The CCPA: California Consumer Privacy Act provides California consumers with a number of rights pertaining to their personally identifiable information (PII). These rights allow consumers to request disclosures pertaining to what PII a business has collected, request the deletion of the collected PII, and opt-out of the sale of their PII to third parties.
Should a consumer attempt to exercise any of these rights under the CCPA, businesses have several courses of action at their disposal. If, for example, a consumer requests the deletion of their collected PII at the onset of interaction with the business, the business may be tempted to deter such action by making it clear to the consumer that the collection of the PII is essential to delivering the best quality good or service. If the consumer nevertheless requests the deletion, the business could be tempted to offset the value lost from the deleted PII by downgrading the quality of the goods or services provided to the consumer. However, businesses should be aware of the fact that such actions may be in violation with the CCPA.
Section 1798.125 of the CCPA is designed to prevent any sort of discrimination on the part of the business in responding to CCPA requests. In an ideal world, this provision would “level the playing field” in ensuring that all consumers, whether they exercise a right under the CCPA or not, receive the same quality of goods and services as any other consumer. However, as will be discussed, Section 1798.125 contains a number of exceptions that arguably cancel out whatever net benefit was sought to be achieved.
This article will discuss the following topics:
- An overview of the right to non-discrimination
- Offering financial incentives to consumers
- An exception to the right to non-discrimination
Overview of the right to non-discrimination:
Should a consumer exercise any of the rights provided by the CCPA, the business must refrain from the following activities:
- Denying goods or services to the consumer
- Charging different prices for goods or services
- Providing a different quality of the good or service
- Relaying to the consumer that they will receive a different price or quality of the good or service
The business must incorporate a description of the consumer’s right to non-discrimination within the business’s online Privacy Policy. This description must also be incorporated into any California-specific description of the consumer’s rights under the CCPA. Moreover, businesses must ensure that each individual responsible either for handling consumer requests under the CCPA or compliance under the law are fully informed of the consumer’s rights under Section 1798.125.
The right to non-discrimination and financial incentives:
Under Section 1798.125, businesses are also permitted to offer consumers “financial incentives” as compensation for permitting the business to collect, sell, or delete their PII. Businesses also have the option of offering a different price, rate, level, or quality of goods or services so long as that price or difference is directly related to the value of the consumer’s PII.
A consumer must provide opt-in consent to be entered into the business’s financial incentive program. Moreover, the terms and conditions of the financial incentive program must be clearly conveyed to the consumer. Should the consumer want to cease participating in the financial incentive program, membership may be revoked at any time. Finally, when implementing the financial incentive program, businesses are obligated to ensure that any practices associated with the program are not coercive, unreasonable, or unjust.
Exception to the non-discrimination right under the CCPA:
Under certain circumstances, businesses are not obligated to honor the right to non-discrimination under the CCPA. If the value of the consumer’s data is reasonably related to the difference in price or the quality of the good or service provided, the business is entitled to provide a different price or quality to consumers who have exercised their CCPA rights.
This exception poses a number of questions. First, how does one calculate the value of their data? Do these calculations depend on the level of sensitivity of the PII? Does data of one individual, absent the aggregation with other data, amount to any meaningful monetary value?
Ultimately, calculations of value will depend on context and may be determined on a case-by-case basis. PII for one transaction and its value may not equate to similar value in other transactions. To illustrate, if a business asks a consumer for an email address to create an online account, the value of this data may be substantially less than using that email address to facilitate a marketing campaign.
Although not yet finalized, the California Attorney General’s office recently released updated CCPA regulations, which include guidance on calculating the value of data. According to the regulations, businesses should consider the following when calculating the value of data:
- The marginal value of the sale, collection, or deletion of the data
- The average value to the business of the sale, collection, or deletion of a consumer’s data
- The aggregate value to the business of the sale, collection, or deletion, of the data divided by the total number of consumers
- Any revenue or profit from the sale, collection, or retention of the data
- Expenses related to the sale, collection, or retention of the data
- Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference
The next question is, ‘how do you determine if data is reasonably related to the difference in price or quality of a product?’
Referring back to the email illustration, the business may require a consumer’s email in order to send notice of product updates. Arguably, the consumer’s email in this context may be reasonably related to the quality of the product offered. Again, this issue may be assessed on a case-by-case basis. In cases such as the collection of geolocation data, IP addresses, and cookie information, it may be less clear how the PII reasonably relates to a business’s product offerings.
As the CCPA enforcement period began in July, it can be expected that some clarity will emerge with respect to interpreting the value of data, identifying when the data is reasonably related to a product and service, and when businesses may permissibly offer varying prices and services to consumers. In the meantime, businesses should start by notifying consumers of the right to non-discrimination within their Privacy Policies, including all of the protections provided to consumers under the law. Termageddon’s Privacy Policy Generator helps to ensure businesses have CCPA ready and up-to-date Privacy Policies on their websites.