Tuesday, February 25, 2020

CCPA February 25, 2020 Comments

On February 7, 2020, California's Attorney General published a NOTICE OF MODIFICATIONS TO TEXT OF PROPOSED REGULATIONS,  inviting interested parties to comment on the proposed CCPA regulations during the period ending February 25, 2020.

The following is the text of PrivacyCheq's comment to AG Becerra which was emailed on February 25th:


The Honorable Xavier Becerra
Attorney General
ATTN: Privacy Regulations Coordinator
300 South Spring Street, First Floor
Los Angeles, CA 90013
Re: Comments on TEXT OF MODIFIED REGULATIONS Released February 7, 2020

Dear Mr. Becerra:

We are writing to express our positive support for the proposed introduction of the “just-in-time” notice concept as an additional means of providing Notice at Collection and Notice of Right to Opt-Out of PI Sale to California consumers.

The term “just-in-time” does not appear in the CCPA law currently in force, nor did it appear in the October 10 PROPOSED TEXT OF REGULATIONS.  We welcome the introduction of this fresh concept in the February 7, NOTICE OF MODIFICATION TO TEXT … because we believe it brings into play a simple and practical means for businesses to implement the spirit of CCPA in a way that can build transparency and trust with Californian consumers.

While the term “just-in-time” is new to CCPA, it is not new to the privacy field. Research focused on consumer privacy at institutions such as Carnegie Mellon University, University of Michigan, and American Law Institute has posited for years that providing consumers with relevant and focused privacy information in the moment when they commit to sharing their information with others (the just-in-time notice moment) is a highly desirable best practice.

We believe that the introduction of just-in-time notices technology into CCPA leverages several strong trends in today’s digital marketplace:

 Mobile device access for commerce and internet usage has outstripped desktop usage and continues to grow at a robust rate.  Mobile use is now the rule, rather than the exception.  CCPA’s performance-based approach correctly dictates that consumer notices be clearly and well presented on both desktop and mobile devices, and with equal clarity and ease of access.

Businesses today face growing compliance regulation from an increasing number of jurisdictions, many of which mandate disparate notice and consent requirements for different consumer sets (jurisdiction, age, language, etc.).  Accommodating this complexity by adding paragraphs to a business’ legal Privacy Policy renders that document outsized, complex, and practically unfit for compliant Notice at Collection.  Recent proposals have suggested that a just-in-time notice be employed as a sub-layer to the mother Privacy Policy.

Consumers today are more aware of their privacy rights than ever before, especially their right to have businesses refrain from selling their personal information. Under CCPA rules, businesses who do sell will display the new Do Not Sell My Personal Information (DNSMPI) button to signal the business to stop.

But there are some businesses who do not sell, never have sold, and have no future plans to sell.  While these businesses do not need to display the DNSMPI button, this writer believes that many consumers could wrongly conclude that the absence of the DNSMPI button (i.e absence of a Do Not Sell choice) infers that this "white hat" business is noncompliant with the spirit of CCPA and should be avoided.

This writer proposes a standard, displayable We Do Not Sell Your Personal Information WDNSYPI button to instantly display this fact to the consumer just-in-time with the presentation of other privacy facts..

The OAG’s February 7 release provided no information about how just-in-time notices might appear as implemented in daily practice.  For your consideration, here are some snapshot examples of just-in-time notices use cases in a CCPA collection moment using the Privacy Facts Interactive Notice (PFIN) paradigm as described in our previous submission:

Figure 1

Figure 2

Figure 3

Concluding: in this writer’s opinion, the flexibility, accessibility, simplicity, and clarity of just-in-time notice presentation operates to bring California consumers positive and effective control over their personal information. It is an important and welcomed addition to the CCPA regulations.

Additional information on practical CCPA just-in-time notice implementation can be found in PrivacyCheq’s previous comment submission to the CCPA Proposed Regulation (closed on December 6, 2019), available here:


Thank you for these opportunities to comment.


Dale R. Smith, CIPT


Please contact PrivacyCheq at info@privacycheq.com to schedule a live demonstration of all of the technology and concepts depicted in the above submission.