
I'm Malcolm I'm a board member and I'm going to be emceeing this first section of talks so it's with my uh with great pleasure that I introduce Jacob with delete your data
thank you and good morning everybody everybody hear me okay awesome uh as was stated my name is Jacob I'm a recent law graduate out of Las Vegas Nevada I am anxiously awaiting the bar results which come out in four hours so if I look nervous later that's why um I mostly work in data privacy open source uh non-profit formation and a little bit of alternative dispute resolution so if you see me afterwards and want to talk about any of that I love to talk about all of those I'm also the backup plan our executive director was supposed to be here but she just started a brand new job so congrats to her she's been at least a few years to
the Portland uh BSides so she's very sad she couldn't make it uh this time so what I'm going to talk about today or I guess I should go back and talk about delete your data generally delete your data is a non-profit that is based in Las Vegas Nevada but we operate throughout the country we do data deletion services for individuals looking to delete their data from different companies websites and that sort of thing so I'm going to kind of use delete your data to frame the laws surrounding data deletion in the United States and abroad so how we're going to do that is we're going to first talk about just how the data deletion process works and it's not
going to make much sense because it'll seem oversimplified so then we're going to go into the laws that support what we're doing uh and then with that legal framework we'll be able to revisit how deleteyourdata.com deletes your data and then we'll talk a little bit about why it matters and things moving forward and how we can support data privacy and data deletion uh in the future so how it works is a user reaches out on our website uh and then we have a scraping service which will scrape their information or if they just give us specific accounts we can delete those specific accounts and then we just request the deletions so like I said if that seems a little
bit oversimplified it definitely is that last part uh is where you need the legal framework to to get a little bit more context so there's there's multiple laws that enforce a right uh of deletion for personally identifiable information upon a user's request in order to really understand this we got to know what that personal identifiable information actually is so what is it it's any information that can be used to distinguish or trace an individual's identity some common examples are names social security number uh the date and place of birth uh mother's maiden name and then also biometric records so uh anything that would identify that person as for me it'd be Jacob Jacob Smith uh
so it also includes any information that's linked to that information that could also be used to identify that person so that's really what the data deletion laws focus on is that personal identifiable information um so the GDPR which we'll talk about in a little bit gives some good examples of what is and what isn't personal identifiable information at delete your data we get a good amount of requests for that top stuff so if somebody writes a journal article about let's say a politician running for court in Nevada uh you can't really request that that be deleted that's information somebody else wrote about you but if that person were to upload a bunch of information on their
social media that can be requested to be deleted so what are the big laws that help us control our data first we have the GDPR which all of these have their limitations um and then there's also the California Consumer Privacy Act uh the CCPA it operates mostly in California but there's also a bunch of other state laws that do things similar in different states and then lastly we have just enforcement of a company's privacy policies so the General Data Protection Regulation the GDPR um it's the big player in the EU the European Union um and it among other things provides a right to be forgotten um so that right to be forgotten is a right to be deleted
um so although it only applies to EU uh citizens a lot of companies will include in their privacy policies a general right to deletion uh that encompasses both EU citizens and abroad so uh even if you're not an EU citizen sometimes if a company is compliant with the GDPR you can still request your data to be deleted uh CCPA is kind of the like first U.S. counterpart to the GDPR um it's the California Consumer Privacy Act it's really limited uh to who it applies to so it only applies to for-profit businesses that collect uh or uh sell the information of California residents and they have to have one of those three so they have to have either gross annual
revenue of over 25 million they have to either buy receive or sell the personal information of a certain number of California citizens or they have to derive at least or over 50 percent of their profit from the selling of data so yeah the CCPA states that people have a right to request that a business delete the personal identifiable information about the consumer uh which the business has collected from the consumer so again that comes from those requests so the user has to request that they get their data deleted uh and then if that company falls under the CCPA they are required to delete that data so some other big state laws uh you have Virginia which is almost identical to
the CCPA except it has different levels of control for organizations and then you have Colorado Colorado is an interesting case because it's the first one to apply to non-profits as well as for-profit businesses so a lot of the people I work with are nonprofits so they're very concerned about Colorado Colorado and Virginia I think both don't start uh becoming enforceable until 2023 so it's going to be interesting to see how that impacts the uh the legal framework surrounding data deletion so that gets us to privacy policies so a lot of companies will have the CCPA or some other provisions tied into their privacy policies um privacy policies are tied often to terms of service and these privacy policies and terms of
service are basically a promise or an agreement between the company and the consumer that's visiting the website or engaging with the product um and the FTC Act is what allows us to uh or allows them to enforce these provisions within a privacy policy so the FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce most of the litigation there surrounding data privacy has come from the uh deceptive acts so that's if the privacy policy promises something and the company's not doing that the FTC can come in and say you're not you're being deceptive you're lying on your privacy policy uh we're going to seek enforcement against you um so the big question here that companies
think of is you know why not just not include a privacy policy or just make the privacy policy so confusing that it's rendered useless uh so a lot of the state laws like the CCPA the Virginia the VCDPA I think is the uh acronym for it they have requirements within them that the company have a privacy policy that it be easy to read and that it be easy to find on on the website um so a big thing with the readability privacy policy uh is like not using a bunch of legalese it drives a lot of the older attorneys crazy but there is a big shift to write things in plain language especially things that are like put out
to a consumer like a privacy policy or terms of service in plain language so this is the Flesch Reading Ease test basically what it does is using two metrics the number of words per sentence and the number of syllables per word it gives every uh you know paragraph or body of text a score and these scores relate to different grade levels so you can see uh the higher the score the more readable it is so a fifth grade reading level uh is between 100 and 90 and what they want from these privacy policies and terms of service is uh like a seventh maybe eighth grade max but as readable as possible um so looking at this and looking at some
terms of service we can see really how they stack up uh Facebook's score on that would be a 10th to 12th grade level uh and it only goes up from there with Reddit and YouTube being uh significantly higher so these aren't very readable documents these terms of service and these privacy policies so that's why a lot of these laws like the CCPA the VCDPA the CPA which I think is the Colorado Privacy Act um these these new clauses in them that will enforce the readability and simplicity of these terms of service and privacy policies are so important and then as far as the ease of finding the hyperlink on the website um there's a great case uh involving
Uber and their hyperlinks um they had what is it it's I think it's gray text on a white background uh for their link for their privacy policy or terms of service and so it's basically unfindable on a website so uh the court ruled that they needed to have it in blue it needs to be distinguishable and it needs to be at the front of the website it needs to be easy to find um and this one did involve specifically the enforcement of an arbitration provision um but it's likely to see it expand to uh greater context and just being like enforceable generally so this is a great website Terms of Service; Didn't Read
um so it uh it's a play on the acronym TL;DR
and what they'll do is they will go into these really confusing terms of service or privacy policies and they'll simplify them and just provide a much simpler version of it so it's a great resource if you have terms of service or privacy policies that you need to look to like the Reddit one which is particularly confusing they'll provide a more simplified version of that this is some more grading of different websites and how well they did on their reading ease of use and everything so Facebook obviously not doing great Amazon also a grade E some good ones however as far as protecting your data privacy are Startpage and DuckDuckGo here's another website with a
confusingly similar name which is tosback.org this one's done by our friends over at the EFF which is a great organization I highly recommend reading their blogs um so this one will give you live updates of changes to the privacy policy and terms of service as they happen great resource great organization um but let's get back to how this now that we have this legal framework how it applies to how we delete people's data so once again the user reaches out we scrape or we find the particular sources that they listed and then we request deletions but now we have a little bit more context for that last one we request deletions either through the state laws or what we often
look to first are these privacy policies so if a user were to come to us um it's the example I have here yeah TruePeopleSearch so if a user came to us and said I have information on TruePeopleSearch um I want you to delete it uh what we would do is we would first look at the privacy policy um none of this text really helps us but it is the start of their privacy policy but as we go down to what data they collect um and what they do with that data that they collect we eventually get to this one here and this is where it's really important for us at least
um that link right there allows for a deletion request and so if a consumer or a client comes to us we will go to the company's privacy policy find if they have a link like that which is usually good news and we'll follow it uh and so here simply have to put your email in verify that you're not a robot um and then agree uh to their terms and then they sent us an email in this case with another link that we had to click on clicking on that link led us to another page where we could fill out a request to actually get the data deleted I don't think this one this one has company here
um a lot of them will ask if you're deleting data on somebody else's behalf and so if that is an option we let them know that we are deleting John Smith's information on his behalf as uh deleteyourdata.com but not all websites and privacy policies have those um and so if we would have run into any trouble here we would have looked for this link here uh and importantly this address here uh and then we would send demand letters and that sort of thing to the company uh to try and enforce the deletion of that user's data so this outlines a couple of the other laws that are built within the CCPA and some of these
other state laws the ability to opt out of data collection a lot of different state laws require that they allow users to opt out of the collection of their data non-discrimination is a really cool one that's in the CCPA you can't treat users differently just because they decided not to get their information collected um and then a lot of people and or companies and organizations will have a specific section outlining uh if you're a California resident your rights as more and more of these states uh adopt data protection laws we'll hopefully see that uh Bridge throughout the United States and become the norm not the exception so to protect people's data what can be done besides uh just deleting the data
um so there's a big uh spicy case going on right now FTC suing Kochava which is a data tracking company that sells data location to other organizations and the FTC is suing them this one's kind of fun because instead of relying upon the deceptive part of the FTC Act that I mentioned earlier this one actually talks about the unfair act and it says that it's unfair to track people's data because that data may lead to clinics places of worship and other sensitive locations so hopefully that expands to where the FTC starts enforcing the unfair acts and practices as well unfortunately the only relief they were seeking in this case was kind of like blacklisting those locations so
you can't see if somebody actually goes to those locations so it's not as robust as it could be which is why the FTC could do more with better laws in place a federal data protection law would allow them to act a little bit more uh diligently so here's some resources just real quick monitor.firefox.com donotpay.com and then of course deleteyourdata.com and I want to thank everybody for their time uh I am happy to answer any questions uh in person you'll see me around I'll be here all day or you can visit us at delete your data you can follow us on Twitter at delete your data you can follow me at IP Las
Vegas or you can follow my Sideshow Instagram at Yeehaw circus or you can just email me if you want so thank you all this has been wonderful I really appreciate it

all right I I have a question is this mic on oh perfect okay if you want to ask a question please come up

hey there I was wondering what your thoughts are on Discord on yeah because disc on Discord when you try to delete your account all your messages on Discord servers still hang around

oh that's interesting yeah um I mean I don't I don't have any personal thoughts on it I think we're so far behind as far as data deletion laws go that any steps in the right direction
are great but I think something similar happens with uh Facebook groups I think it was or something like that that'll be an interesting one to get to so if you would like your information deleted off of Discord we would be happy to you know visit the website and we can see what we can do

hi I'm just curious if there's ways that you can maybe proxy through uh European Union and then get GDPR enforced or if there's any tricks like that I've heard of ways that you can maybe get your IP coming out of California and then do an opt out um wondering if any of those avenues have been explored

we haven't explored them yet the good
thing is a lot of I write a lot of privacy policies and stuff and that's kind of my side of things usually uh this is like a non-profit that I help as well uh and a lot of more organizations are caring about data deletion generally and so those requirements and provisions that are in the GDPR and the CCPA are being applied across the board to all users so I think encouraging companies to do that is really our best bet um but I haven't looked into like patching people through um yeah

thank you

uh so my question is like with the California and Virginia one is there like a list somewhere of states that have published a law or a policy
type of thing that we could go to as a reference point

yeah we have a couple um blog posts on deleteyourdata.com uh but I found a good table um like maybe a month ago but I forgot who posted it so I will track that down uh and find it and possibly repost it on our website

uh hi so I was wondering with respect to the uh simplistic language so that people can actually you know understand what a privacy policy means when you're mapping from legal language which I'm assuming has a very specific intent behind a lot of words you could have a very precise meaning and in simplifying that language you might get your syllable count down or whatever
metric you're using there uh but you might be hiding some of the actual like precision of what the the agreement actually means uh is there a way to kind of I guess account for that without being uh falling under the category of being deceptive because it's like oh well you know you said one thing that has a common English like understanding of what it means but it it actually means something a lot more uh confining

yeah it's a so there's a definite migration uh to to just like common meanings of contract terms so the first when you're doing contract interpretation one of the first things you want to do is look at the plain meaning uh and if the plain meaning's there
and it's unambiguous then you're done like uh in most cases um so the idea that more complex language is more precise is a bit of a fallacy so you you do want to just use like plain unambiguous language

hey thanks for the talk um I was just wondering if there's like one addition or change to U.S. regulations with regard to people's personal data and PII and things like that like do you have one in your back pocket that you'd like recommend hey here's a policy change we could make that would protect people's privacy and help the customers you have at deleteyourdata.com

is like a government level or a company

yeah yeah like a a lot

yeah I mean as a
government level if we had a federal uh data protection law that wasn't didn't have a bunch of hidden stuff in it um it would allow the FTC to greater like enforce data privacy a lot better um yeah they're kind of handcuffed by the the unfair and deceptive acts

got it thanks

yeah no problem

awesome thank you everyone

[Applause]