Tuesday, March 31, 2020

CCPA March 27, 2020 Comments

On March 11, 2020, California's Attorney General published a NOTICE OF SECOND SET OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS, inviting interested parties to comment on the proposed CCPA regulations during the period ending March 27, 2020.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on March 27th:

The Honorable Xavier Becerra

Attorney General

ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013


Dear Mr. Becerra:

We are writing concerning the removal of guidance regarding the Opt-Out Logo or Button as originally called for in AB-375, now in force.

While the logo/button concept as a means for consumers to signal the DO NOT SELL MY PERSONAL INFORMATION (DNSMPI) preference has proved elusive to prescribe, we believe that the concept of using a recognizable and uniform “trigger” graphic offering key just-in-time information to consumers is a sound concept and should not be abandoned.

Instead of using a single-purpose Button/Logo graphic to just trigger the DO NOT SELL preference, we suggest that the regulation recognize the utility of a standardized graphic trigger (Figures 1 and 2) offering consumers a pop-up menu of interactive “just-in-time” information and choices.

For the trigger graphic, we suggest adapting the public domain “Nutrition Facts” format which is widely used, understood, and trusted by consumers around the world. By substituting the words “Privacy Options” for the words “Nutrition Facts”, and by making the framework interactive, the consumer can be presented with a familiar, trusted display of privacy options. Below are some examples demonstrating how such a trigger graphic might function in practice:

Figure 1 illustrates how a trigger graphic would appear on a sample website as viewed on a large screen (laptop, tablet, etc.). The proposed Privacy Options trigger is highlighted.

Figure 1

Figure 2

Figure 2 illustrates how the same trigger graphic would appear on the screen of a mobile device.  The proposed Privacy Options trigger is highlighted.

With a Privacy Options trigger graphic in place, a consumer clicking on that trigger can be immediately presented with an interactive “just-in-time” menu of the business’s information and options. An important distinction here is that the consumer is presented with all relevant options, not just a single, binary opt-out option presented by a logo or button choice.

Figure 3

Figure 3 illustrates a sample “just-in-time” Notice at Collection on a mobile screen for a business that does not sell consumer’s PI.

Hotlinks to appropriate category, purpose, rights, etc. info are clearly displayed, but DNSMPI (Opt-Out) is not displayed as it is not a relevant choice. Confusion is eliminated and consumers’ trust is enhanced.

To further enhance clarity for the consumer, a business may choose to declare outright that they do not sell consumer’s PI (highlighted).

Figure 4

Figure 4 illustrates “just-in-time” choices on a mobile screen for a business that does sell consumer’s PI. The DNSMPI Opt-Out choice (highlighted) is now prominently presented, but still in context with basic category, purpose, rights, and other transparency information.

This is a great benefit to the consumer in that s(he) has single click access to the business’s salient privacy facts before making what is now an informed Opt-Out decision, rather than blindly clicking a binary yes/no button.

Figure 5

Figure 5 illustrates how the consumer can use the “just-in-time” interactive notice to access the business’s full privacy policy if/when full detailed information is desired.

Clicking on the highlighted element will link immediately to the business’s full legal privacy policy.

Concluding, we suggest that operationalizing DNSMPI choice to consumers can best be accomplished by making the Do Not Sell choice a feature of a larger standardized framework offering all relevant choices to the consumer, not just the DNSMPI choice. We suggest that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).

Thinking more generally, as CCPA is implemented, California has the opportunity to inspire a de facto standard for “just-in-time” notice design that could be embraced as best practice within the privacy community at large. As other jurisdictions implement similar regulations across the United States, California’s leadership in defining this standard could foster important harmonization of state and federal laws going forward.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019 and February 24, 2020 respectively:


Thank you for these opportunities to comment.


Dale R. Smith, CIPT


Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission.