The CCPA Non-Discrimination Right, Explained
The California Consumer Privacy Act (CCPA) provides consumers with a right to non-discrimination when they exercise other privacy rights guaranteed by the law, such as the right to access, delete, or opt out of the sale of their personal information. However, the meaning of “non-discrimination” and the exceptions to this prohibition provided in the CCPA and proposed regulations are among the more confusing aspects of California’s privacy law.
While other privacy laws contain non-discrimination provisions, the CCPA non-discrimination right is notably broader. For example, the CCPA concept of discrimination is not limited to protected or sensitive categories, as is the case with Title VII. Nor is it limited to a specific type of economic activity, as is the case with industry-specific laws such as the Equal Credit Opportunity Act. Instead, CCPA’s non-discrimination right applies to all California consumers exercising any of their other rights under the Act.
This post looks at what the non-discrimination right prohibits (and allows), as well as some of the important questions that the statute and draft regulations leave open. Critical practical issues include being able to (1) distinguish between lawful denials of CCPA rights and impermissible discrimination, and (2) justify the magnitude of financial incentives offered in connection with personal information collection, retention, and sale. With about two months before the CCPA’s July 1 enforcement date, it’s important for businesses to confirm how they are addressing this often overlooked right and square away any final adjustments that may be prudent.
Requirements
Transparency. Businesses must include a statement in their privacy policies informing consumers that they have a right “not to receive discriminatory treatment” for exercising their CCPA rights.
General Rule Against Discrimination. The CCPA (Cal. Civ. Code Section 1798.125) prohibits businesses from “discriminating” against consumers but does not define this central term. Instead, the CCPA provides a non-exclusive list of practices that may qualify as discriminatory, such as:
- Denying goods or services;
- Charging different prices;
- Providing a different quality of goods or services; and
- Suggesting that the consumer may receive a different price or rate.
Distinguishing between a lawful basis to deny a privacy request under the CCPA vs. unlawful discrimination is therefore of critical importance, and the regulations provide some guidance to assist in making this distinction.
Loyalty Club Examples: For example, if a consumer submits a privacy request for the business to delete all of her personal information maintained by the business, but also wants to continue to participate in the business’s loyalty program, the business may deny the request to delete as to the personal information necessary for providing the requested loyalty program and as reasonably anticipated within the context of the business’s ongoing relationship with the individual.
- In this example, the denial is lawful under the CCPA on the basis of at least two of the exemptions to the deletion right. The business requires this information in order to continue providing the consumer’s requested services from the business, and where the business retains the personal information for internal use only that is reasonably anticipated by the consumer, taking into account the context of the business relationship.
- In this example, there is no applicable CCPA exemption to sale opt outs. To continue to offer a financial incentive for the collection and sale of personal information without violating the discrimination provision, the store would need evidence that the value of the benefit to the consumer from the loyalty program is directly related to the value of the consumer’s personal information.
- In this example, as one way to demonstrate the required value, a business may determine that the payment for the premium version offsets the revenue provided by placing ads in the free version.
- This example is similar to the second loyalty program example. The business cannot continue to offer a financial incentive for the collection of personal information from such consumer unless it can support that the data provided reasonably relates to the value being provided to consumers in the discounts offered. A comparison with a sale price versus the non-discounted price commensurate with the value of the data to the business could be useful here, provided the calculation is in line with California advertising law on sale pricing, as well as the AG’s calculation examples, as discussed below.
The CCPA requires businesses to obtain opt-in consent prior to offering a “financial incentive” for the collection, sale, or deletion of personal information. The financial incentive must be “directly related” to the value provided by the consumer’s personal information to the business, and the business must provide a notice that describes a) the incentive and its terms, b) how consumers may opt out, and c) how the incentive relates to the value of consumers’ data.
The draft regulations do not specify what kinds of financial incentives businesses may offer. Changes in the proposed regulations on financial incentives and data valuation issues shed some light on these issues but leave many questions unanswered. A recap of how the different versions of the draft regulations address financial incentives is set forth below.
Calculation Method and Examples. In October, the AG provided illustrative examples and made clear that a business may offer a price or service difference if it is reasonably related to the value of the consumer’s data. The AG also detailed several acceptable methods to calculate the value of that data.
- Significance: Offers to California residents aligned with these examples provide greater confidence of non-discrimination compliance.
- Significance: Requires businesses to calculate a good-faith estimate of the value of consumer data before offering a financial incentive. Clarifies that compliance with the CCPA or federal law is not discrimination.
- Significance: Expands the financial incentive notice requirement beyond the right to non-discrimination; if a business offers a financial incentive related to the collection, retention, or sale of consumers’ personal information, it must provide notice about the incentive. This information may be contained in the Privacy Policy, but a link to this information should be provided at the point where the consumer opts into the offered incentive (g., in a loyalty program sign-up form). These draft regulations also provide an alternative method of calculating the value of consumer data, and clarify that compliance with state laws is not discrimination.