously worded obligations coupled with the ease of hauling people into penalty proceedings can lead to targeting and harassment harms against disfavored groups with limited resources, such as migrants caught in the backlash against multiculturalism.”
The article offers a set of principles to protect against discretionary and potentially discriminatory targeting harms: it argues against vague, overly broad language in framing penalty-backed obligations to curb discretion to harass or selectively target disfavored groups; it argues for a regulatory model in which the enforcement agency has an explicit advisory role, rather than a predominantly quasi-prosecutorial role; and it argues in favor of safe harbors or exemptions for individuals and small businesses, and a complementary understanding that even seemingly minor penalties can carry major and severe collateral consequences.
Enforcing European Privacy Regulations from Below: Transnational Fire Alarms and the General Data Protection Regulation
This paper by Abraham Newman and Woojeong Jang draws attention to a less explored provision of the GDPR, Article 80, which, the authors explain, “allows third parties including non-governmental organizations to bring complaints for investigation.”
“Empirically, the article demonstrates how NGOs are playing a bottom-up role in transforming policy implementation. Theoretically, the article suggests that the legislation offers a novel governance tool — transnational fire alarms — in which third parties enhance accountability in the enforcement phase of the multilevel governance process.” The paper responds to a long-standing criticism that the GDPR relies too heavily on a top-down and legalistic approach, and demonstrates that individuals and data protection authorities (DPAs) need not be the only actors that can “activate the GDPR.”
Biased Privacy Enforcement? A Comparative Analysis of Post-GDPR Enforcement Styles
In his paper, Ido Sivan-Sevilla reveals national divergence in enforcement styles, against “Eurolegalism” expectations. Based on a questionnaire answered by 17 Data Protection Authorities (DPAs), interviews with DPA employees, and secondary sources on GDPR implementation, the study tests how micro- and meso-level mechanisms, such as issue salience, organizational capacity, and independence, shape agencies’ behavior. It shows where current policy implementation mechanisms in this space are lacking, and raises questions about top-down policy enforcement in the digital space.
Data Access and Policies
Measuring Privacy Law Diffusion Across U.S. State Legislatures
In their paper, Aniket Kesari and Jae Yeon Kim examine how privacy legislation diffuses across U.S. state legislatures. The researchers scraped legislative text across privacy topic areas and measured text reuse to examine how privacy law is shared and adopted across geographies.
The paper primarily concerns how privacy laws are formed: do states act as laboratories of democracy in privacy legislation, or do they copy legislative text from one another? And what role do private interests (i.e. interest groups and lobbyists) play in forming these laws? “This study examines the extent to which states experiment with novel privacy laws, or simply piggyback off other legislatures,” the authors wrote in their abstract. “Combining this comprehensive dataset of state privacy legislation with existing datasets on company privacy policies, this study then looks at whether companies change compliance strategies across different states.”
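As an added illustration of the text-reuse measurement described above (this is not the authors' pipeline, and it assumes nothing about their corpus; the three bill excerpts are constructed, not real legislation), the following Python code measures overlap between bill texts using word n-gram shingles, symmetric Jaccard similarity, and asymmetric containment. Containment matters for legislation because a short model bill copied wholesale into a longer one scores near 1.0 on containment even when Jaccard is diluted by the extra material.

```python
"""Text-reuse measurement between bill texts via word-shingle overlap.

Added illustration, not the study's own code: word n-gram shingling with
Jaccard similarity and asymmetric containment, the usual building blocks
for spotting copied statutory language.
"""
from __future__ import annotations

import re
from itertools import combinations

# Constructed sample bill excerpts (hypothetical; not real legislation).
BILLS = {
    "State A": (
        "Sec. 1. A consumer shall have the right to request that a business "
        "that collects personal information about the consumer disclose the "
        "categories and specific pieces of personal information the business "
        "has collected. A business shall not discriminate against a consumer "
        "because the consumer exercised any of the consumer's rights under "
        "this title."
    ),
    # Near-verbatim copy of State A: one word swapped, one clause appended.
    "State B": (
        "Section 1. A consumer shall have the right to request that a business "
        "that collects personal information about the consumer disclose the "
        "categories and specific pieces of personal information the business "
        "has collected. A business shall not discriminate against a consumer "
        "because the consumer exercised any of the consumer's rights under "
        "this chapter. A business shall provide a toll-free telephone number "
        "for submitting such requests."
    ),
    # Unrelated subject matter, so it should share essentially no shingles.
    "State C": (
        "Sec. 1. The department shall establish a program to promote the "
        "adoption of renewable energy by public utilities and shall report "
        "annually to the legislature on progress toward the targets set "
        "forth in this section."
    ),
}


def tokens(text: str) -> list[str]:
    """Lowercase and split on anything that is not a letter or digit,
    so section numbering, punctuation and hyphenation do not count."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def shingles(text: str, n: int = 5) -> set[tuple[str, ...]]:
    """Set of word n-grams; shared shingles are the signal of reused language."""
    toks = tokens(text)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Symmetric overlap: |A and B| / |A or B|. Two empty sets count as identical."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def containment(a: set, b: set) -> float:
    """Share of a's shingles that also appear in b (asymmetric)."""
    return len(a & b) / len(a) if a else 0.0


def reuse_scores(bills: dict[str, str], n: int = 5) -> dict[tuple[str, str], dict[str, float]]:
    """Pairwise reuse scores for every pair of bills, keyed by (name_x, name_y)."""
    sh = {name: shingles(text, n) for name, text in bills.items()}
    scores: dict[tuple[str, str], dict[str, float]] = {}
    for x, y in combinations(bills, 2):
        scores[(x, y)] = {
            "jaccard": jaccard(sh[x], sh[y]),
            "contain_x_in_y": containment(sh[x], sh[y]),
            "contain_y_in_x": containment(sh[y], sh[x]),
        }
    return scores


def most_similar_pair(bills: dict[str, str], n: int = 5) -> tuple[str, str]:
    """The pair of bills with the highest Jaccard similarity."""
    scores = reuse_scores(bills, n)
    return max(scores, key=lambda pair: scores[pair]["jaccard"])


if __name__ == "__main__":
    for pair, s in reuse_scores(BILLS).items():
        print(pair, {k: round(v, 2) for k, v in s.items()})
    print("closest pair:", most_similar_pair(BILLS))
```

The shingle length n is the main knob: five-word shingles are long enough that boilerplate phrases ("shall have the right to") rarely match by chance, yet short enough that a copied clause with a single substituted word still shares most of its shingles. On a real corpus, one would also normalise defined terms and strip state-specific identifiers (agency names, code section numbers) before shingling, since those are exactly what a copying legislature changes.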
Data Access as Evidence Access
This paper by Yan Fang examines the connections between data-access rights provided to consumers under the GDPR and CCPA with the processes by which law enforcement agencies gain access to digital evidence.
Drawing on roughly 15 semi-structured interviews with police investigators and in-house legal and compliance professionals, Fang argues that there is a surprising symmetry between the experiences of law enforcement agents seeking digital evidence using formal legal processes, such as search warrants, and those of consumers seeking information under data-access rights. In some cases, police have used data downloaded by consumers and found it to be more usable and interpretable than what they obtain through search warrants.
Data Sharing for Social Science Research
In their paper, Brandie Nonnecke, Camille Carlton, and Varsha Vaidyanath provide recommendations to ensure that platform data is made available for scientific inquiry. Prior to the passage of the GDPR, Facebook and other platforms worked in collaboration with social scientists in sharing data, but after the law’s passage, they scaled back their sharing.
“Legislation introduced in the EU and the US seeks to streamline consent processes for data re-use, establish intermediaries to collect data for research purposes, and obligate platforms to make certain data available to support oversight,” the authors wrote in their abstract. “While promising, these Acts have unintended consequences for the research community by narrowly scoping who can access the data and the types of data to be made available.” The paper aims to help establish “guardrails” to inform how companies can share data with researchers in compliance with privacy laws.
The Right to Data Access: A Million-Website Comparative Analysis of GDPR and CCPA Implementations
For their paper, Ross Teixeira, Gunes Acar, and Jonathan Mayer are conducting a large-scale comparative analysis of GDPR and CCPA Subject Access Request (SAR) practices in the wild, including the security considerations around SAR authentication. For example, when a user sends in a request, what information do firms use to verify that the requester is who they claim to be? What data are they willing to provide in response? And will companies honor requests from a user in a different jurisdiction?
By sending out informational request emails on a massive scale, the researchers are gathering metadata that shed light on the companies’ authentication procedures, such as how long it takes companies to respond; whether they send short or long responses; whether the responses are specific or vague; who is responding to the email; etc. Part of the goal of the study is to understand, as more states start to build up privacy legislation, what effects they have on other states and countries that do not yet have those laws.
To close out the symposium, participants reflected on what research questions could be pursued in the future; what practical problems could be solved through continued research; and what resources would be needed to build a robust field of empirical studies that could serve both. Following are some of the key takeaways:
Design matters: How consumers and firms interact with these regulations is an important variable. The usable privacy and security literature should be used more in these studies. That said, how norms related to design can or should be prescribed in legislation remains an open question.
Failure to comply: It is unclear to what extent firms are intentionally not complying with these regulations, and to what degree they are simply oblivious, inexpert, or lack the resources necessary for compliance. Learning more about firms’ practices (or lack thereof) could be an interesting area of investigation.
Enforcement remains a major challenge: Participants in the symposium noted that the regulations are largely not enforced, or are enforced unevenly, and raised the question of how academic research could support attorneys general (or others) in enforcing privacy laws.
A need for a nexus: There is too often a disconnect between what researchers are doing, how firms behave, what is depicted in the media, and what privacy-related issues draw the attention of policymakers. The symposium participants expressed a desire to better connect the work of the research community with the ongoing efforts of firms and regulators alike.
A need for a general taxonomy: A shared vocabulary and/or taxonomy for describing concepts in privacy regulation could help standardize research, and promote greater synergy across projects that could help feed into a research pipeline. Creating standardized forms of segmentation (such as geography, industry type, firm size, etc.) could also help bridge research projects’ diverse data sets.
Culture matters: The privacy laws expose the role of cultures, from corporate cultures to national cultures, in shaping how the regulations are carried out in practice. Future research could ask how the culture of the developer community shapes what gets built and how those choices propagate to decision-makers up the chain, and how the cultural contexts of different firms, regions, or nations shape how privacy laws are realized.
Overall, this first-of-its-kind symposium highlighted the diverse array of research questions that have emerged — and that will undoubtedly continue to emerge — as more governments wrestle with the implementation of data protection and privacy regulations.
The Center for Long-Term Cybersecurity is proud to be playing a role in convening scholars from around the world who are beginning to tackle these vital issues, and we hope to serve as a hub for future dialogue not just among academic researchers, but also with policymakers, institutional leaders, and other key stakeholders. Such collaboration is crucial, as the question of how governments choose to regulate data protection and privacy over the next five to ten years will likely have ramifications for generations to come.