On October 10, 2019, California Attorney General Xavier Becerra announced a long-awaited notice of proposed rulemaking and draft regulations for the California Consumer Privacy Act (CCPA), California’s new consumer privacy law, which we have analyzed here, here, and here.
In previous parts of our multi-part series regarding the draft CCPA regulations, we focused on businesses’ notice obligations, handling consumer requests, and the standards for verifying consumers’ identities.
In the final part of our multi-part series, we discuss how the Attorney General’s proposed regulations affect “service providers” under the CCPA, including how the regulations clarify somewhat ambiguous provisions of the statute. Additionally, we discuss the obligations the proposed regulations impose on businesses that wish to offer financial or service incentives in exchange for the ability to collect and sell consumers’ personal information.
The CCPA, signed into law in 2018 and taking effect on January 1, 2020, grants consumers new rights with respect to the collection and use of their personal information. CCPA requires the California Attorney General to provide implementing regulations on key areas of the law, and also grants the AG’s office authority to “adopt additional regulations as necessary to further the purposes of [CCPA].” Cal. Civ. Code § 1798.185(b).
The proposed regulations provide guidance in a number of key areas. Violations of the regulations will be treated the same as violations of the Act itself, with the same penalties.
Before final regulations are approved, interested parties have until December 6, 2019 to submit written comments, or participate in town hall meetings hosted by the Attorney General’s Office in Sacramento, San Francisco, Los Angeles, and Fresno.
Representatives of the Attorney General’s office have indicated that July 1, 2020 is the anticipated date for CCPA enforcement to begin, but reiterated that the law takes effect on January 1, 2020.
Article 3: Changes for Service Providers:
The role of a “service provider”—defined as a for-profit entity that processes personal information on behalf of a business pursuant to a written agreement—is a critical one under the CCPA, because transfers of personal information from businesses to service providers are not “sales” and thus are not subject to the right to “opt-out.” Cal. Civ. Code § 1798.140 (t)(2), (v).
The proposed regulations clarify some areas of substantial uncertainty under the CCPA for entities acting as “service providers.” Critically:
- Entities acting as a “service provider” for a person or organization that does not qualify as a “business” are deemed service providers for the purposes of the CCPA. Proposed Regulations § 999.314(a).
This is a key clarification for entities working as vendors for government or non-profit organizations, as such sources by definition cannot qualify as “businesses” under the CCPA. Looking to the statutory text alone, a “service provider” can only receive personal information from a business, which potentially left those providing services to “non-business” entities with uncertainty as to their potential obligations.
- Service providers may collect information directly from a consumer on a business’s behalf, so long as they otherwise meet the definition of a service provider. Proposed Regulations § 999.314(b).
This clarification is important for some types of service providers, who may be engaged by businesses to collect information that they otherwise have no interest in.
- Service providers cannot use information collected in the context of one relationship to provide services to another person or entity. Personal information may only be combined to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity. Proposed Regulations § 999.314(c).
This restriction is a critical clarification for service providers relying on machine learning or similar technologies to improve their own services by using their clients’ data. Depending on how this restriction is interpreted (and whether it remains in the final text of the regulations) it may have serious consequences for businesses that rely on multiple entities’ datasets as an input in the analytics used to provide their own services or products.
- Service providers that receive requests to know or requests to delete from consumers must, if they do not comply with the request, explain the denial to the consumer and direct the consumer directly to the business on whose behalf the service provider is operating, and provide the consumer with the business’ contact information. Proposed Regulations § 999.314(d).
- Service providers that are also businesses shall comply with the CCPA with regard to any personal information collected, maintained, or sold outside of their role as a service provider. Proposed Regulations § 999.314(e).
For large service providers, these clarifications are some of the most important. Many large vendors operating in California qualify as “businesses” simply by virtue of meeting the annual revenue threshold of $25M. The statute did not make clear what responsibilities an organization has to consumers if it qualifies as a business independent of its “service provider” relationships. With these provisions, large service providers now know that they must directly address CCPA rights in the context of information they process as “businesses” but not for information that they process within the service provider role.
Article 5: Financial Incentives in Exchange for Data:
The draft regulations provide additional guidance on an area of substantial ambiguity. The CCPA states that a business may not discriminate against a consumer because the consumer has exercised any CCPA rights by “denying goods or services” to the consumer or “charging different prices or rates … including through the use of discounts or other benefits or imposing penalties” or “suggesting that a consumer will receive a different price or rate for goods or services or a different level of quality.” Cal. Civ. Code § 1798.125. However, the same section also states that “[n]othing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the business by the consumer’s data.” Cal. Civ. Code § 1798.125(a)(2). Furthermore, the CCPA states that businesses may offer financial incentives, including payments, for the collection, sale, or deletion of personal information. Cal. Civ. Code § 1798.125(b).
Faced with these restrictions, determining which programs are permissible is critical for businesses operating free and paid versions of the same service, or those that wish to make use of personal information gathered from customers who participate in free loyalty or rewards programs.
The proposed regulations clarify that the key determination of whether an action qualifies as impermissibly discriminatory is whether there is “reasonable relation” of a consumer’s personal information to the business. Proposed Regulations § 999.336. Critically, if a business is offering a financial incentive or difference in service or goods in connection with the collection or sale of a consumer’s data, it must provide notice of that program’s material terms, how to opt-in, how to opt-out, and an explanation of how the business determined that the program was permissible (e.g., how the consumer’s information provides value to the business). Proposed Regulations § 999.307. The regulations give a number of examples of how a business can “calculate the value of the consumer’s data,” including “any … practical and reliable method of calculation used in good faith.” Proposed Regulations § 999.337(b)(8). For businesses that wish to offer a financial or service benefit in exchange for consumer data, the most important element is that the business document its valuation of the consumer’s data and include it in the required “Notice of Financial Incentive.”