Wednesday, December 11, 2019

CCPA December 6, 2019 Comments

On October 10, 2019, California's Attorney General published a Proposed Text of Regulations for the California Consumer Privacy Act.  Interested parties were invited to publicly comment on the proposed regulations during the period ending December 6th 2019.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on December 5th:

----------------------------------------------------------------------------------------------------------------
December 5, 2019

The Honorable Xavier Becerra
Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
Comments on Proposed Regulations

Dear Mr. Becerra:

I am writing on behalf of PrivacyCheq, a Pennsylvania corporation.  We specialize in the design and implementation of transparency and consent management software solutions embracing consumer privacy.

In our work, we focus squarely on optimizing the consumer’s overall privacy experience as they interact with businesses to share personal information.

As such, we wish to commend you on the “consumer friendliness” of the proposed regulations, noting our agreement with the following concepts in particular:

The regulations clearly set forth that there is a difference between a privacy policy and a privacy notice.  A clear distinction is drawn between the purpose of the privacy policy and the purpose of the Notice at Collection relating to their respective use during data collection.  The regs make it clear that the privacy policy document is static and all-inclusive, while the notice is designed to support and promote “just-in-time” individual interactivity.

In defining and specifying three new types of notices designed to better inform the consumer, the regulator has obviated the “click the I AGREE box or go away” model for transparency at consumer touchpoints.  This is a huge benefit to California consumers.

The regulations clearly state the requirement for Notice at Collection of Personal Information prior to collecting PI.  As well, they set forth the need for notices to be in plain, straightforward language, avoiding technical and legal jargon, in a readable format (including on smaller screens), accessible to consumers with disabilities, and useful with venue signage.  This is another major bonus for California consumers.

Using Privacy by Design principles, drafters of the regulations have leveraged important relevant research. The resulting “performance-based” notice design raises the bar for privacy regulation well beyond California’s borders as the privacy world looks for thought leadership in how to effectively communicate privacy information to consumers.

But the October 10th regulations stop short of prescribing or even suggesting what format the new notices might take in actual operation.

PrivacyCheq believes that over time, the presentation of just-in-time privacy notice information will evolve to a loose standard.  We believe that CCPA has a golden opportunity at this time to provide general guidance around what an acceptable paradigm for “just in time” notice delivery might look like.  It is in that spirit that we present the following analysis and suggestion:

What form would a new paradigm for transparency take?  What is a real-world example of how enterprises regularly inform citizens of copious and complex information in a way that is explicit, specific, intelligible, concise, and easily accessible?  We believe that one example of such a paradigm is the ubiquitous Nutrition Facts-style label (Figure 1).

The Nutrition Facts title name and font are familiar and iconic around the world.  The label’s gridded framework supports clear and plain language presenting a prospective buyer/user with a select, concise list of best questions about this specific product. Each issue or question prompts a clear and explicit answer.  The user can digest every detail of the information (unlikely), focus in on a fact of particular interest (calories, sodium, carbs?) or choose to ignore the notice completely (“I trust this business, and know that the facts are here if I ever need them”).

This nutrition facts information format goes a long way towards organizing the transparency requirements of CCPA, but two major concepts are missing that would make this disclosure format ideal for operational privacy notices.

First, privacy is much more complicated than food.  Single-digit or single-word right-hand “answers” to elements of the framework are often inadequate to describe privacy concepts.  For privacy facts, each answer needs to have “drill down” capability to present multiple sublayers of information on request.

Secondly, unlike the flat visual nutrition presentation, a privacy facts notice needs to be interactive.  It needs to place digital control into the hands of the consumer to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation.

Both of these issues can be overcome by purpose-built Privacy-by-designed application software, wherein “drill-down” simplicity and user interactivity become key features.  For our purposes, PrivacyCheq has named the resulting tool a Privacy Facts Interactive Notice or PFIN.

Fully enhanced with drill down and interactive functionality, here are three successive screenshots of how a PFIN might look on a mobile device as a California consumer first views the Notice at Collection (Figure 2), chooses to learn about categories (Figure 3), then chooses to investigate purposes (Figure 4).
A major benefit emerges from marrying nutrition label simplicity with modern digital technology.  The resulting consumer-paced dialogue now becomes operational across the full spectrum of consumer-facing touchpoints (websites, tablets, smartphones, mobile apps, IoT devices, venue signage, QR codes, etc.).

This concept places privacy control into the hands of the consumer to navigate, view, select, drill down on, expand on, respond to, and exit or ignore the presentation.

Like nutrition facts labeling, the simplicity and familiarity of PFIN notices operate to build trust between business and consumers.  Implementation of this new notice paradigm could go a long way towards simplifying and standardizing businesses’ compliance with CCPA … a major benefit to California consumers.

In summary, PrivacyCheq is enthusiastic about operationalizing CCPA under the proposed regulations to deliver on Californians’ right to privacy by giving consumers positive and effective control over their personal information.

Additionally, we have proposed an open paradigm for notice delivery that we believe could be useful as CCPA regulations face operationalization in the real world.  Thank you for the opportunity to comment.   We stand ready to help however we can.

Sincerely,

Dale R. Smith, CIPT
Futurist
drs@privacycheq.com
via email to: PrivacyRegulations@doj.ca.gov
------------------------------------------------------------------------------------------------------------------

Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission.