Tuesday, December 29, 2020

CCPA December 28, 2020 Comments

December 28, 2020

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

Via Email to: PrivacyRegulations@doj.ca.gov

Attn: Honorable Xavier Becerra, Attorney General


Dear Mr. Becerra:

The subject of this comment is the newly added “Opt-Out Button” proposed in §999.306(f), and the overall effect that the implementation of notice transparency may have on the success of CCPA/CPRA in achieving California's goal of protecting consumers’ privacy.

In that connection, we write to make the following observations:

As introduced under §999.306 Notice of Right to Opt-Out of Sale of Personal Information, the “Opt-Out Button” as presented in §999.306(f) is linked directly to and solely associated with presenting the “Do Not Sell My Personal Information” right (DNSMPI) and choice to consumers. DNSMPI is its sole function, by definition.

This implementation fulfills the OAG’s pending requirement under 1798.185(a)(4)(C) to provide a uniform opt-out button. As a consequence, however, the “Opt-Out Button” (OOB) becomes just that: a button provided for the sole purpose of opting out. Any use of the OOB for another purpose is confusing and at cross purposes with the regulation.

Sections §999.305 Notice at Collection of Personal Information and §999.307 Notice of Financial Incentive are equally foundational elements of CCPA notice transparency. Both are similar in scope and purpose to §999.306. And as a means of just-in-time briefing of consumers on privacy rights, they are as important as the DNSMPI because:

  • Not every company collects PI from consumers.
  • Not every company that collects PI from consumers sells it.
  • Not every consumer seeking contact/category/purpose/policy information (at collection time) is interested in exercising DNSMPI rights.
  • Companies that do not sell PI (and do not display a DNSMPI) run the risk of being seen as consumer-unfriendly based on logo confusion. (“If I can’t see the DNSMPI, this must be a bad company.”)

From a consumer’s point of view, we believe that Notice at Collection and Notice of Financial Incentive are as important as Notice of Right to Opt-Out in terms of consumer access. Each should be equally available and accessible at points of consumer access and PI ingress.

As the CCPA regulations are operationalized, there is a risk that the single-purpose Opt-Out Button as currently specified could be misunderstood and misused by companies and consumers alike to be a “CCPA privacy information button”, to be pressed for any privacy purpose. Allowing this to happen could lead to a chaotic breakdown of essential communication between companies and consumers, which should be avoided at all costs.

With California now in the driver’s seat for implementing privacy legislation that could form the model for many North American jurisdictions (including a national US law), we believe that the time is right for practical operational guidance to be put forward. California needs to get this right, or risk losing consumer trust for the privacy community in general.

As one means to fill this transparency “vacuum”, we suggest employing a standardized graphic framework (trigger) image at consumer touchpoints that allows companies of all sizes to guide consumers’ attention to simply organized just-in-time information covering all elements of consumer access, not just DNSMPI.

We suggest the adaptation of the Nutrition Label-style framework for this purpose. The NL paradigm readily accommodates consumers’ access to information under all three notice types, as well as providing single-click linked access into a company’s master privacy policy document as a final point of reference.

A testament to the flexibility and acceptance of the NL paradigm can be seen displayed on food items of every size, description, and composition in stores everywhere. Each Nutrition Facts label lists simple facts in order of importance to consumers. A Privacy Facts label builds on that same simplicity, but leverages technology by displaying simple and concise privacy information in real time as directed by the consumer.

Use of the NL paradigm brings a number of non-CCPA benefits:

It provides an operational means for transitioning away from the misuse of “cookie notices” and “cookie banners” as vessels for dispensing CCPA/CPRA information.

As a national privacy law is debated in Washington, a well-conceived and implemented CCPA/CPRA notice model will attract the attention of many state jurisdictions, leading to passage of a comprehensive national law rather than a fragmented quilt of state regulations. This would be a testimony to California’s thought leadership and a large benefit to the nation’s consumers in general.

As the US struggles for privacy adequacy with the EU and other continents, the flexibility and scope of the NL paradigm can work to promote transparency agreement across continents. Nutrition Labels are used and trusted around the world, not just in the USA.

Regarding our specific comment on the 4th set of proposed regulations, we suggest that language be added within the regulations to name the Nutrition Label paradigm as a recognized foundational tool for meeting the notice transparency requirements of CCPA/CPRA.

Additional descriptive information on practical CCPA notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, March 27, 2020, and October 28, 2020.

We thank you for these opportunities to comment.

Dale R. Smith, CIPT


Friday, November 13, 2020

Have You Noticed Notice Chaos?

By Dale Smith, CIPT


Older privacy and operations pros remember the good old days when a business covered all consumer notice requirements by screening a lengthy “one size fits all” boilerplate Privacy Policy ending with the “I Agree” button.

Those days are now gone. Modern in-force and emerging privacy laws are focused on true transparency as a consumer benefit. Newer, emerging legislation is relentlessly spawning a variety of off-privacy-policy disclosures that businesses are mandated to present at consumer touchpoints prior to and at the moment when live Privacy Information is ingested.

Unfortunately, regulators have provided little practical guidance and thought leadership as to how these notice features might actually be implemented. They have left operations and IT staff to implement just-in-time transparency without a guiding standard or specification. The result is the hodgepodge of notice formats and placement that consumers encounter today as they negotiate mobile apps and websites. Viewed through consumer eyes, today’s privacy notices are confusing at best. At worst, many remain obfuscatory and noncompliant.

Question: What can be done today to channel this chaos into a solid and permanent consumer benefit? How could privacy facts be presented to consumers in a more organized and standardized way that would promote true privacy transparency now and into the future?

Answer: Adapt the food industry’s “Nutrition Label” notice paradigm for disclosing privacy information to consumers. Evidenced by its success since implementation many years ago, this format is relied upon and trusted by millions of consumers as an always-available, always-understandable prime source of nutrition information.

The inherent flexibility of the Nutrition Label paradigm makes it a natural fit for presenting privacy facts and information. The title block and font are immediately recognizable and iconic around the world. The gridded framework supports simple, explicit prompts, directly indexing to concise business purpose and sharing details about the PI about to be collected.

And here’s the best part: Because the Privacy Facts notice is adaptively displayed on a mobile, laptop, tablet, or other “smart screen”, it no longer presents as a flat image (as on a cereal box). Boosted by technology, the label automatically presents ready for click/touch interaction. Consumers can browse, select, and display specific elements of interest, then “drill down” into sub-layers and/or link into the boilerplate privacy policy. The presentation is simple and standard. The consumer is in charge.

A number of leading privacy-conscious industry players have recently recognized the value of Nutrition Label simplicity and consumer-friendliness. Procter & Gamble’s top privacy officer called for “Nutrition Label” style privacy notices at the 2020 CES show, and in June, Apple endorsed the concept by adding “Nutrition Style” privacy notices to the user experience flow within its popular app store. As industry attention and support builds, this writer believes that adapting nutrition label styling to privacy disclosure could lead to formation of a de facto standard. Need an honest opinion? Ask a consumer.

Developers have coined the name Privacy Facts Interactive Notice (PFIN) for this new adaptation of seasoned, proven technology. The paradigm can be seen actively deployed on the internet as “Livestart” conversions are completed. Live generic demonstrations can be coordinated by contacting the author.

Dale Smith, CIPT

CCPA October 28, 2020 Comments

October 28, 2020

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

Via Email to: PrivacyRegulations@doj.ca.gov

Attn: Honorable Xavier Becerra, Attorney General


Dear Mr. Becerra:

The newly added section §999.306(b)(3)(a) sets forth an illustrative example of how a consumer can be made aware of the right to opt-out in a brick-and-mortar, offline situation. It suggests using a printed paper form and/or posting appropriate signage.

We are commenting to point out that both of these methods can be operationally enhanced if combined with a QR code and a just-in-time notice, used in conjunction with the paper form or signage. Addition of QR code technology can bring interactivity between business and consumer even in an offline setting.

A fictitious example can demonstrate how this works. Figure 1 below visualizes one of the many ways a QR code might be deployed for use in an offline retail setting. Here, the content of the signage is static and venue-specific, but the addition of the QR code gives life to a “just-in-time” interactive notice readily available to the consumer.

Figure 1

Seconds after the consumer “shoots” the QR code on the signage using his smartphone app, a §999.306-compliant notice will appear on the consumer’s phone, ready to interactively inform the consumer of appropriate CCPA rights and choices.

Figure 2 illustrates how that smartphone screen might look.

Figure 2

As before, the content of this fictitious screen visualizes several of the many ways an interactive notice can put consumers in the driver’s seat regarding their privacy choices. In this example, in addition to presenting drill-down §999.306-specific information, the Do Not Sell, Access, and Deletion rights are set forth as options on the notice’s front page.

This scenario demonstrates how the addition of public domain QR technology can transform a retail pamphlet or mall sign into an opportunity for a consumer to interact easily and directly with a business in real time to understand and take advantage of the privacy rights provided by CCPA.

Regarding our specific comment, we suggest that, in order to enrich the illustrative examples referenced in §999.306(b)(3), language be added to §999.306(b)(3)(a) mentioning the utility of the QR code concept as an efficient and practical means of informing consumers in offline environments.

Use of a QR “trigger” to deliver on-demand, “just-in-time” notices also serves the purposes of §999.305(a) Notice at Collection and §999.307(a) Notice of Financial Incentive.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, and March 27, 2020.

Finally, we respectfully reiterate our previous suggestion that the ubiquitous Nutrition Label framework be named within the regulations as an example of a readily adaptable standard and functional implementation of what is called for in §1798.185(a)(4)(C).

We thank you for these opportunities to comment.

Dale R. Smith, CIPT