At the end of February, I visited a government site that asked me security questions that I had not provided answers to. My account was locked because I answered the questions "wrong". The site's support responded, to a query, that they sourced the questions and answers from LexisNexis.
I wanted to avoid such issues in the future, so using the LexisNexis CCPA request web form, I checked the boxes on all three of, request a) a copy of the data they had collected, b) they not sell my data, and c) they delete the data they already had collected. In early March, I got confirmation of my request and an extensive report of the data they had collected on me.
The data was extremely unreliable containing many errors. It was no wonder I could not answer the security questions "correctly".
In mid July, I had to use that government web site again, and was again prompted with security questions I had not provided answers for (this time, however, I was able to answer the questions "correctly" using the CCPA report as an answer key). I contacted the site again, and they confirmed that the questions and answers were exclusively sourced from LexisNexis, and that they did not cache / store any of this information-- that the website queries LexisNexis in real time at the time the questions are posed to the visitor.
This seems to indicate that LexisNexis did not, in fact delete my data, and Lexis Nexis is continuing to sell my data.
If you have placed CCPA requests, what have been your experiences? And, were my expectations that the CCPA would prevent LexisNexis from continuing to retain and sell my data not in line with what the CCPA actually provides?
Once your request is verified by Lexis-Nexus, they should have kicked off multiple work streams (disclosure, limited purpose, deletion) which may resolve in different orders, but must resolve in 'x' days, where 'x' is related to the duration defined by law, plus any extra extensions they may have notified you of, this may mean that the entire request could reasonably take upwards of 90 days, depending on the specific scenario. Note that some data may qualify as exempt from deletion requests, when they are required by other laws (such as gun sale records) the specifics are very context dependent.
If, after that time you believe that Lexus-Nexus did not comply with the request, then they may be in violation. Currently, for California residents, that means you can file a formal complaint with the CA Attorney General (https://oag.ca.gov/contact/consumer-complaint-against-busine...).
Note that this process will change on January 1st 2023 when the amendments of the CPRA will go into effect and enforcement authority shifts to the California Privacy Protection Agency (https://cppa.ca.gov/). This will also subject Lexis-Nexus to additional requirements and more strict definitions of terms such as 'sale'.
No consumer benefit at all.
My data is still everywhere any constantly shared as before, and the issue aren’t cookies.