(Un)clear and (In)conspicuous: The right to opt-out of sale under CCPA

The California Consumer Privacy Act (CCPA) -- which began enforcement on July 1, 2020 -- grants California users the affirmative right to opt-out of the sale of their personal information. In this work, we perform a series of observational studies to understand how websites implement this right. We perform two manual analyses of the top 500 U.S. websites (one conducted in July 2020 and a second conducted in January 2021) and classify how each site implements this new requirement. We also perform an automated analysis of the Top 5000 U.S. websites. We find that the vast majority of sites that implement opt-out mechanisms do so with a Do Not Sell link rather than with a privacy banner, and that many of the linked opt-out controls exhibit features such as nudging and indirect mechanisms (e.g., fillable forms). We then perform a pair of user studies with 4357 unique users (recruited from Google Ads and Amazon Mechanical Turk) in which we observe how users interact with different opt-out mechanisms and evaluate how the implementation choices we observed -- exclusive use of links, prevalent nudging, and indirect mechanisms -- affect the rate at which users exercise their right to opt-out of sale. We find that these design elements significantly deter interactions with opt-out mechanisms -- including reducing the opt-out rate for users who are uncomfortable with the sale of their information -- and that they reduce users' awareness of their ability to opt-out. Our results demonstrate the importance of regulations that provide clear implementation requirements in order empower users to exercise their privacy rights.