The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information. However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.
While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader. For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII. Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act. Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.
This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open. Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale. With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.
Transparency. Businesses must include a statement in their privacy policies informing consumers that they have a right “not to receive discriminatory treatment” for exercising their CCPA rights.
General Rule Against Discrimination. The CCPA (Cal. Civ. Code Section 1798.125) prohibits businesses from “discriminating” against consumers but does not define this central term. Instead, the CCPA provides a non-exclusive list of practices that may qualify as discriminatory, such as:
- Denying goods or services;
- Charging different prices;
- Providing a different quality of goods or services; and
- Suggesting that the consumer may receive a different price or rate.
Importantly, the proposed regulations also provide that a “business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or these regulations shall not be considered discriminatory.”
Distinguishing between a lawful basis to deny a privacy request under the CCPA vs. unlawful discrimination is therefore of critical importance, and the regulations provide some guidance to assist in making this distinction.
Loyalty Club Examples: For example, if a consumer submits a privacy request for the business to delete all of her personal information maintained by the business, but also wants to continue to participate in the business’s loyalty program, the business may deny the request to delete as to the personal information necessary for providing the requested loyalty program and as reasonably anticipated within the context of the business’s ongoing relationship with the individual.
- In this example, the denial is lawful under the CCPA on the basis of at least two of the exemptions to the deletion right: the business requires this information in order to continue providing the services the consumer requested, and the business retains the personal information solely for internal uses that are reasonably anticipated by the consumer, taking into account the context of the business relationship.
In contrast, if a store offers a loyalty program whereby consumers receive coupons and special discounts when they provide their phone numbers, and a consumer submits a request to opt out of the sale of her personal information, the store cannot exclude the consumer from the loyalty program unless it can demonstrate that the value of the coupons and special discounts is reasonably related to the value of the consumer’s data to the business.
- In this example, there is no applicable CCPA exemption to sale opt outs. To continue to offer a financial incentive for the collection and sale of personal information without violating the discrimination provision, the store would need evidence that the value of the benefit to the consumer from the loyalty program is directly related to the value of the consumer’s personal information.
Free vs. Premium Examples: For example, if a business offers both a free service and a premium service that costs $5 per month, and allows only the premium-service consumers to opt out of the sale of their personal information, the practice is discriminatory under the CCPA unless the premium payment is reasonably related to the value of the consumer’s data to the business.
- In this example, as one way to demonstrate the required value, a business may determine that the payment for the premium version offsets the revenue provided by placing ads in the free version.
If a retailer collects personal information and offers discount coupons to consumers on its website, the retailer cannot stop providing the website coupons if a consumer submits a request to delete their personal information unless the value of the coupons is reasonably related to the value provided to the business by the consumer’s data. (See Section 999.307 of the draft regulations.)
- This example is similar to the second loyalty program example. The business cannot continue to offer a financial incentive for the collection of personal information from such consumer unless it can support that the data provided reasonably relates to the value being provided to consumers in the discounts offered. A comparison of a sale price versus the non-discounted price commensurate with the value of the data to the business could be useful here, provided the calculation is in line with California advertising law on sale pricing, as well as the AG’s calculation examples, as discussed below.
Financial Incentives and the Value of Personal Information
The CCPA requires businesses to obtain opt-in consent prior to offering a “financial incentive” for the collection, sale, or deletion of personal information. The financial incentive must be “directly related” to the value provided by the consumer’s personal information to the business, and the business must provide a notice that describes a) the incentive and its terms, b) how consumers may opt out, and c) how the incentive relates to the value of consumers’ data.
The draft regulations do not specify what kinds of financial incentives businesses may offer. Changes in the proposed regulations on financial incentives and data valuation issues shed some light on these issues but leave many questions unanswered. A recap of how the different versions of the draft regulations address financial incentives is set forth below.
Calculation Method and Examples. In October, the AG provided illustrative examples and made clear that a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data. The AG also detailed several acceptable methods to calculate the value of that data.
- Significance: Offers to California residents aligned with these examples provide greater confidence of non-discrimination compliance.
Calculation Requirement and Clarified Exceptions. In February, the AG clarified that if a business is unable to calculate a good-faith estimate of the value of the consumer’s data or cannot show that the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, that business shall not offer the financial incentive or price or service difference. The AG also clarified that denials of consumer requests to exercise CCPA rights for reasons permitted under the CCPA (e.g., a lawful denial of a deletion request in accordance with relevant exceptions) will not be considered a discriminatory practice, and price or service differentials that are the direct result of a business’s compliance with federal law will not be considered discriminatory. The draft regulations included the revised examples summarized earlier in this post. These changes remain in the current proposed regulations.
- Significance: Requires businesses to calculate a good-faith estimate of the value of consumer data before offering a financial incentive. Clarifies that compliance with the CCPA or federal law is not discrimination.
Revised Definitions. In March, the AG changed the definitions of “financial incentive” and “price or service difference” to specifically relate to the “collection, retention, or sale of personal information,” and specifically excluded the words “disclosure” and “deletion.” In addition, the AG’s most recent draft regulations clarified that compliance with federal or state laws is nondiscriminatory. To calculate the value of consumer data, a business may consider the value of the data of all natural persons in the U.S. and not just California residents.