The new year ushered in a landmark California privacy law that gives residents more control over how their digital data is used. The Golden State isn’t the only beneficiary, though, because many companies are extending the protections — the most important being the right to see and delete the personal data a company has — to all their customers in the United States.

In the fall, I took the right of access for a test drive, asking companies in the business of profiling and scoring consumers for their files on me. One of the companies, Sift, which assesses a user’s trustworthiness, sent me a 400-page file that contained years’ worth of my Airbnb messages, Yelp orders and Coinbase activity. Soon after my article was published, Sift was deluged with over 16,000 requests, forcing it to hire a vendor to deal with the crush.

That vendor, Berbix, helped verify the identity of people requesting data by asking them to upload photos of their government ID and to take a selfie. It then asked them to take a second selfie while following instructions. “Make sure you are looking happy or joyful and try again” was one such command.

Many people who read the article about my experience were alarmed by the information that Berbix asked for — and the need to smile for their secret file.