Tuesday, December 29, 2020

CCPA December 28, 2020 Comments

December 28, 2020

Lisa B. Kim
Privacy Regulations Coordinator
California Office of the Attorney General
300 South Spring Street, First Floor
Los Angeles, CA 90013

Via Email to: PrivacyRegulations@doj.ca.gov

Attn: Honorable Xavier Becerra, Attorney General


Dear Mr. Becerra:

The subject of this comment is the newly-added “Opt-Out Button” proposed in §999.306(f) and the overall effect the implementation of notice transparency may have on CCPA/CPRA success in achieving California's goal of protecting consumers’ privacy.

In that connection, we write to make the following observations:

As introduced under §999.306 Notice of Right to Opt-Out of Sale of Personal Information, the “Opt-Out Button” as presented in §999.306(f) is linked directly to and solely associated with presenting the “Do Not Sell My Personal Information” right (DNSMPI) and choice to consumers. DNSMPI is its sole function, by definition.

This implementation fulfills the OAG’s pending requirement of 1798.185(a)(4)(C) to provide a uniform opt-out button. As a consequence, however, the “Opt-Out Button” becomes just that … a button provided for the sole purpose of opting-out. Any use of the OOB for another purpose is confusing and at cross purposes with the regulation.

Paragraphs §999.305 Notice at Collection of Personal Information and §999.307 Notice of Financial Incentive are equally foundational elements of CCPA notice transparency. Both are similar in scope and purpose to §999.306. And as a means of just-in-time briefing of consumers on privacy rights, they are as important as the DNSMPI because:

  • Not every company collects PI from consumers.
  • Not every company that collects PI from consumers sells it.
  • Not every consumer seeking contact/category/purpose/policy information (at collection time) is interested in exercising DNSMPI rights.
  • Companies who do not sell PI (and do not display a DNSMPI) run the risk of being seen as consumer-unfriendly based on logo confusion. (“If I can’t see the DNSMPI, this must be a bad company.”)

From a consumer’s point of view, we believe that Notice at Collection and Notice of Financial Incentive are as important as Notice of Right to Opt-Out in terms of consumer access. Each should be equally available and accessible at points of consumer access and PI ingress.

As the CCPA regulations are operationalized, there is a risk that the single-purpose Opt-Out Button as currently specified could be misunderstood and misused by companies and consumers alike to be a “CCPA privacy information button”, to be pressed for any privacy purpose. Allowing this to happen could lead to a chaotic breakdown of essential communication between companies and consumers, which should be avoided at all costs.

With California now in the driver’s seat for implementing privacy legislation that could form the model for many North American jurisdictions (including a national US law), we believe that the time is right for practical operational guidance to be put forward. California needs to get this right, or risk losing consumer trust for the privacy community in general.

As one means to fill this transparency “vacuum”, we suggest employing a standardized graphic framework (trigger) image at consumer touchpoints that allows companies of all sizes to guide consumers’ attention to simply organized just-in-time information covering all elements of consumer access, not just DNSMPI.

We suggest the adaptation of the Nutrition Label-style framework for this purpose. The NL paradigm readily accommodates consumers’ access to information under all three notice types, as well as providing single-click linked access into a company’s mother privacy policy document as a final point of reference.

A testament to the flexibility and acceptance of the NL paradigm can be seen displayed on food items of every size, description, and composition in stores everywhere. Each Nutrition Facts label lists simple facts in order of importance to consumers. A Privacy Facts label builds on that same simplicity, but leverages technology by displaying simple and concise privacy information in real time as directed by the consumer.

Use of the NL paradigm brings a number of non-CCPA benefits:

It provides an operational means for transitioning away from the misuse of “cookie notices” and “cookie banners” as vessels for dispensing CCPA/CPRA information.

As a national privacy law is debated in Washington, a well-conceived and implemented CCPA/CPRA notice model will attract the attention of many state jurisdictions, leading to passage of a comprehensive national law rather than a fragmented quilt of state regulations. This would be a testimony to California’s thought leadership and a large benefit to the nation’s consumers in general.

As the US struggles for privacy adequacy with the EU and other continents, the flexibility and scope of the NL paradigm can work to promote transparency agreement across continents. Nutrition Labels are used and trusted around the world, not just in the USA.

Regarding our specific comment on the 4th set of proposed regulations, we suggest that language be added within the regulations to name the Nutrition Label paradigm as a recognized foundational tool for meeting the notice transparency requirements of CCPA/CPRA.

Additional descriptive information on practical CCPA notice implementation can be found in PrivacyCheq’s previous comment submissions to the CCPA Proposed Regulation which closed on December 6, 2019, February 24, 2020, March 27, 2020, and October 28, 2020.

We thank you for these opportunities to comment.

Dale R. Smith, CIPT