
Friday, November 13, 2020

Have You Noticed Notice Chaos?

By Dale Smith, CIPT

Futurist


Older privacy and operations pros remember the good old days when a business covered all consumer notice requirements by screening a lengthy “one size fits all” boilerplate Privacy Policy ending with the “I Agree” button.


Those days are now gone.  Modern in-force and emerging privacy laws are focused on true transparency as a consumer benefit.  Newer, emerging legislation is relentlessly spawning a variety of off-privacy-policy disclosures that businesses are mandated to present at consumer touchpoints prior to and at the moment when live Privacy Information is ingested.


Unfortunately, regulators have provided little practical guidance and thought leadership as to how these notice features might actually be implemented.  They have left operations and IT staff to implement just-in-time transparency without a guiding standard or specification. The result is the hodgepodge of notice formats and placement that consumers encounter today as they negotiate mobile apps and websites.  Viewed through consumer eyes, today’s privacy notices are confusing at best.  At worst, many remain obfuscational and noncompliant.


Question:  What can be done today to channel this chaos into a solid and permanent consumer benefit?  How could privacy facts be presented to consumers in a more organized and standardized way that would promote true privacy transparency now and into the future?


Answer:  Adapt the food industry’s “Nutrition Label” notice paradigm for disclosing privacy information to consumers. Evidenced by its success since implementation many years ago, this format is relied upon and trusted by millions of consumers as an always-available, always-understandable prime source of nutrition information.


The inherent flexibility of the Nutrition Label paradigm makes it a natural fit for presenting privacy facts and information.  The title block and font are immediately recognizable and iconic around the world.  The gridded framework supports simple, explicit prompts, directly indexing to concise business purpose and sharing details about the PI about to be collected.


And here’s the best part:  Because the Privacy Facts notice is adaptively displayed on a mobile, laptop, tablet, or other “smart screen”, it no longer presents as a flat image (as on a cereal box).  Boosted by technology, the label automatically presents ready for click/touch interaction.  Consumers can browse, select, and display specific elements of interest, then “drill down” into sub-layers and/or link into boilerplate privacy policy.  The presentation is simple and standard.  The consumer is in charge.


A number of leading privacy-conscious industry players have recently recognized the value of Nutrition Label simplicity and consumer-friendliness. Procter & Gamble’s top privacy officer called for “Nutrition Label” style privacy notices at the 2020 CES show, and in June, Apple endorsed the concept by adding “Nutrition Style” privacy notices to the user experience flow within its popular app store. As industry attention and support builds, this writer believes that adapting nutrition label styling to privacy disclosure could lead to formation of a de facto standard. Need an honest opinion? Ask a consumer.


Developers have coined the name Privacy Facts Interactive Notice (PFIN) for this new adaptation of seasoned, proven technology.  The paradigm can be seen actively deployed on the internet as “Livestart” conversions are completed.  Live generic demonstrations can be coordinated by contacting the author.


Dale Smith, CIPT

Futurist

PrivacyCheq

drs@privacycheq.com




CCPA October 28, 2020 Comments

October 28, 2020


Lisa B. Kim

Privacy Regulations Coordinator

California Office of the Attorney General

300 South Spring Street, First Floor

Los Angeles, CA 90013


Via Email to:  PrivacyRegulations@doj.ca.gov


Attn:  Honorable Xavier Becerra, Attorney General


Re:  Comments on NOTICE OF THIRD SET OF PROPOSED MODIFICATIONS TO TEXT OF REGULATIONS, Released October 12, 2020


Dear Mr. Becerra:


The newly added section §999.306(b)(3)(a) sets forth an illustrative example of how a consumer can be made aware of the right to opt-out in a brick-and-mortar, offline situation.  It suggests using a printed paper form and/or posting appropriate signage.


We are commenting to point out that both of these methods can be operationally enhanced if combined with the use of a QR code and just-in-time notice in conjunction with the paper form or signage.  Addition of the QR code technology can bring interactivity between business and consumer even in an offline setting.




A fictitious example can demonstrate how this works.  Figure 1 below visualizes one of the many ways a QR code might be deployed for use in an offline retail setting. Here, the content of the signage is static and venue-specific, but the addition of the QR code gives life to a “just-in-time” interactive notice readily available to the consumer.


Figure 1



Seconds after the consumer “shoots” the QR code on the signage using his smartphone app, a §999.306-compliant notice will appear on the consumer’s phone, ready to interactively inform the consumer of appropriate CCPA rights and choices. 


Figure 2 illustrates how that smartphone screen might look.

 

Figure 2


As before, the content of this fictitious screen visualizes several of the many ways an interactive notice can put consumers in the driver’s seat regarding their privacy choices.  In this example, in addition to presenting drill-down §999.306-specific information, the Do Not Sell, Access, and Deletion rights are set forth as options on the notice’s front page. 

This scenario demonstrates how the addition of public domain QR technology can transform a retail pamphlet or mall sign into an opportunity for a consumer to interact easily and directly with a business in real time to understand and take advantage of privacy rights provided by CCPA.

  

Regarding our specific comment, we suggest that in order to enrich the illustrative examples referenced in §999.306(b)(3), verbiage should be added to §999.306(b)(3)(a) mentioning the utility of the QR code concept as an efficient and practical means of informing consumers in offline environments. 


Use of a QR “trigger” to deliver on-demand, “just-in-time” notices also meets the purpose under §999.305(a) Notice of Collection and §999.307(a) Notice of Financial Incentive.


Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, and March 27, 2020.


Finally, we respectfully reiterate our previous suggestion that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).


We thank you for these opportunities to comment. 


Dale R. Smith, CIPT

Futurist

drs@privacycheq.com