Three Important Nuances of the CCPA - NCC Group | Leading Cyber Security & Managed Services

09 June 2020

The California Consumer Privacy Act (CCPA) became a law about two (2) years ago and went into effect January 1, 2020. Since then, the CCPA has undergone some proposed changes that have recently been finalized. The Office of the California Attorney General submitted the final proposed CCPA Regulations to the California Office of Administrative Law (OAL) for procedural compliance on June 1, 2020. Once approved, these final changes will be filed with the Secretary of State where they will become enforceable by law. The OAL has up to ninety (90) calendar days to review and approve the final changes.

There are several changes that were finalized in this package, but there are three important nuances in the CCPA that we want to discuss. These important, and possibly overlooked items, pertain to the following:

Use of plain, straightforward language
Accessibility for individuals with disabilities
De-Identification

Overview of Required Notices

The CCPA requires every applicable business to provide a privacy policy that must meet certain requirements. Any applicable business that collects personal information must provide a notice of collection that must meet certain requirements. Also, applicable businesses that sell personal information must provide a notice of right to opt-out that must meet certain requirements.

Finally, applicable businesses that offer a financial incentive (or price/service differences for the collection or sale of personal information) must provide a notice of financial incentive that must meet certain requirements.

For our discussion, we are going to assume that you are a covered business and must provide the following to a consumer:

Privacy Policy
Notice of Collection
Notice of Right to Opt-Out
Notice of Financial Incentive

Our discussion will not cover all of the specific requirements for each of these notices, but rather, we’ll discuss at least two (2) important components regarding language and accessibility. The third important component we will discuss is de-identification.

1. Use of Plain, Straightforward Language

Under section 999.305(a)(2), 999.306(a), 999.307(a), and 999.308(a)(2) of the CCPA, the Notice of Collection of Personal Information, the Notice of Right to Opt-Out of Sale of Personal Information, the Notice of Financial Incentive, and the Privacy Policy, respectively, are required to be designed and presented in a way that is “easy to read and understandable”. These notices are supposed to be written using “plain” and “straightforward language” as well as “avoid technical or legal jargon”.

As part of NCC Group’s CCPA Compliance Services, we’ve developed a framework to review your notices based on the Federal Plain Language Guidelines. This framework reviews the following areas:

Write for your audience

As the Federal Plain Language Guidelines state, “the first rule of plain language is: write for your audience.” This means you need to know ‘who’ your consumers are and you need to convey your message by getting their attention. Tell them exactly what they need to know and why it is important to them. Pretend to be a consumer yourself and see if your writing makes sense from this perspective. In some cases, you may have different audiences for the different notifications you are required to provide.

Organization is essential

There is a lot of information that will need to be conveyed to your audience within these notices. For some, this information may be overwhelming. The notices must be well organized to meet your audience’s needs. These notices must start with a purpose and maintain a logical flow. Proper headings and writing short sections should help convey the meanings of these notices.

Properly write your notices

It is important your notices are written properly. As the Federal Plain Language Guidelines state, “words matter”. You may be telling your consumers what to do through your notices so you must use proper verbs. You’ll want to use active voice making it clear on ‘who’ is supposed to do ‘what’ as well as the present tense (or simplest/strongest form) verbs. Avoid converting a verb into a noun (or ‘hidden verb’) and make sure you indicate requirements of your consumer through the word ‘must’ (as opposed to ‘shall’).

The Federal Plain Language Guidelines suggests you ‘write as you talk’, but you’ll also want to make sure you utilize proper grammar and spelling. You’ll want to speak directly to your consumer by utilizing pronouns, but you want to make sure you define ‘who’ you are talking to when using these pronouns. For instance, when you refer to ‘you’ in a notice, you’ll want to define ‘you’ as a ‘consumer’ within the first sentence. You will also want to minimize the use of abbreviations or ensure you spell out abbreviations when introduced for the first time.

Make sure you use short, simple words and omit any unnecessary words. You will want to stay consistent with the use of terms and as the CCPA regulation requires, avoid the use of legal or technical jargon.

When it comes to writing sentences, it is important to keep in mind the order of your words. Keep your sentences short and to the point. Also, keep in mind English’s word order in a sentence: subject – verb – object. Finally, you want to avoid ‘double-negatives’ or ‘exceptions to exceptions’ at all costs. This makes sentences very confusing.

Your notices are going to be made up of several sentences across several paragraphs. You’ll want to utilize topic sentences for each paragraph along with transition words. As well as writing short, concise paragraphs to get your points across.

Finally, you’ll want to use examples and provides lists. If you have a complex idea, the use of tables or illustrations may assist your audience. Highlight major concepts and minimize cross-reference points. This is all to ensure you design your notices to make them easier to read.

Tip: Writing for the Web

Writing for the web is a little different than writing for print versions. If your notices are going to be published to the web, you must consider several elements, but here are some examples to consider:

How people use the web and writing for these users;

Repurposing material for the web;

If you are considering just re-posting PDF files of printed versions of your notices, you’ll want to consider if your site contains too many PDF documents (and you want to ensure your PDF files are Section 508 compliant as will be discussed later);

Avoid meaningless formal language or filler phrases; and

Write effective links that tell the user where the link takes them if they were to click on it.

Testing

The Federal Plain Language Guidelines suggests testing your documents throughout the writing process. Testing shouldn’t be something you do after the fact. There are a few testing strategies you can perform such as paraphrase testing, usability testing, and more complex controlled comparative studies. Just as we do for software development, plain language writing is an iterative process of writing, testing, revising, re-writing, and re-testing.

NCC Group’s Plain Language Testing Framework

NCC Group has developed a plain language testing framework that will review your notices taking into consideration several different factors. The framework attempts to answer certain questions to better understand how these notices come across to your targeted audience. Once the review is completed, NCC Group will provide specific recommendations to assist your organization in meeting the plain language requirements of the CCPA.

2. Accessibility for Individuals with Disabilities

This is consistent with a letter from the Department of Justice (DOJ) dated September 25, 2018 that states:

“The Department [of Justice] first articulated its interpretation that the ADA [American with Disability Act of 1990] applies to public accommodations’ websites over 20 years ago. This interpretation is consistent with the ADA’s title III requirement that the goods, services, privileges, or activities provided by places of public accommodation be equally accessible to people with disabilities.”

Although there are no formal regulations and the DOJ has not approved any standard, the letter goes on to say, “the Department [of Justice] has consistently taken the position that the absence of a specific regulation does not serve as a basis for noncompliance with a statute’s requirements.” Failure to comply with the ADA could subject organizations to a civil rights lawsuit that prohibits discrimination based on disability.

By reference, the CCPA requires notices provided online to follow generally recognized industry standards such as the Web Content Accessibility Guidelines (WCAG), version 2.1 of June 5, 2018, from the World Wide Web Consortium.

Section 508 of the Rehabilitation Act of 1973 defines “scoping and technical requirements for information and communication technology (ICT) to ensure accessibility and usability by individuals with disability”.

Any Federal agency subject to Section 508 must comply with these standards. The ICT Testing Baseline describes the conformance evaluation to the Section 508 standards that are aligned with the WCAG 2.0 Level A and AA Success Criteria.

NCC Group’s Certified DHS Section 508 Trusted Testers

NCC Group maintains Department of Homeland Security (DHS) Section 508 Trusted Tester Certified assessors that can evaluate your notices and websites to ensure conformance with the WCAG Success Criteria. The Trusted Tester Process provides manual testing procedures that align with the ICT Testing Baseline.

This process provides repeatable and reliable conformance test results as well as a review by an independent, certified third party that validates testing for Section 508 conformance. The Trusted Tester process includes roughly sixty-six (66) specific tests mapped to the twenty-five (25) ICT Testing Baseline tests. These tests include the WCAG Accessibility Principles and Tests that cover perceivable, operable, understandable, and robustness.

NCC Group will perform testing to validate Section 508 Conformance as supported, partially supported, does not support, requirement is not applicable, or requirement is not evaluated. NCC Group will provide specific remediation details for identified non-conformance issues. The provided report will include a ‘sign-off’ from a Certified DHS Section 508 Trusted Tester to validate the organization’s compliance with the WCAG as required by the CCPA regulations. This report can be used to demonstrate compliance and defend against lawsuits.

3. De-identification

Under section 999.313(d)(2) of the CCPA, when a consumer requests to delete their personal information, the business may permanently and completely erase, de-identify, or aggregate the information. In addition, under section 999.323(f) of the CCPA, a business that maintains consumer information that is de-identified is not obligated to provide or delete information in response to a consumer request. The business is also not obligated to re-identify individual data to verify this consumer request. De-identifying information could relieve a business of a lot of effort, obligations, and/or liability under the CCPA.

So you might say, “Great – let’s de-identify any personal information we come in contact with”, but there are some specific requirements we need to consider as defined for de-identification. Under section 1798.140(h) of the CCPA, de-identified:

“means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses de-identified information:

Has implemented technical safeguards that prohibit re-identification of the consumer to whom the information may pertain.
Has implemented business processes that specifically prohibit re-identification of the information.
Has implemented business processes to prevent inadvertent release of de-identified information.
Makes no attempt to re-identify the information.”

Due to the large amount of information publicly available on the Internet, it may be very difficult to ensure a reasonable level of de-identification as in the case of linking or indirectly identifying an individual. If you are not experienced in data analytics and statistics to make this expert determination, you may not be able to provide the reasonable assurance that your data sets can’t be re-identified.

We recommend obtaining an expert to determine the identifiability of your data set and whether the CCPA applies. In general, the CCPA excludes from its application collection, sharing or processing of “aggregate consumer information” and “de-identified data”. We also recommend getting in touch with our strategic partners at Privacy Analytics. They have the expertise to assist you in ensuring that you’ve taken reasonable steps in properly de-identifying your data. When you’ve completed this analysis, NCC Group recommends contacting us to ensure you’ve implemented appropriate technical safeguards, implemented business processes to prohibit re-identification and prevent inadvertent release, and you have the appropriate policies/procedures in place to restrict attempts to re-identifying your information.

Where Can I Get More Information on Assistance with the CCPA Regulations?

NCC Group maintains privacy experts on staff to assist you with your CCPA needs. Along with the services mentioned above, NCC Group also offers data mapping, data inventory, CCPA health-checks (gap reviews), CCPA specific privacy policy/procedure development, and other privacy related advisory services as well as privacy certification services such as APEC CBPR/PRP.

You can learn more about the specifics of these service offerings by connecting with one of our CCPA experts.