Tuesday, March 31, 2020

CCPA March 27, 2020 Comments

On March 11, 2020, California's Attorney General published a NOTICE OF SECOND SET OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS, inviting interested parties to comment on the proposed CCPA regulations during the period ending March 27, 2020.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on March 27th:
---------------------------------------------------------------------------------------------------


The Honorable Xavier Becerra

Attorney General

ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013

Re: Comments on NOTICE OF SECOND SET OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS Released March 11, 2020

Dear Mr. Becerra:

We are writing concerning the removal of guidance regarding the Opt-Out Logo or Button as originally called for in AB-375, now in force.

While the logo/button concept as a means for consumers to signal the DO NOT SELL MY PERSONAL INFORMATION (DNSMPI) preference has proved elusive to prescribe, we believe that the concept of using a recognizable and uniform “trigger” graphic offering key just-in-time information to consumers is a sound concept and should not be abandoned.

Instead of using a single-purpose Button/Logo graphic to just trigger the DO NOT SELL preference, we suggest that the regulation recognize the utility of a standardized graphic trigger (Figures 1 and 2) offering consumers a pop-up menu of interactive “just-in-time” information and choices.

For the trigger graphic, we suggest adapting the public domain “Nutrition Facts” format which is widely used, understood, and trusted by consumers around the world. By substituting the words “Privacy Options” for the words “Nutrition Facts”, and by making the framework interactive, the consumer can be presented with a familiar, trusted display of privacy options. Below are some examples demonstrating how such a trigger graphic might function in practice:

Figure 1 illustrates how a trigger graphic would appear on a sample website as viewed on a large screen (laptop, tablet, etc.). The proposed Privacy Options trigger is highlighted.

Figure 1

Figure 2

Figure 2 illustrates how the same trigger graphic would appear on the screen of a mobile device. The proposed Privacy Options trigger is highlighted.

With a Privacy Options trigger graphic in place, a consumer clicking on that trigger can be immediately presented with an interactive “just-in-time” menu of the business’s information and options. An important distinction here is that the consumer is presented with all relevant options, not just a single, binary opt-out option presented by a logo or button choice.

Figure 3

Figure 3 illustrates a sample “just-in-time” Notice at Collection on a mobile screen for a business that does not sell consumer’s PI.

Hotlinks to appropriate category, purpose, rights, etc. info are clearly displayed, but DNSMPI (Opt-Out) is not displayed as it is not a relevant choice. Confusion is eliminated and consumers’ trust is enhanced.

To further enhance clarity for the consumer, a business may choose to declare outright that they do not sell consumer’s PI (highlighted).

Figure 4

Figure 4 illustrates “just-in-time” choices on a mobile screen for a business that does sell consumer’s PI. The DNSMPI Opt-Out choice (highlighted) is now prominently presented, but still in context with basic category, purpose, rights, and other transparency information.

This is a great benefit to the consumer in that s(he) has single click access to the business’s salient privacy facts before making what is now an informed Opt-Out decision, rather than blindly clicking a binary yes/no button.

Figure 5

Figure 5 illustrates how the consumer can use the “just-in-time” interactive notice to access the business’s full privacy policy if/when full detailed information is desired.

Clicking on the highlighted element will link immediately to the business’s full legal privacy policy.

Concluding, we suggest that operationalizing DNSMPI choice to consumers can best be accomplished by making the Do Not Sell choice a feature of a larger standardized framework offering all relevant choices to the consumer, not just the DNSMPI choice. We suggest that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).

Thinking more generally, as CCPA is implemented, California has the opportunity to inspire a de facto standard for “just-in-time” notice design that could be embraced as best practice within the privacy community at large. As other jurisdictions implement similar regulations across the United States, California’s leadership in defining this standard could foster important harmonization of state and federal laws going forward.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019 and February 24, 2020 respectively:

http://model.consentcheq.com/20191205-ccpa1010-comment.pdf
http://model.consentcheq.com/20200225-ccpa-comment-update.pdf

Thank you for these opportunities to comment.

Sincerely,

Dale R. Smith, CIPT
Futurist
drs@privacycheq.com

--------------------------------------------------------------------------------------------------

Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission. 

Tuesday, February 25, 2020

CCPA February 25, 2020 Comments

On February 7, 2020, California's Attorney General published a NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS, inviting interested parties to comment on the proposed CCPA regulations during the period ending February 25, 2020.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on February 25th:

----------------------------------------------------------------------------------------------------------------

The Honorable Xavier Becerra
Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
Re: Comments on TEXT OF MODIFIED REGULATIONS Released February 7, 2020

Dear Mr. Becerra:

We are writing to express our positive support for the proposed introduction of the “just-in-time” notice concept as an additional means of providing Notice at Collection and Notice of Right to Opt-Out of PI Sale to California consumers.

The term “just-in-time” does not appear in the CCPA law currently in force, nor did it appear in the October 10 PROPOSED TEXT OF REGULATIONS. We welcome the introduction of this fresh concept in the February 7 NOTICE OF MODIFICATION TO TEXT … because we believe it brings into play a simple and practical means for businesses to implement the spirit of CCPA in a way that can build transparency and trust with Californian consumers.

While the term “just-in-time” is new to CCPA, it is not new to the privacy field. Research focused on consumer privacy at institutions such as Carnegie Mellon University, University of Michigan, and American Law Institute has posited for years that providing consumers with relevant and focused privacy information in the moment when they commit to sharing their information with others (the just-in-time notice moment) is a highly desirable best practice.

We believe that the introduction of just-in-time notices technology into CCPA leverages several strong trends in today’s digital marketplace:

Mobile device access for commerce and internet usage has outstripped desktop usage and continues to grow at a robust rate. Mobile use is now the rule, rather than the exception. CCPA’s performance-based approach correctly dictates that consumer notices be clearly and well presented on both desktop and mobile devices, and with equal clarity and ease of access.

Businesses today face growing compliance regulation from an increasing number of jurisdictions, many of which mandate disparate notice and consent requirements for different consumer sets (jurisdiction, age, language, etc.). Accommodating this complexity by adding paragraphs to a business’s legal Privacy Policy renders that document outsized, complex, and practically unfit for compliant Notice at Collection. Recent proposals have suggested that a just-in-time notice be employed as a sub-layer to the mother Privacy Policy.

Consumers today are more aware of their privacy rights than ever before, especially their right to have businesses refrain from selling their personal information. Under CCPA rules, businesses who do sell will display the new Do Not Sell My Personal Information (DNSMPI) button to signal the business to stop.

But there are some businesses who do not sell, never have sold, and have no future plans to sell. While these businesses do not need to display the DNSMPI button, this writer believes that many consumers could wrongly conclude that the absence of the DNSMPI button (i.e. absence of a Do Not Sell choice) infers that this "white hat" business is noncompliant with the spirit of CCPA and should be avoided.

This writer proposes a standard, displayable We Do Not Sell Your Personal Information (WDNSYPI) button to instantly display this fact to the consumer just-in-time with the presentation of other privacy facts.

The OAG’s February 7 release provided no information about how just-in-time notices might appear as implemented in daily practice. For your consideration, here are some snapshot examples of just-in-time notices use cases in a CCPA collection moment using the Privacy Facts Interactive Notice (PFIN) paradigm as described in our previous submission:

Figure 1

Figure 2

Figure 3

Concluding: in this writer’s opinion, the flexibility, accessibility, simplicity, and clarity of just-in-time notice presentation operates to bring California consumers positive and effective control over their personal information. It is an important and welcomed addition to the CCPA regulations.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submission to the CCPA Proposed Regulation (closed on December 6, 2019), available here:

http://model.consentcheq.com/20191205-ccpa1010-comment.pdf

Thank you for these opportunities to comment.


Sincerely,

Dale R. Smith, CIPT
Futurist
drs@privacycheq.com

----------------------------------------------------------------------------------------------------------------

Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission. 

Thursday, January 9, 2020

PrivacyCheq Supports Articl8 ePR Initiative

PrivacyCheq, together with twelve other companies, is a party to an open letter dated 8 January 2020 urging EU member states to include strong privacy safeguards in the new Privacy and Electronic Communications Regulation (ePrivacy Regulation).  The letter is an initiative of Articl8, an industry group of pro-privacy companies focused on privacy as a business case and on protecting the fundamental privacy rights of citizens.

In the letter, we express our support for a strong ePrivacy Regulation that complements the principles and achievements of the GDPR. It is our belief that a tighter legal framework will not only better protect the privacy and confidentiality of electronic communications, but also foster competitiveness and innovation in the Digital Single Market.

Text of the letter is reproduced below:

Open letter to EU member states from Articl8 Members and supporting organisations urging for a privacy focused ePrivacy Regulation 

Stockholm, January 8th 2020


Dear Prime Minister,

We, the members of Articl8 – an industry group of privacy friendly companies – strongly support the European Commission’s proposal for a Regulation of the European Parliament and of the Council concerning respect for internet users’ private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications, hereinafter “ePrivacy Regulation”).

However, the latest suggested compromises at the Council are threatening the strong principles and achievements of the GDPR rather than completing it. Extensive, in particular third-party, online tracking is an attack on Internet users’ fundamental rights. Therefore, it must be legally limited rather than expanded.

It seems that our concerns are shared by several Member States as the Permanent Representatives Committee of the Council of the European Union (COREPER) voted to reject the Council draft of the Regulation on 22nd November.

In light of recent case law from the Court of Justice of the European Union in relation to the applicability of the General Data Protection Regulation (2016/679) and the ePrivacy Directive (2002/58) with regard to the use of online tracking and profiling technologies, Articl8 members feel it is more important than ever to finalise the draft of the ePrivacy Regulation, including strong safeguards to protect personal data, completing the regulations provided in the GDPR.

We believe that a strong, privacy focused ePrivacy Regulation will foster trust, innovation, and competition in the digital environment. It will increase consumer choice allowing users to select those applications and devices that fit their needs while protecting their privacy and security.

This will ensure the protection of the sensitive data which are part of any communications (both content and metadata), which is especially important for the most vulnerable members of our population (people with disabilities, refugees, journalists and children, among others) and thereby protect the fundamental rights to privacy and data protection as afforded to all citizens under the Charter of Fundamental Rights of the European Union (Articles 7 & 8), as well as various international laws and treaties.

In addition to this, we believe that by having a strong ePrivacy Regulation Europe can improve competition and innovation in the Digital Single Market, moving us away from a market controlled and distorted by data-hungry, dominant companies. By boosting this market, publishers will also benefit from a more even playing field, in which they can have the leverage to negotiate freely with advertisers who do not track or profile their readers.

Because of all of the above, we would like to show our support for an ePrivacy Regulation which contains strong safeguards to protect the privacy and confidentiality of electronic communications, including ensuring the following aspects:

● A ban on “tracking walls”.

● Free and informed consent as the only legal ground to process communications data, due to their sensitive nature.

● Privacy by design and by default in hardware and software.

● A prohibition of undermining encryption by not allowing the use of backdoors in software and hardware.

Yours sincerely,

Alexander Hanff, Managing Director, Articl8

On behalf of the following organisations:
ThinkPrivacy,
Startpage
eyeo GmbH
EAID
usercentrics
Chino.io
Piwik PRO
FriendUp
MediaTest
Dilecy
PrivacyCheq
Idka
Amari Inc

=================================================================
Dale Smith, CIPT
Futurist
PrivacyCheq
drs@privacycheq.com