Thursday, November 7, 2019

How PrivacyCheq's PFIN Handles CCPA's New Notice Requirements

On October 10, 2019, the California Attorney General issued a proposed text of regulations detailing how CCPA will be implemented starting January 1, 2020.   A major feature of this announcement was a heightened focus on Notices to Consumers. In particular, the regulation enumerates and defines four distinct types of CCPA notice, three of which are new:

(1)  Notice at Collection of Personal Information (new)
(2)  Notice of Right to Opt-Out of Sale of Personal Information (new)
(3)  Notice of Financial Incentive (new)
(4)  Privacy Policy (not new, every business has a blanket Privacy Policy)

A careful reading of the three new Notice to Consumers specifications reveals that in addition to making substantial changes to existing blanket Privacy Policy statements, many CCPA-exposed businesses will need to post time-of-collection disclosure notices and dialogues to operationally comply with new "DO NOT SELL MY INFO," Opt-Out/In, and related CCPA consumer rights processes.

Indeed, paragraph 999.305(a)(5) of the proposed regs explicitly states: "If a business does not give the notice at collection to the consumer at or before the collection of their personal information, the business shall not collect personal information from the consumer."

The new regs also set forth a quality standard for giving notices, specifying that each notice should be "designed and presented to the consumer in a way that is easy to read and understandable to an average consumer," using "plain, straightforward language," using "a format that draws the consumer's attention to the notice and makes the notice readable, including on small screens," and to "be accessible to consumers with disabilities." Given the fact that a large percentage of consumers’ online activity occurs on mobile devices, CCPA notices now need to be automatically adaptive and readable on a wide range of devices. AG Becerra is placing a high priority on quality disclosure for California’s consumers.

Based on all of the above, PrivacyCheq believes that CCPA has raised the bar for B2C privacy disclosure beyond the scope of the traditional blanket Privacy Policy.  A new, just-in-time interactive format is needed for consumer privacy communication to augment and extend the traditional privacy policy.

Using Privacy-by-Design principles, PrivacyCheq has created a new paradigm for notice delivery that meets these transparency requirements.

Privacy Facts Interactive Notice (PFIN) to the rescue ...

Our new PFIN technology is purpose-built to facilitate a clear, concise, and transparent exchange of information between business and consumer as personal information is gathered and managed.

PFIN’s simplicity, flexibility, and adaptability across desktops, laptops, and mobile devices can best be understood by viewing working examples of its use. We've created samples demonstrating PFIN compliance with CCPA’s 1798.100(b) notice requirements.

PFIN - Sample CCPA Use Case - Notice at Collection

In this use case, a fictitious marketing website is collecting consumers' personal data for marketing purposes. At the time of collection, CCPA requires a privacy notice stating the categories of personal data to be collected, and the purposes for which the information will be used. A simple link from any landing page triggers a Privacy Facts Interactive Notice (PFIN) which fulfills this requirement of the regulation.

Click here for a video of this PFIN notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links to drill down).

PFIN - Sample CCPA Use Case - Notice of Right to Opt-Out of Sale of PI

In this use case, a consumer visits a fictitious marketing website desiring to opt out of the sale of their personal data. As the consumer opts out using a link at the bottom of the webpage, the CCPA requires a privacy notice enumerating the consumer’s rights under the regulation, then detailing how the consumer may exercise those rights. The Privacy Facts Interactive Notice (PFIN) fulfills this requirement of the regulation and records the consumer’s choices with respect to their rights.

Click here for a video of this notice in action.
Click here to see how it looks to the consumer (and be sure to click the blue links).

Topping the list of PFIN’s many unique features is the fact that it is interactive. A displayed PFIN inherently sets up a dialog between business and consumer. The consumer easily controls the agenda, pace, and scope of that dialog, clicking on blue text keys to self-brief in real time. Interactivity is the key to solving Privacy’s age-old “Post and Hope” conundrum.

PrivacyCheq believes that our new PFIN technology may be of interest if your organization is considering implementing CCPA compliance and the B2C dialogs mandated by the 10/10 regs.

Contact us at to discuss specific use cases.

Thanks for your time and attention.

Dale Smith, CIPT