Typically, businesses are not required to delete information maintained as part of a loyalty program in response to a right to be forgotten request. Some businesses, however, may consider voluntarily agreeing to a right to be forgotten request in order to confer upon consumers greater control over their data.
Based upon the current drafting of the CCPA, voluntarily agreeing to a right to be forgotten request may raise unintended complexities. Specifically, the CCPA states that a business “shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights” under the Act.1 Among other things, the CCPA provides the following examples of discrimination under the statute:
- Denying “goods or services” because the consumer exercised a deletion right;2
- Charging “different prices or rates for goods or services” because the consumer exercised a deletion right;3
- Charging different rates “through the use of discounts or other benefits” because the consumer exercised a deletion right;4 or
- Providing “a different level or quality of goods or services” because a consumer exercised a deletion right.5
In the context of a loyalty program, a potential conflict arises if an individual requests to be forgotten. If the business voluntarily honors such a request, the consumer’s participation in the loyalty program would presumably need to be terminated as the business would no longer have data about the consumer needed to track purchases and provide loyalty-related benefits. For loyalty programs that provide free products or services, termination could lead a consumer to argue that they were either “den[ied] goods or services” or “charg[ed] different prices or rates . . . through the use of discounts or other benefits.”6 While some businesses might attempt to mitigate inadvertent harm by warning consumers that an inevitable consequence of a deletion request would be the loss of value, or the loss of benefits, associated with the loyalty program, the CCPA specifically prohibits a business from “[s]uggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services” if the consumer were to exercise one of their rights.7 That prohibition seemingly puts a business between a rock and a hard place. If the business honors the consumer’s request, it may be accused of unlawful discrimination by denying the benefits of the loyalty program as a result of the exercise of the consumer’s rights. If the business warns the consumer of the inevitable consequence of a deletion request, it could be accused of violating the CCPA by suggesting that the exercise of a right will lead to the loss of a benefit.
To the extent that the California Attorney General argues that the act of exercising a deletion request leads to a form of “discrimination,” the CCPA provides an affirmative defense that may be available to some loyalty programs. The CCPA states that, notwithstanding the anti-discrimination prohibition within the Act, a business may charge a different price or rate, or provide a different level of quality or service, if that “difference is reasonably related to the value provided to the business by the consumer’s data.”8 The CCPA does not, however, set forth a standard by which courts should judge whether the difference in price or quality is “reasonably related.” Nor does the CCPA set forth a methodology for how a business should calculate the value provided to it by the consumer’s data.
The net result is that there remains a great deal of uncertainty concerning the practical ability of a business to rely upon the “business value” exception. Specifically, it remains to be seen whether courts will (1) assign the burden to a plaintiff to prove the value of data to a business, or assign the burden to a business to prove the value to the business of the data, (2) perceive the question of whether two values are “reasonably related” to be a question of fact suitable for juries, and/or (3) establish a consistent methodology for calculating the value of data to a business.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.