DON'T SELL OUR DATA: EXPLORING CCPA COMPLIANCE VIA AUTOMATED PRIVACY SIGNAL DETECTION

The California Consumer Privacy Act is one of the first major U.S. laws to address contemporary privacy and tracking rights. However, a multitude of Do Not Sell opt- out avenues exist for users to exercise the rights guaranteed to them under the law. Following Zimmeck and Alicki's proposal for an opt-out standard (2020), the Global Privacy Control signal was introduced to address the lack of a simple standard in expressing a Do Not Sell or Share preference. The signal has since been christened by the California Attorney General with a legal binding tying it to the right to opt-out of the sale of personal information under the CCPA. As of March 2022, GPC is under review for explicit addition to other proposed U.S. and international draft privacy legislation. In this work we develop an artifact, the OptMeowt browser extension "Analyis Mode," to automate the study of GPC signal acceptance. We then test this browser extension across a selection of randomized sites from the top 1,000 Tranco list to measure its performance for future studies and enforcement. We conclude by analyzing the data collected and construct a picture of current site compliance with GPC, and by extension, the CCPA.