Thursday, November 7, 2019

How PrivacyCheq's PFIN Handles CCPA's New Notice Requirements

On October 10, 2019, the California Attorney General issued a proposed text of regulations detailing how CCPA will be implemented starting January 1, 2020.   A major feature of this announcement was a heightened focus on Notices to Consumers. In particular, the regulation enumerates and defines four distinct types of CCPA notice, three of which are new:

(1)  Notice at Collection of Personal Information (new)
(2)  Notice of Right to Opt-Out of Sale of Personal Information (new)
(3)  Notice of Financial Incentive (new)
(4)  Privacy Policy (not new, every business has a blanket Privacy Policy)

A careful reading of the three new Notice to Consumers specifications reveals that in addition to making substantial changes to existing blanket Privacy Policy statements, many CCPA-exposed businesses will need to post time-of-collection disclosure notices and dialogues to operationally comply with new "DO NOT SELL MY INFO," Opt-Out/In, and related CCPA consumer rights processes.

Indeed, paragraph 999.305(a)(5) of the proposed regs explicitly states: "If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer."

The new regs also set forth a quality standard for giving notices, specifying that each notice should be "designed and presented to the consumer in a way that is easy to read and understandable to an average consumer," using "plain, straightforward language," using "a format that draws the consumer's attention to the notice and makes the notice readable, including on small screens," and to "be accessible to consumers with disabilities." Given the fact that a large percentage of consumers’ online activity occurs on mobile devices, CCPA notices now need to be automatically adaptive and readable on a wide range of devices. AG Becerra is placing a high priority on quality disclosure for California’s consumers.

Based on all of the above, PrivacyCheq believes that CCPA has raised the bar for B2C privacy disclosure beyond the scope of the traditional blanket Privacy Policy.  A new, just-in-time interactive format is needed for consumer privacy communication to augment and extend the traditional privacy policy.

Using Privacy-by-Design principles, PrivacyCheq has created a new paradigm for notice delivery that meets these transparency requirements.

Privacy Facts Interactive Notice (PFIN) to the rescue ...

Our new PFIN technology is purpose-built to facilitate a clear, concise, and transparent exchange of information between business and consumer as personal information is gathered and managed.

PFIN’s simplicity, flexibility, and adaptability across desktops, laptops, and mobile devices can best be understood by viewing working examples of its use. We've created samples demonstrating PFIN compliance with CCPA’s 1798.100(b) notice requirements.

PFIN - Sample CCPA Use Case - Notice at Collection

In this use case, a fictitious marketing website is collecting consumers' personal data for marketing purposes. At the time of collection, CCPA requires a privacy notice stating the categories of personal data to be collected, and the purposes for which the information will be used. A simple link from any landing page triggers a Privacy Facts Interactive Notice (PFIN) which fulfills this requirement of the regulation.

Click here for a video of this PFIN notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links to drill down).

PFIN - Sample CCPA Use Case - Notice of Right to Opt-Out of Sale of PI

In this use case, a consumer visits a fictitious marketing website desiring to opt out of the sale of their personal data. As the consumer opts out using a link at the bottom of the webpage, the CCPA requires a privacy notice enumerating the consumer’s rights under the regulation, then detailing how the consumer may exercise those rights. The Privacy Facts Interactive Notice (PFIN) fulfills this requirement of the regulation and records the consumer’s choices with respect to their rights.

Click here for a video of this notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links).

Topping the list of PFIN’s many unique features is the fact that it is interactive. A displayed PFIN inherently sets up a dialog between business and consumer. The consumer easily controls the agenda, pace, and scope of that dialog, clicking on blue text keys to self-brief in real time. Interactivity is the key to solving Privacy’s age-old “Post and Hope” conundrum.

PrivacyCheq believes that our new PFIN technology may be of interest if your organization is considering implementing CCPA compliance and the B2C dialogs mandated by the 10/10 regs.

Contact us at to discuss specific use cases.

Thanks for your time and attention.

Dale Smith, CIPT

Tuesday, February 19, 2019

The Trouble With Transparency


By Dale Smith, CIPT

Every privacy professional knows by now that on January 21, 2019, CNIL, France’s Data Protection Agency (DPA), imposed a fine of 50 million Euros against GOOGLE for violating “the obligations of transparency and information” rules imposed by the EU’s General Data Protection Regulation (GDPR).

Since tens of thousands of complaints have been submitted to EU DPAs against GDPR-exposed companies since May of 2018, this action against GOOGLE does not come as a complete surprise, considering their massive market presence and activity around the collection of personal data.  What does come as a surprise (maybe even to GOOGLE), is the fact that their alleged failure to provide proper transparency to EU data subjects is the centerpiece of CNIL’s action.  With all due respect to GOOGLE, their EU-facing privacy policy currently runs to 29 pages and is a masterpiece of proactive abundant disclosure and respect for GDPR compliance. It is very, very well done, by current privacy policy standards.

Yet CNIL as a regulator is clearly not satisfied.  What is the trouble here?  What are the “obligations of transparency” that CNIL believes are missing from GOOGLE’s lavish recital of privacy policy information?  In CNIL’s words the answer is “… the information provided by GOOGLE is not easily accessible to users.”   CNIL goes on to state – “Indeed, the general architecture of the information chosen by (GOOGLE) does not … respect the obligations of the Regulation.  Essential information such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalize the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information.  Relevant information is accessible only after several steps, sometimes involving up to five or six actions.”

Summarizing, CNIL has judged GOOGLE’s transparency efforts on the basis of how well they serve the needs of GOOGLE’s customers, also known as EU citizens. The GDPR’s Article 12.1 yardstick mandating that privacy information shall be provided “… in a concise, transparent, intelligible, and easily accessible form, using clear and plain language …” has been applied.

To those of us tasked with delivering adequate transparency under GDPR and other new and emerging privacy laws, this is a teachable moment. The lesson: beginning in 2019, the effectiveness of privacy transparency will be judged from the point of view of how well it serves the needs of data subjects (users, customers, citizens, etc.), and no longer from the point of view of how well it serves the purposes of the data controller’s business. The days of “Post and Hope” are over.

This is a major concern. If GOOGLE can’t get transparency right, who can?  Is this transparency Armageddon?  In this writer’s opinion, it is not.  On the contrary, it is a strong signal for positive change.  It is a signal that the consumers’ helpless feeling in the “Check the I Agree Box or Go Away” moment while viewing a legalistic privacy policy and/or a no-choice, off-topic cookie banner could be at an end.  It is a signal that GDPR-grade transparency is here to stay. Legalistic privacy policies will always be with us of course, but the privacy world is currently primed to embrace a new “layered notice” paradigm for delivering privacy information to users on their terms.

What form would a new paradigm for transparency take?  What is a real-world example of how enterprises regularly inform citizens of copious and complex information in a way that is explicit, specific, intelligible, concise, and easily accessible?  The answer can be found in the aisles of the world’s grocery stores.  It is the ubiquitous Nutrition Facts-style label.   Consider this generic example:

This Nutrition Facts title name and font are familiar and iconic around the world.  The label’s gridded framework supports clear and plain language presenting a prospective buyer/user with a select, concise list of best questions about this specific product. Each issue or question prompts a clear and explicit answer.  The user can digest every detail of the information (unlikely), focus in on a fact of particular interest (calories, sodium, carbs?) or choose to ignore the notice completely (I trust this company, and know that the facts are here if I ever need them).   

The nutrition facts information format goes a long way to meeting the transparency requirements of GDPR and its many derivative regulations that are springing up around the world.  But two major concepts are missing that would make this disclosure format ideal for privacy notices.

First, privacy is much more complicated than food.  Single digit or single word right-hand “answers” to elements of the framework are often inadequate to describe privacy concepts.  For privacy facts, each answer needs to have “drill down” capability to present multiple sublayers of information on request.  Secondly, unlike the flat visual nutrition presentation, a Privacy Facts Notice needs to be interactive.  It needs to place digital control into the hands of the user to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation.    

Fully enhanced with “drill down” and interactive functionality, here’s a sample of how a Privacy Facts Interactive Notice (PFIN) looks in the digital world, poised for interaction with a user.

One more major benefit emerges from marrying nutrition label simplicity with modern digital technology.  The resulting consumer-paced dialogue now becomes operational across the full spectrum of consumer-facing touchpoints (websites, tablets, smartphones, mobile apps, IoT devices, venue signage, QR codes, etc.).

Like nutrition facts labeling, the simplicity and familiarity of PFIN notices build trust between data controllers and data subjects, enterprises and citizens, suppliers and consumers.  Implementation of this new notice paradigm can go a long way towards eliminating the decades-old trouble with transparency for enterprises and users alike.

Questions and comments can be directed to Dale Smith at  For a live, remote, demonstration of PFIN and its associated authoring templates and tools, contact 

Dale Smith, CIPT is a co-founder and Futurist at PrivacyCheq with 38 years of experience in designing and implementing consumer-facing digital technology.

Sunday, January 28, 2018

GDPR’s “Last Mile” - Implementing the Compliant UI/UX

From an IT technician's point of view, those of us tasked with operationalizing GDPR's mandated transparency and consent requirements before the 25 May 2018 enforcement threshold face a formidable challenge.

While EU users and regulators will be able to evaluate our compliance with new GDPR rules by simply viewing any of our public-facing data ingestion screens, as IT staff (who craft and maintain those screens), we lack concrete requirements as to what actually needs to be changed and/or added at our existing user touchpoints to achieve and demonstrate compliance.

Experience tells us that IT implementations based upon ill-defined and amorphous specs often end poorly, yet the May deadline looms, and a strategy of inaction risks heavy sanctions as well as brand damage for the enterprise.

What to do?

For an answer, it is useful to step back and analyze the GDPR regulation holistically, and from the standpoint of the EU leaders who drafted and enacted it in 2016.  What were the overriding goals they sought to achieve through this legislation?  In terms of privacy protection for their EU citizen constituents, what are the most important long-term outcomes that will act to make this regulation an unqualified success for regulators and a privacy win for EU citizens?

First, look at the negative pronouncements in GDPR. The framers explicitly sought to eliminate the common practice of citizens giving up personal information without first being properly informed (see Article 12).   They explicitly sought to eliminate the reality of citizens left without effective and informed choice (Article 7).  And they sought to eliminate data controllers and processors acting without appropriate permission, leaving citizens with no control as their personal data was transferred to third parties and beyond (Rec. 32). 

On the positive side, they defined new standards for defining, obtaining, and maintaining consent (Articles 4, 6), they codified a number of new individual privacy rights for citizens, and they mandated that citizens be advised of those rights on a regular and fully visible basis (Articles 12-21).

There is a common thread running through each of these initiatives.  It is that these new GDPR mandates all imply a bidirectional conversation or “touchpoint dialogue” between enterprise and user.  No longer can an inscrutable privacy policy and a pre-ticked “I Agree” box serve as adequate permission for processing personal information.  No longer is personal information gathering “the sound of one hand clapping”.  Now the user has a seat at the table (figuratively speaking) and can/must participate as an active party in the PI exchange.

Returning to the question of what IT can do today as the compliance deadline approaches ... this writer believes that implementing a touchpoint dialogue structure at the enterprise’s public-facing personal data ingress contact points is a practical and essential initial step in implementing and demonstrating GDPR compliance.

Implementing such dialogue capability publicly demonstrates solid commitment to the spirit of the Regulation, while putting the framework into place for expanding and optimizing the enterprise’s compliant UI/UX as guidance and codes of conduct become better defined over time. It signals publicly that our enterprise cares about citizens’ privacy and is reaching out as a best practice to build user trust.

So what are the steps to implementing such a dialogue framework at my enterprise?  

One solution is to build it internally.

A second solution is to employ purpose-built, commercially available software, then use the included toolsets, templates, and generic models to tailor it to the enterprise’s specific operating environment. If appropriate, a consultant may be employed to help with the tailoring.

A robust GDPR Consent Management solution will include a live, fully developed generic implementation of compliant touchpoint transparency/notice support, an application programming interface (API) to facilitate integration with existing enterprise infrastructure, full Article 6 processing basis flexibility, comprehensive consent flow support, individual rights presentation and negotiation support, user dashboarding, administrative dashboarding, dialogue event logging, and DPO/DPA accountability reporting.

PrivacyCheq has built comprehensive solutions for large and smaller enterprises. Training, consulting, and LiveStart services are available to facilitate rapid implementation. A GDPR last mile live demo can answer many implementation team questions.

Dale Smith, CIPT