Friday, November 13, 2020

Have You Noticed Notice Chaos?

By Dale Smith, CIPT

Futurist


Older privacy and operations pros remember the good old days when a business covered all of its consumer notice requirements by displaying a lengthy, one-size-fits-all boilerplate Privacy Policy ending in an “I Agree” button.


Those days are gone.  Privacy laws now in force, and those still emerging, treat genuine transparency as a consumer benefit.  New legislation keeps spawning a variety of disclosures that live outside the privacy policy and that businesses must present at consumer touchpoints, both before and at the moment personal information (PI) is actually collected.


Unfortunately, regulators have provided little practical guidance about how these notice features might actually be implemented.  They have left operations and IT staff to build just-in-time transparency without a guiding standard or specification.  The result is the hodgepodge of notice formats and placements that consumers encounter today as they navigate mobile apps and websites.  Viewed through consumer eyes, today’s privacy notices are confusing at best.  At worst, many remain obfuscatory and noncompliant.


Question:  What can be done today to channel this chaos into a solid and permanent consumer benefit?  How could privacy facts be presented to consumers in a more organized and standardized way that would promote true privacy transparency now and into the future?


Answer:  Adapt the food industry’s “Nutrition Label” notice paradigm to the disclosure of privacy information.  As its track record since implementation many years ago shows, this format is relied upon and trusted by millions of consumers as an always-available, always-understandable primary source of nutrition information.


The inherent flexibility of the Nutrition Label paradigm makes it a natural fit for presenting privacy facts.  The title block and font are immediately recognizable and iconic around the world.  The gridded framework supports simple, explicit prompts, each indexed directly to concise business-purpose and sharing details for the PI about to be collected.


And here is the best part:  because a Privacy Facts notice is displayed adaptively on a mobile phone, laptop, tablet, or other “smart screen”, it is no longer a flat image (as on a cereal box).  Rendered on a screen, the label is ready for click/touch interaction.  Consumers can browse, select, and display the specific elements that interest them, then “drill down” into sub-layers or link through to the boilerplate privacy policy.  The presentation is simple and standard.  The consumer is in charge.


A number of leading privacy-conscious industry players have recently recognized the value of Nutrition Label simplicity and consumer-friendliness.  Procter & Gamble’s top privacy officer called for “Nutrition Label” style privacy notices at the 2020 CES show, and in June, Apple endorsed the concept by adding “Nutrition Style” privacy notices to the user experience flow within its popular App Store.  As industry attention and support build, this writer believes that adapting nutrition label styling to privacy disclosure could lead to the formation of a de facto standard.  Need an honest opinion?  Ask a consumer.


Developers have coined the name Privacy Facts Interactive Notice (PFIN) for this new adaptation of a seasoned, proven format.  The paradigm can be seen actively deployed on the internet as “Livestart” conversions are completed.  Live generic demonstrations can be coordinated by contacting the author.


Dale Smith, CIPT

Futurist

PrivacyCheq

drs@privacycheq.com
CCPA October 28, 2020 Comments

October 28, 2020


Lisa B. Kim

Privacy Regulations Coordinator

California Office of the Attorney General

300 South Spring Street, First Floor

Los Angeles, CA 90013


Via Email to:  PrivacyRegulations@doj.ca.gov


Attn:  Honorable Xavier Becerra, Attorney General


Re:  Comments on NOTICE OF THIRD SET OF PROPOSED MODIFICATIONS TO TEXT OF REGULATIONS, Released October 12, 2020


Dear Mr. Becerra:


The newly added section §999.306(b)(3)(a) sets forth an illustrative example of how a consumer can be made aware of the right to opt-out in a brick-and-mortar, offline situation.  It suggests using a printed paper form and/or posting appropriate signage.


We are commenting to point out that both of these methods can be operationally enhanced if combined with the use of a QR code and just-in-time notice in conjunction with the paper form or signage.  Addition of the QR code technology can bring interactivity between business and consumer even in an offline setting.

A fictitious example can demonstrate how this works.  Figure 1 below visualizes one of the many ways a QR code might be deployed for use in an offline retail setting. Here, the content of the signage is static and venue-specific, but the addition of the QR code gives life to a “just-in-time” interactive notice readily available to the consumer.


Figure 1



Seconds after the consumer “shoots” the QR code on the signage using his smartphone app, a §999.306-compliant notice will appear on the consumer’s phone, ready to interactively inform the consumer of appropriate CCPA rights and choices. 


Figure 2 illustrates how that smartphone screen might look.


Figure 2


As before, the content of this fictitious screen visualizes several of the many ways an interactive notice can put consumers in the driver’s seat regarding their privacy choices.  In this example, in addition to presenting drill-down §999.306-specific information, the Do Not Sell, Access, and Deletion rights are set forth as options on the notice’s front page. 

This scenario demonstrates how the addition of public domain QR technology can transform a retail pamphlet or mall sign into an opportunity for a consumer to interact easily and directly with a business in real time to understand and take advantage of privacy rights provided by CCPA.


Regarding our specific comment, we suggest that in order to enrich the illustrative examples referenced in §999.306(b)(3), verbiage should be added to §999.306(b)(3)(a) mentioning the utility of the QR code concept as an efficient and practical means of informing consumers in offline environments. 


Use of a QR “trigger” to deliver on-demand, “just-in-time” notices also meets the purpose under §999.305(a) Notice of Collection and §999.307(a) Notice of Financial Incentive.


Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, and March 27, 2020.


Finally, we respectfully reiterate our previous suggestion that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).


We thank you for these opportunities to comment. 


Dale R. Smith, CIPT

Futurist

drs@privacycheq.com


Tuesday, March 31, 2020

CCPA March 27, 2020 Comments

On March 11, 2020, California's Attorney General published a NOTICE OF SECOND SET OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS, inviting interested parties to comment on the proposed CCPA regulations during the period ending March 27, 2020.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on March 27th:
---------------------------------------------------------------------------------------------------


The Honorable Xavier Becerra

Attorney General

ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013

Re: Comments on NOTICE OF SECOND SET OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS Released March 11, 2020

Dear Mr. Becerra:

We are writing concerning the removal of guidance regarding the Opt-Out Logo or Button as originally called for in AB-375, now in force.

While the logo/button concept as a means for consumers to signal the DO NOT SELL MY PERSONAL INFORMATION (DNSMPI) preference has proved elusive to prescribe, we believe that the concept of using a recognizable and uniform “trigger” graphic offering key just-in-time information to consumers is a sound concept and should not be abandoned.

Instead of using a single-purpose Button/Logo graphic to just trigger the DO NOT SELL preference, we suggest that the regulation recognize the utility of a standardized graphic trigger (Figures 1 and 2) offering consumers a pop-up menu of interactive “just-in-time” information and choices.

For the trigger graphic, we suggest adapting the public domain “Nutrition Facts” format which is widely used, understood, and trusted by consumers around the world. By substituting the words “Privacy Options” for the words “Nutrition Facts”, and by making the framework interactive, the consumer can be presented with a familiar, trusted display of privacy options. Below are some examples demonstrating how such a trigger graphic might function in practice:

Figure 1 illustrates how a trigger graphic would appear on a sample website as viewed on a large screen (laptop, tablet, etc.). The proposed Privacy Options trigger is highlighted.

Figure 1



Figure 2


Figure 2 illustrates how the same trigger graphic would appear on the screen of a mobile device.  The proposed Privacy Options trigger is highlighted.

With a Privacy Options trigger graphic in place, a consumer clicking on that trigger can be immediately presented with an interactive “just-in-time” menu of the business’s information and options. An important distinction here is that the consumer is presented with all relevant options, not just a single, binary opt-out option presented by a logo or button choice.

Figure 3


Figure 3 illustrates a sample “just-in-time” Notice at Collection on a mobile screen for a business that does not sell consumers’ PI.

Hotlinks to appropriate category, purpose, rights, etc. info are clearly displayed, but DNSMPI (Opt-Out) is not displayed as it is not a relevant choice. Confusion is eliminated and consumers’ trust is enhanced.

To further enhance clarity for the consumer, a business may choose to declare outright that it does not sell consumers’ PI (highlighted).

Figure 4


Figure 4 illustrates “just-in-time” choices on a mobile screen for a business that does sell consumers’ PI.  The DNSMPI Opt-Out choice (highlighted) is now prominently presented, but still in context with basic category, purpose, rights, and other transparency information.

This is a great benefit to the consumer in that he or she has single-click access to the business’s salient privacy facts before making what is now an informed Opt-Out decision, rather than blindly clicking a binary yes/no button.

Figure 5


Figure 5 illustrates how the consumer can use the “just-in-time” interactive notice to access the business’s full privacy policy if/when full detailed information is desired.

Clicking on the highlighted element will link immediately to the business’s full legal privacy policy.

Concluding, we suggest that operationalizing DNSMPI choice to consumers can best be accomplished by making the Do Not Sell choice a feature of a larger standardized framework offering all relevant choices to the consumer, not just the DNSMPI choice. We suggest that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).

Thinking more generally, as CCPA is implemented, California has the opportunity to inspire a de facto standard for “just-in-time” notice design that could be embraced as best practice within the privacy community at large. As other jurisdictions implement similar regulations across the United States, California’s leadership in defining this standard could foster important harmonization of state and federal laws going forward.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019 and February 24, 2020 respectively:

http://model.consentcheq.com/20191205-ccpa1010-comment.pdf
http://model.consentcheq.com/20200225-ccpa-comment-update.pdf

Thank you for these opportunities to comment.

Sincerely,

Dale R. Smith, CIPT
Futurist
drs@privacycheq.com

--------------------------------------------------------------------------------------------------

Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission.