Skip to content

Instantly share code, notes, and snippets.

@natanlao

natanlao/ccpa.md

Last active April 14, 2021 18:14
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save natanlao/6e6a15d884f20c020224f417c1f21a8e to your computer and use it in GitHub Desktop.
Save natanlao/6e6a15d884f20c020224f417c1f21a8e to your computer and use it in GitHub Desktop.
Download ZIP
CCPA wall of shame
Raw
ccpa.md

Over the last few months, I've been cleaning up after myself and filing CCPA requests where I can. Here are some of the less-friendly companies that I've encountered in this process.

Sift

Signed me up for marketing emails using the email address I provided for my CCPA request.

Equifax

The worst one of them yet.

I filed a request. A few days later, they notified me that my request for data was fulfilled, then did not allow me to access that data (asking me to call a customer support line). The customer support representative was unable to access the data and filed a new request with a different account, and enrolled me for Equifax Core Credit without my consent.

About a week and a half after that, the request was finally fulfilled. And... the exact same problem. The portal did not allow me to access the requested data, and again asked me to call a customer support line.

The best part is, about half of the times that I had to call the CCPA customer support line, my call was directed to a representative who was not one of the staff that could handle CCPA requests. The representative offered to connect me to the relevant department, at which point the call would play hold music then disconnect.

They also started sending me "educational" emails that I could not opt out of.

QuestBridge

Opened a ticket on January 3. As of March 31st, they haven't responded...

Update, 2 April 2020: They responded, claiming that they are not bound by the CCPA (or GDPR) but indicated that they would delete my information anyway. They said they would contact me with confirmation, so I'm waiting on that.

Update, 24 Oct 2020: I asked for confirmation on 10 Oct. They still haven't responded. I'm still getting emails to my Questbridge email address four years after I used Questbridge...

Update, 14 Apr 2021: They finally responded and confirmed my request. Props for tying it up (eventually...).

Imprint.com

Filed several requests with them, both to their general customer service and to privacy@imprint.com, starting from at least 31 Dec 2019. All my tickets opened with general customer service were closed due to inactivity, and my attempts to reopen them were ignored. My emails to privacy@imprint.com have also thus far been ignored.

Riskified

I sent several requests between 12 Dec 2019 and today, 1 Oct 2020. My request still has not been fulfilled, and they've stopped responding to my emails altogether.

TransUnion

Asked for more time to process my request, never followed up at the end of their requested extension, and their CCPA portal now shows an error when I try to access it, referring me to their phone support (with, as they claim, extroardinary wait times) or their social media accounts. No email support available.

Bonobos

I've been trying to file a deletion request for at least a month now. More than that. (I'm writing this near the end of October 2020.) The request portal has told me multiple times that it can't identify me based on the provided data despite

  1. Asking me a bunch of "verification" questions such as what my birthstone is. (I had to look this up.)
  2. Taking my phone number, email address, and physical address that match what is recorded in my account.
  3. Recognizing that I am currently logged in to my Bonobos account by autofilling my email address.

Whatever I do, I get this form email:

Thank you for contacting Bonobos to exercise privacy rights in accordance with the California Consumer Privacy Act (CCPA). We have been unable to identify information related to you based on our identity matching process and the details you provided in your request form.

It links to a FAQ page that, unsurprisingly, provides absolutely no recourse for those unrecognized by their automated system.

The one silver lining is that they usually deny my request within the hour, which is cool, I guess.

Best Buy

Best Buy's form to submit a CCPA request is initially easy. The tricky part is verification: they require verification via mail which points you to a confirmation form at https://bby.us/CCPADelete. At time of writing, this link appears to be broken; the link returns a 301 to https://www.bestbuy.com (as does https://bby.us/does-not-exist-foo-bar-baz-484). Their support (CaliforniaPrivacyRights@bestbuy.com) pointed me to the shortened link's destination (https://www.bestbuy.com/sentry/confirm?type=delete) which works for me.

RedBox

Allows submission of CCPA requests through OneTrust, but they

  1. require submission of a signed affidavit (as PDF) to process the request, and

  2. will only remove your data if you are a California resident, which is poor practice.

If you have the misfortune of having to suffer through this process, note that to upload a file to a OneTrust ticket, you need to press the "Reply" button the enter text before OneTrust will let you upload a file.

Xfinity

An Xfinity representative promised me, after disconnecting service, that my account with them would automatically be clsoed within some 30 days. That ended up not happening, so I attempted to file a CCPA deletion request using their online form.

Since I had terminated service and moved addresses, their system failed to verify me as the account holder (as the address on my driver's license was different than the original service address). It's worth noting here that the DMV does not issue new drivers licenses, even when a change of address is filed with the DMV.

To rectify this, I contacted Xfinity support:

  1. I contacted Xfinity support through their live chat system. They told me that, as the billing department, they were unable to address privacy issues, and directed me to a general customer support line.

  2. I called the customer support line, and was transferred to their billing department again. After some consternation, the representative tried to transfer me to their loyalty department. The call dropped.

  3. I called the customer support line again and reached their loyalty department. The loyalty representative transferred me to "CSA" (which I infer to be some security-adjacent department).

  4. I waited for a few minutes on hold for the security department. Their callback system offered to set up a callback (whereby they would call me when a representative was available). I accepted, and before the system was done confirming the callback, I received a call from another 800 number -- which was the callback I had literally just requested. Which would be fine, except for the fact that the new call put me on hold again.

  5. The security department transferred me back to their loyalty department.

  6. The loytalty department transferred me to the "Privacy Center."

  7. THe Privacy Center representative informed me that there was no way to excercise my rights as a California resident if I didn't have a current ID at the original service address.

The takeaway here is that if you want to connect with someone who can actually help you with privacy issues at Xfinity, you want to be transferred to the Privacy Center.

Update: I was able to get this issue resolved by contacting the Privacy Center via email at Comcast_Privacy@comcast.com. For propriety, you can call the Privacy Center by phone directly at (844) 963-0138.

@natanlao
Copy link
Author

natanlao commented Apr 4, 2020
edited

Office Depot actually made their request form notably easy and accessible.

@natanlao
Copy link
Author

natanlao commented Jan 3, 2021
edited

Best Buy and O'Reilly both had super easy forms; though it remains to be seen if they will follow through.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment