Preliminary Comments - Reducing Friction in the Exercise of Privacy Rights and Opt-Out Preference Signals
In-House Privacy, Inc. (“IHP”) is a law firm that serves numerous businesses subject to the California Consumer Privacy Act (“CCPA”). IHP submits these comments on its own behalf in response to the California Privacy Protection Agency (“CalPrivacy”) request for input on reducing friction in the exercise of privacy rights and opt-out preference signals.
Questions for Preliminary Comment
Reducing friction in the exercise of privacy rights
What challenges do consumers experience when they exercise their privacy rights, and how can the regulations address them?
For example, consumers may experience challenges, including but not limited to: locating information about privacy rights and how to exercise them; user-interface designs that may impair or interfere with consumers’ ability to make privacy choices; verification of identity; using authorized agents; request-submission limits; and modifying privacy choices consumers previously made. If you identify a challenge, explain in detail what is difficult and provide any information about how you think it can be addressed.
Comments:
Improved Education: Consumers should be further educated that they have a legal right to request deletion of all personal information held by a business, and/or opt out of third-party ‘sale’ activities independently of the ‘cookie banner’ or other proactive choice presented to them upon their initial website visit.
Simplification of Privacy Policies: Privacy policies are often lengthy, written by lawyers for lawyers, combine US and UK/European terms, and do not provide easy navigation to privacy choices. Consumers are reluctant to review and/or navigate to privacy choices embedded in lengthy privacy policies. CalPrivacy could propose regulations and/or best practice guides for short-form privacy policies that make privacy choices easier to navigate to. Furthermore, such regulations and/or best practice guides would help businesses understand CalPrivacy’s ideal layout and language for policies, although efforts should be made not to clash or conflict with other US state and UK/European privacy goals.
User Interface Commonality: Privacy choices vary significantly across businesses. Consumers often identify the ‘cookie banner’ as their initial interface for privacy choices, even though it is limited to only one channel of ‘sale or share’ activities. Consent management platforms (CMPs) should evolve from ‘cookie banners’ to enable all privacy choices through the same simple user interface. CalPrivacy could recommend user interface guides for CMPs to implement across privacy choices, including when identity verification is recommended or discouraged.
Operational Consistency: Businesses do not follow a standard ‘playbook’ for responding to consumer privacy rights requests. As a result, consumers are often unaware that their privacy rights requests are being processed, have been processed, or whether the consumer’s information has even been identified for processing. Further, there are variations in response terminology and approaches, including how to deliver personal information in response to right-to-know requests. CalPrivacy could present guides and common ‘playbook’ responses to rights requests, and best practices for communicating and delivering rights requests.
What challenges do businesses experience when they provide consumers with the ability to exercise their privacy rights, and how can the regulations address them? For example, businesses may experience challenges, including but not limited to: presenting information about privacy rights and how to exercise them; designing user interfaces that make it easy for consumers to make privacy choices; verification of identity; and receiving requests from, and interacting with, authorized agents.
Comments:
1. Issue regulations for ‘Authorized Agents’: Businesses that serve as ‘authorized agents’ to request privacy rights on behalf of consumers should be certified and standardized. Currently, there is no impediment for any entrepreneur to create an ‘authorized agent’ business, including through the use of innovative AI agent technologies. As a result, businesses processing authorized agent requests have witnessed a myriad of different formats, approaches, and inaccurate information being presented alongside privacy rights requests. Further, some authorized agents use ‘fear tactics’ related to commercial data use to solicit high monthly or yearly subscription fees that are limited in value after the initial privacy rights requests have been effectuated. CalPrivacy should create regulations that include the following:
Implement a registration and certification process to ensure authorized agents are legitimate businesses.
Implement requirements for authorized agents to verify consumer identity, and a process to communicate that verification to businesses in a standardized way without the need to share sensitive personal information such as government identifiers.
Create mechanisms for businesses to provide CalPrivacy with feedback on authorized agents that submit inaccurate or duplicative requests, or that are unresponsive to business requests to verify or validate requests.
Require authorized agents to follow the prescribed method for privacy rights requests embedded in business privacy policies or CMP user interfaces and require authorized agents to confirm receipt following a business response to their request.
If an authorized agent intends to submit bulk requests to a business, require that the authorized agent provide notice, providing the opportunity for a business to receive bulk transmissions through an application programming interface or other secure transfer mechanism.
Review and scrutinize authorized agent businesses that charge high subscription fees without an ongoing business need to provide ongoing services commensurate with those fees.
Restrict authorized agents from submitting California consumer deletion or opt-out requests to California registered data brokers following the ‘DROP’ mechanism implementation date.
2. Consumers following prescriptive requirements. Consumers commonly do not follow the prescribed method for privacy rights requests embedded in a privacy policy, and may ask to exercise rights that are not provided under CCPA. CalPrivacy should educate consumers that privacy rights requests are distinct from customer support requests, and require consumers to follow the prescribed privacy policy instructions.
3. Enhance guidance for data ‘sellers’ regarding downstream obligations. Many businesses buying and selling data are unaware of the requirement to process opt-out requests received by the data seller following the initial sale and prior to any such automated updates. This may result in additional data uses that conflict with data subject expectations for such use following an opt-out request. CalPrivacy can provide additional examples and simplified guidelines explaining the timelines for such opt-out processing activities.
What are the top three things CalPrivacy should prioritize in reducing friction in the exercise of privacy rights, and why? If you have identified ways to reduce friction, what would the benefits be of reducing friction?
Comments:
Create a California consumer residency mechanism. Alongside the process for California consumers to exercise their privacy rights through the Delete Request and Opt-Out Platform (DROP), consumers should be able to establish their California residency for non-DROP privacy rights requests that a business can verify through CalPrivacy. This mechanism would allow consumers to bypass residency and/or identity verification mechanisms for right-to-know or deletion privacy rights requests. This mechanism would not only reduce friction, but also protect user privacy by avoiding the sharing of identification documentation, such as driver’s license information, that is commonly used to verify privacy rights requests.
Create best practice guides and/or examples of privacy rights user interfaces that reduce friction. CMPs have not sufficiently innovated their technologies to address cross-channel privacy rights requests, which CalPrivacy and the AG have identified in numerous enforcement actions. While these enforcement actions are helpful for businesses, they are not prescriptive in what the optimal privacy rights user experience should be for CMPs or businesses to implement. There are no ‘benchmarks’ for businesses to follow in establishing privacy rights requests, user interfaces, and operations to respond to such requests.
Provide additional consumer education on rights and their limits. Consumers are unaware of the time frame for businesses to respond, or of the rights businesses have to retain information for necessary legal or other exempt purposes. Businesses should be able to process privacy rights without receiving additional correspondence from consumers questioning the process, or requests for confirmation before the compliance deadline.
Do the current regulations sufficiently address the challenges consumers experience when they exercise their privacy rights? If not, how should CalPrivacy revise its regulations to sufficiently address those challenges?
Comments:
Simplify business operations guidance. CalPrivacy can issue simplified guidance on when businesses should verify an individual’s identity in order to process privacy rights requests, and when authentication is acceptable prior to enabling ‘do not sell’ opt-out requests. Additional guidance on communications timing and response content expectations would also be helpful.
Clarify deletion completion and exemptions. Businesses should have more clarity on when they can inform consumers that certain information may be retained for backup or archival purposes, including how to describe vendors retaining such information in accordance with automated deletion periods.
Do the current regulations sufficiently address the challenges businesses experience when they provide consumers with the ability to exercise their privacy rights? If not, how should CalPrivacy revise its regulations to address those challenges? For example, if lack of standardization or uniformity in how businesses handle consumers’ privacy-rights requests is a challenge, how should CalPrivacy address that?
Comment: As noted above, CalPrivacy should create regulations on authorized agents’ submission of privacy rights requests. This ultimately would help the consumers because these authorized agents would improve their effectiveness and provide more value for their services.
What else should CalPrivacy consider to reduce friction in consumers’ exercise of their privacy rights?
Comment: As noted, a centralized system for CA consumer residency verification would dramatically reduce friction with businesses who verify individuals.
Opt-out Preference
Describe your experience using an opt-out preference signal or age-signal mechanism.
Comment: Each opt-out preference signal (OOPS) provider has a different approach to educating, onboarding, and verifying California or other state residents prior to enabling OOPS. This process does not clarify that OOPS is applicable to ‘sales or shares’, but not to other data subject rights such as deletion, or to other opt-out choices that may be presented through a cookie banner, such as analytics. In addition, cookie banners do not always indicate that an OOPS has been processed, especially where a login is required to effectuate an opt-out.
Do you have any suggestions on how to improve the experience?
Comments:
Create a standardized approach to ensuring accuracy or receptivity with businesses processing OOPS, i.e., it is hard to know if it works. CalPrivacy could collaborate with OOPS providers and CMPs to standardize approaches to signal confirmation. Provide guidelines or regulations for website pixel/cookie consent tools to indicate that GPC has been honored, and for GPC tools to adjust settings for authorizing specific websites’ use.
Identify ways in which CMPs and/or businesses can more easily extend OOPS from browser-based signals to other sales activities, such as email-based/alternative ID ad targeting.
What are your expectations when using an opt-out preference signal?
Comment: No targeted advertising cookies are utilized for ads on other websites.
What challenges do businesses face in processing opt-out preference signals, like Global Privacy Control?
Comments:
Businesses rely on CMPs to identify and respond to OOPS and do not always have any record of a response. As a result, there is no persistent correlation between an OOPS request and a record for future application should the consumer be engaged through a non-CMP channel.
Synchronization across consumer touchpoints is nearly impossible, such as integrating a CMP with an email marketing list that may be used for email-based ad targeting. It would require a user to log in (if available) and then apply the GPC, which may conflict with the regulations.
Businesses have no insight into whether the OOPS is from a consumer in a state that requires compliance, like California, or a consumer in a state where it may not be required to be applied, and no ability exists to verify their request.
The current regulations around business rights to present choices to visitors with OOPS to verify their request in conjunction with other incentives or loyalty programs could be clearer. Most CMPs currently do not offer OOPS verification tools to integrate with loyalty/incentive programs.
How are businesses applying the signal to "known" consumers and pseudonymous profiles, and across different browsers, devices, or identifiers?
Comments:
Businesses often rely on a CMP to apply OOPS, which rarely synchronizes with authenticated user logins. As a result, few OOPS visitors are ‘known’, so CMPs apply web-only opt-out rights to these visitors irrespective of their previous customer experience and use of email or other contact info for sales activities.
Some CMPs are synchronized with login or transactional events and can apply both web and mobile browser opt-outs. Few CMPs are cross-browser.
Is there anything that requires additional clarity or guidance in the form of a regulation relating to OOPS?
Comments:
CalPrivacy should require OOPS to provide standard CA residency verification during onboarding.
OOPS providers should enable businesses to test signal adoption with their systems.
CalPrivacy could provide educational guides to both CMPs and businesses on how to apply OOPS in conjunction with authenticated users, transaction events, and other cross-channel or cross-device use cases.
CalPrivacy should enable a safe harbor for businesses that utilize a CMP to process OOPS and endeavor to synchronize with authentication systems or other systems but are unable to accurately sync such disparate systems. As noted, CalPrivacy should encourage CMPs and OOPS systems to synchronize with cross-device and cross-channel mechanisms.