October, 28, 2020
Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013
Via Email to: PrivacyRegulations@doj.ca.gov
Attn: Honorable Xavier Becerra, Attorney General
Re: Comments on NOTICE OF THIRD SET OF PROPOSED MODIFICATIONS TO TEXT OF REGULATIONS, Released October 12, 2020
Dear Mr. Becerra:
The newly added section §999.306(b)(3)(a) sets forth an illustrative example of how a consumer can be made aware of the right to opt-out in a brick-and-mortar, offline situation. It suggests using a printed paper form and/or by posting appropriate signage.
We are commenting to point out that both of these methods can be operationally enhanced if combined with the use of a QR code and just-in-time notice in conjunction with the paper form or signage. Addition of the QR code technology can bring interactivity between business and consumer even in an offline setting.
A fictitious example can demonstrate how this works. Figure 1 below visualizes one of the many ways a QR code might be deployed for use in an offline retail setting. Here, the content of the signage is static and venue-specific, but the addition of the QR code gives life to a “just-in-time” interactive notice readily available to the consumer.
Seconds after the consumer “shoots” the QR code on the signage using his smartphone app, a §999.306-compliant notice will appear on the consumer’s phone, ready to interactively inform the consumer of appropriate CCPA rights and choices.
Figure 2 illustrates how that smartphone screen might look.
As before, the content of this fictitious screen visualizes several of the many ways an interactive notice can put consumers in the driver’s seat regarding their privacy choices. In this example, in addition to presenting drill-down §999.306-specific information, the Do Not Sell, Access, and Deletion rights are set forth as options on the notice’s front page.
This scenario demonstrates how the addition of public domain QR technology can transform a retail pamphlet or mall sign into an opportunity for a consumer to interact easily and directly with a business in real time to understand and take advantage of privacy rights provided by CCPA.
Regarding our specific comment, we suggest that in order to enrich the illustrative examples referenced in §999.306(b)(3), verbiage should be added to §999.306(b)(3)(a) mentioning the utility of the QR code concept as an efficient and practical means of informing consumers in offline environments.
Use of a QR “trigger” to deliver on-demand, “just-in-time” notices also meets the purpose under §999.305(a) Notice of Collection and §999.307(a) Notice of Financial Incentive.
Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, and March 27, 2020.
Finally, we respectfully reiterate our previous suggestion that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).
We thank you for these opportunities to comment.
Dale R. Smith, CIPT