Thursday, January 9, 2020

PrivacyCheq Supports Articl8 ePR Initiative

PrivacyCheq, together with twelve other companies, is a party to an open letter dated 8 January 2020 urging EU member states to include strong privacy safeguards in the new Privacy and Electronic Communications Regulation (ePrivacy Regulation).  The letter is an initiative of Articl8, an industry group of pro-privacy companies focused on privacy as a business case and on protecting the fundamental privacy rights of citizens.

In the letter, we express our support for a strong ePrivacy Regulation that compliments the principles and achievements of the GDPR. It is our belief that a tighter legal framework will not only better protect the privacy and confidentiality of electronic communications, but also foster competitiveness and innovation in the Digital Single Market.

Text of the letter is reproduced below:

Open letter to EU member states from Articl8 Members and supporting organisations urging for a privacy focused ePrivacy Regulation 

Stockholm, January 8th 2020


Dear Prime Minister,

We, the members of Articl8 – an industry group of privacy friendly companies – strongly support the European Commission’s proposal for a Regulation of the European Parliament and of the Council concerning respect for internet users’ private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications, hereinafter “ePrivacy Regulation”).

However, the latest suggested compromises at the Council are threatening the strong principles and achievements of the GDPR rather than completing it. Extensive, in particular third-party, online tracking is an attack to Internet users’ fundamental rights. Therefore, it must be legally limited rather than expanded.

It seem that our concerns are shared by several Member States as the Permanent Representatives Committee of the Council of the European Union (COREPER) voted to reject the Council draft of the Regulation on 22nd November.

In light of recent case law from the Court of Justice of the European Union in relation to the applicability of the General Data Protection Regulation (2016/679) and the ePrivacy Directive (2002/58) with regards to the use of online tracking and profiling technologies, Articl8 members feel it is more important than ever to finalise the draft of the ePrivacy Regulation, including strong safeguards to protect personal data, completing the regulations provided in the GDPR.

We believe that a strong, privacy focused ePrivacy Regulation will foster trust, innovation, and competition in the digital environment. It will increase consumer choice allowing users to select those applications and devices that fit their needs while protecting their privacy and security.

This will ensure the protection of the sensitive data which are part of any communications (both content or metadata), which is especially important for the most vulnerable members of our population (people with disabilities, refugees, journalists and children, among others) and thereby protect the fundamental rights to privacy and data protection as afforded to all citizens under the Charter of Fundamental Rights of the European Union (Articles 7 & 8), as well as various international laws and treaties.

In addition to this, we believe that by having a strong ePrivacy Regulation Europe can improve competition and innovation in the Digital Single Market, moving us away from a market controlled and distorted by data-hungry, dominant companies. By boosting this market, publishers will also benefit from a more even playing field, in which they can have the leverage to negotiate freely with advertisers who do not track or profile their readers.

Because of all of the above, we would like to show our support for an ePrivacy Regulation which contains strong safeguards to protect the privacy and confidentiality of electronic communications, including ensuring the following aspects:

● A ban on “tracking walls”.

● Free and informed consent as the only legal ground to process communications data, due to their sensitive nature.

● Privacy by design and by default in hardware and software.

● A prohibition of undermining encryption by not allowing the use of backdoors in software and hardware.

Yours sincerely,

Alexander Hanff, Managing Director, Articl8

On behalf of the following organisations:
ThinkPrivacy,
Startpage
eyeo GmbH
EAID
usercentrics
Chino.io
Piwik PRO
FriendUp
MediaTest
Dilecy
PrivacyCheq
Idka
Amari Inc

=================================================================
Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com

Wednesday, December 11, 2019

CCPA December 6, 2019 Comments

On October 10, 2019, California's Attorney General published a Proposed Text of Regulations for the California Consumer Privacy Act.  Interested parties were invited to publicly comment on the proposed regulations during the period ending December 6th 2019.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on December 5th:

----------------------------------------------------------------------------------------------------------------
December 5, 2019

The Honorable Xavier Becerra
Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
Comments on Proposed Regulations

Dear Mr. Becerra:

 lI am writing on behalf of PrivacyCheq, a Pennsylvania corporation.  We specialize in the design and implementation of transparency and consent management software solutions embracing consumer privacy.

In our work, we focus squarely on optimizing the consumer’s overall privacy experience as they interact with businesses to share personal information.

As such, we wish to commend you on the “consumer friendliness” of the proposed regulations, noting our agreement with the following concepts in particular:

The regulations clearly set forth that there is a difference between a privacy policy  and a privacy notice .  A clear distinction is drawn between the purpose of the privacy policy  and the purpose of the Notice at Collection  relating to their respective use during data collection.  The regs make it clear that the privacy policy document is static and all-inclusive, while the notice is designed to support and promote “just-in-time” individual interactivity.

In defining and specifying three new types of notices  designed to better inform the consumer, the regulator has obviated the “click the I AGREE box or go away” model for transparency at consumer touchpoints.  This is a huge benefit to California consumers.

The regulations clearly state the requirement for Notice at Collection of Personal Information  prior to collecting PI.  As well, they set forth the need for notices to be in plain, straightforward language, avoiding technical and legal jargon, in a readable format (including on smaller screens), accessible to consumers with disabilities, and useful with venue signage.  This is another major bonus for California consumers.

Using Privacy by Design  principles, drafters of the regulations have leveraged important relevant research . The resulting “performance-based” notice design raises the bar for privacy regulation well beyond California’s borders as the privacy world looks for thought leadership in how to effectively communicate privacy information to consumers.

But the October 10th regulations stop short of prescribing or even suggesting what format the new notices might take in actual operation.

PrivacyCheq believes that over time, the presentation of just-in-time privacy notice information will evolve to a loose standard.  We believe that CCPA has a golden opportunity at this time to provide general guidance around what an acceptable paradigm for “just in time” notice delivery might look like.  It is in that spirit that we present the following analysis and suggestion:

What form would a new paradigm for transparency take?  What is a real-world example of how enterprises regularly inform citizens of copious and complex information in a way that is explicit, specific, intelligible, concise, and easily accessible?  We believe that one example of such a paradigm is the ubiquitous Nutrition Facts-style label (Figure 1).

The Nutrition Facts title name and font are familiar and iconic around the world.  The label’s gridded framework supports clear and plain language presenting a prospective buyer/user with a select, concise list of best questions about this specific product. Each issue or question prompts a clear and explicit answer.  The user can digest every detail of the information (unlikely), focus in on a fact of particular interest (calories, sodium, carbs?) or choose to ignore the notice completely (“I trust this business, and know that the facts are here if I ever need them”). 

This nutrition facts information format goes a long way towards organizing the transparency requirements of CCPA, but two major concepts are missing that would make this disclosure format ideal for operational privacy notices.

First, privacy is much more complicated than food.  Single digit or single- word right-hand “answers” to elements of the framework are often inadequate to describe privacy concepts.  For privacy facts, each answer needs to have “drill down” capability to present multiple sublayers of information on request.

Secondly, unlike the flat visual nutrition presentation, a privacy facts notice needs to be interactive.  It needs to place digital control into the hands of the consumer to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation.

Both of these issues can be overcome by purpose-built Privacy-by-designed application software, wherein “drill-down” simplicity and user interactivity become key features.  For our purposes, PrivacyCheq has named the resulting tool a Privacy Facts Interactive Notice or PFIN.

Fully enhanced with drill down and interactive functionality, here are three successive screenshots of how a PFIN might look on a mobile device as a California consumer first views the Notice at Collection (Figure 2), chooses to learn about categories (Figure 3), then chooses to investigate purposes (Figure 4).


A major benefit emerges from marrying nutrition label simplicity with modern digital technology.  The resulting consumer-paced dialogue now becomes operational across the full spectrum of consumer-facing touchpoints (websites, tablets, smartphones, mobile apps, IoT devices, venue signage, QR codes, etc.).

This concept places privacy control into the hands of the consumer to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation. 


Like nutrition facts labeling, the simplicity and familiarity of PFIN notices operate to build trust between business and consumers.  Implementation of this new notice paradigm could go a long way towards simplifying and standardizing businesses’ compliance with CCPA … a major benefit to California consumers.

In summary, PrivacyCheq is enthusiastic about operationalizing CCPA under the proposed regulations to deliver on Californians’ right to privacy by giving consumers positive and effective control over their personal information.

Additionally, we have proposed an open paradigm for notice delivery that we believe could be useful as CCPA regulations face operationalization in the real world.  Thank you for the opportunity to comment.   We stand ready to help however we can.

Sincerely,

Dale R. Smith, CIPT
Futurist
drs@privacycheq.com
 via email to: PrivacyRegulations@doj.ca.gov
------------------------------------------------------------------------------------------------------------------

Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission. 

Thursday, November 7, 2019

How PrivacyCheq's PFIN Handles CCPA's New Notice Requirements

On October 10, 2019, the California Attorney General issued a proposed text of regulations detailing how CCPA will be implemented starting January 1, 2020.   A major feature of this announcement was a heightened focus on Notices to Consumers. In particular, the regulation enumerates and defines four distinct types of CCPA notice, three of which are new:

(1)  Notice at Collection of Personal Information (new)
(2)  Notice of Right to Opt-Out of Sale of Personal Information (new)
(3)  Notice of Financial Incentive (new)
(4)  Privacy Policy (not new, every business has a blanket Privacy Policy)

A careful reading of the three new Notice to Consumers specifications reveals that in addition to making substantial changes to existing blanket Privacy Policy statements, many CCPA-exposed businesses will need to post time-of-collection disclosure notices and dialogues to operationally comply with new "DO NOT SELL MY INFO," Opt-Out/In, and related CCPA consumer rights processes.

Indeed, paragraph 999.305(a)(5) of the proposed regs explicitly states: "If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer.

The new regs also set forth a quality standard for giving notices, specifying that each notice should be "designed and presented to the consumer in a way that is easy to read and understandable to an average consumer,” using "plain, straightforward language,” using "a format that draws the consumer's attention to the notice and makes the notice readable, including on small screens,” and to "be accessible to consumers with disabilities." Given the fact that a large percentage of consumers’ online activity occurs on mobile devices, CCPA notices now need to be automatically adaptive and readable on a wide range of devices.  AG Becerra is placing a high priority on quality disclosure for California’s consumers.

Based on all of the above, PrivacyCheq believes that CCPA has raised the bar for B2C privacy disclosure beyond the scope of the traditional blanket Privacy Policy.  A new, just-in-time interactive format is needed for consumer privacy communication to augment and extend the traditional privacy policy.

Using Privacy-by-Design principles, PrivacyCheq has created a new paradigm for notice delivery that meets these transparency requirements.

Privacy Facts Interactive Notice (PFIN) to the rescue ..

Our new PFIN technology is purpose-built to facilitate a clear, concise, and transparent exchange of information between business and consumer as personal information is gathered and managed.

PFIN’s simplicity, flexibility, and adaptability across desktops, laptops, and mobile devices can best be understood by viewing working examples of its use. We've created samples demonstrating PFIN compliance with CCPA’s 1798.100(b) notice requirements.

PFIN - Sample CCPA Use Case - Notice at Collection

In this use case, a fictitious marketing website is collecting consumer's personal data for marketing purposes. At the time of collection, CCPA requires a privacy notice stating the categories of personal data to be collected, and the purposes for which the information will be used. A simple link from any landing page triggers a Privacy Facts Interactive Notice (PFIN) which fulfills this requirement of the regulation.

Click here for a video of this PFIN notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links to drill down).

PFIN - Sample CCPA Use Case - Notice of Right to Opt-Out of Sale of PI

In this use case, a consumer visits a fictitious marketing website desiring to opt-out of the sale of their personal data. As the consumer opts-out using a link at the bottom of the webpage, the CCPA requires a privacy notice enumerating the consumer’s rights under the regulation, then detailing how the consumer may exercise those rights. The Privacy Facts Interactive Notice (PFIN) fulfills this requirement of the regulation and records the consumer’s choices with respect to their rights.

Click here for a video of this notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links).


Topping the list of PFIN’s many unique features is the fact that it is interactive.  A displayed PFIN inherently sets up a dialog between business and consumer.  The consumer easily controls agenda, pace, and scope of that dialog, clicking on blue text keys to self-brief in real time. Interactivity is the key to solving Privacy’s age old “Post and Hope” conundrum.

PrivacyCheq believes that our new PFIN technology may be of interest if your organization is considering implementing CCPA compliance and the B2C dialogs mandated by the 10/10 regs.

Contact us at info@privacycheq.com to discuss specific use cases.

Thanks for your time and attention.

Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com