This is the eighth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
In the digital age, data is everything. “Big Data” feeds countless business processes and offerings. Businesses rely on data to enhance revenue and drive efficiency, whether by better understanding the needs of existing customers, reaching new ones in previously unimagined ways, or obtaining valuable insights to guide a wide array of decisions. Data also drives developments in artificial intelligence, automation, and the Internet of Things.
Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. The breadth of personal information covered by the CCPA, going beyond what is typically covered by U.S. privacy laws, will complicate compliance and business operations.
This entry in Hogan Lovells’ ongoing series on the CCPA will focus on implications for data-driven businesses–the rapidly increasing number of businesses that rely heavily on consumer data, whether for marketing, gaining marketplace insights, internal research, or use as a core commodity.
1. The CCPA will apply to data-driven businesses of all sizes
Companies, especially those outside of California, may wonder whether they are subject to the CCPA. As discussed in a previous blog post, the statute applies to for-profit entities that (1) have greater than $25 million in gross annual revenues; (2) annually handle personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information. These criteria will result in a wide swath of businesses being subject to the CCPA. For example, a website might only need 137 unique visitors from California per day to reach the threshold of 50,000 consumers. That website’s collection of data through cookies may be captured by the CCPA’s broad definition of personal information. And given the third criterion focused on revenue percentage, even very small businesses that regularly exchange data, for example in the online ecosystem, might be captured if their activities are deemed to be a “sale” under the CCPA.
2. The definition of personal information is broad, and the exemptions for de-identified and aggregate information are unclear
Whether the extensive CCPA requirements will apply to various types of information that a business holds hinges on the statute’s definition of “personal information.” The CCPA’s definition covers an array of data even when it is not tied to actual identifying information. For example, personal information also encompasses data that “relates to … is capable of being associated with or could reasonably be linked directly or indirectly, with a particular consumer or household.” The data does not have to identify a consumer or household; merely relating to a particular consumer or household is sufficient.
Given that the information need not actually identify an individual consumer or household, a business’ handling of any number of data elements can trigger CCPA obligations. These data elements include, among others, geolocation information, biometric information, IP address, and other online identifiers; browsing history; search history; information about how consumers’ interact with websites, applications, or advertisements; and inferences drawn from these or other types of personal information that may be used to create a profile about a consumer. Using the online advertising ecosystem as an example, the CCPA approach therefore sweeps in much of the information relied on by, and disclosed among, online ad agencies, website publishers, ad exchanges, ad networks, ad buying and selling platforms, and other data businesses in the online ecosystem.
The statute does exempt from its restrictions the handling of data that is “deidentified or in the aggregate.” These exemptions have led some commentators to suggest that the impacts for certain data-driven businesses in the online advertising ecosystem may not be that significant. However, what counts as “de-identified” or “aggregate consumer information” under the CCPA may conflict with common understandings of those terms in the United States.
Under the CCPA, information is only de-identified if it “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.” In addition, the business using it must adopt technical and procedural safeguards to prevent its re-identification, have business processes to prohibit re-identification, and it must not make any attempt to re-identify it. Businesses may today view information as “de-identified” even when information relates to a specific-but-unidentified individual. But the CCPA appears to upend this approach, though it is not clear how the California Attorney General, when enforcing the law, will interpret reasonable de-identification. An expansive reading of the CCPA approach to de-identification suggests that even if it would take sharing of information with a third party to actually identify an individual (based on other information the third party possesses), because the information was “capable of being associated with” a particular consumer, it would be personal information even before it was shared with the third party.
The definition of “aggregate consumer information” is similarly unclear. Under the CCPA, aggregate consumer information is “information that relates to a group or category of consumers . . . that is not linked or reasonably linkable to any consumer or household, including via a device.” As with de-identified data, businesses may currently share aggregated information that, through statistical techniques or in combination with other data sets, could enable some de-coupling of information or linking to an individual. Under the current definition, there is no clear threshold for when such information is “reasonably linkable” to a consumer, household, or device.
Given the lack of clarity surrounding these exemptions and the exceptionally broad definition of personal information, the CCPA has the potential to affect a wide range of common business practices, such as those involving the sharing of information that is sometimes currently understood to be de-identified or aggregate information.
3. The CCPA’s new notice requirements may be challenging
Many data-driven businesses collect, combine, and analyze consumer data from multiple sources to gather insights into consumer preferences and behavior. Under the CCPA, these activities also raise new notice obligations. Businesses subject to the CCPA must notify consumers, at or before the point of collection, “of the categories of personal information collected and the purposes for which that information will be used.” The CCPA defines “collection” broadly to include buying, renting, gathering, obtaining, receiving, or accessing information.
While businesses maintaining first-party relationships with consumers may be able to develop a consumer-friendly and convenient mechanism for informing consumers at or before data collection, non-consumer-facing third parties may find complying with notice requirements to be challenging. For example, in the online advertising context, ad networks, exchanges, and other actors in the online ecosystem may find it practically challenging to satisfy this obligation given the lack of direct interaction with consumers. However, the CCPA does not define how consumers must be “informed.” Some might argue that even a non-consumer-facing business could satisfy such requirements by posting requisite disclosures on its own website. Alternatively, entities in the online ecosystem, potentially through industry groups or industry-wide initiatives, may develop mechanisms, contractual or otherwise, to ensure that publishers make appropriate disclosures covering these other entities’ activities.
4. The right to opt-out of “sales” of personal information and restrictions on resale may disrupt data-driven business models
Under the CCPA, consumers may opt-out of sales of their personal information to third parties. The CCPA defines “sale” broadly to include not just the disclosure of personal information, but also merely “making [it] available, to another business or third party for monetary or other valuable consideration.” Again, in the online context, a website publisher may make information collected by its website (through cookies or otherwise) available to third party data exchanges or ad networks that use the information to facilitate the placement of ads for the publisher on third party sites or for third parties on the publisher’s site, or the third parties may use information they obtain to further supplement their own data or profiles. The services performed by the third parties for the publisher, based on the receipt of information, may be viewed as the sale of personal information. It may even be that the entity initially possessing the information is not actively disclosing it, but merely making it available to the other entity. There are many other situations where a data broker or other third party may be obtaining “personal information” (as broadly defined) for its own uses in exchange for a service. Under the CCPA, these scenarios may still require businesses to offer consumers the opportunity to opt-out of the data “sale.”
The CCPA also prohibits businesses from engaging in the resale of personal information—i.e., selling data that was sold to it (as opposed to selling data the business collected directly from a consumer)—absent providing consumers explicit notice and an opportunity to exercise the right to opt out of the resale. This provision may raise challenges for businesses such as data brokers whose business models center around selling the data they collect from various sources other than consumers. It will also impact the advertising middlemen that facilitate delivery of targeted ads for multiple companies based on information collected on individual publisher sites, who help companies link a consumer’s offline behavior (e.g., shopping at brick and mortar stores) with online behavior, or who help companies track a consumer across devices. Many commentators have noted that the right to opt out may severely hinder the operations of data brokers and other ad tech middlemen, while favoring “walled gardens”—closed or relatively closed ecosystems that collect and use information of their own users, and who enable advertising without allowing third parties to access their users’ information. Similar to the first party notice requirements mentioned above, the CCPA’s obligation to provide explicit notice prior to reselling data may be problematic for data-driven businesses lacking a first-party relationship with consumers.
Notably, there is an exception to a sale that may be helpful for certain data sharing arrangements. Under the CCPA, a sharing arrangement is not a sale where a business shares personal information with a “service provider” as necessary to perform a “business purpose” as long as it has provided notice of the sharing and has a contract with the service provider to prevent its use of the information for any reason other than performing the business purpose. The CCPA defines business purposes as “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.”
This sale exception for business purposes also requires that the use of personal information “be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed.” The personal information can also be used for another operational purpose if that purpose is “compatible with the context under which the information was collected.” The CCPA provides examples that include auditing; detecting security incidents; short term transient use if not disclosed to a third party or used for profiling; performing services on behalf of the business, which can include advertising and marketing services; internal research; and quality control. It will be important for businesses to understand the scope of this exception, which may enable various forms of sharing for a number of different purposes without triggering the “sale” opt-out.
To effectuate opt-out rights, companies may need to implement technical measures to respect consumer preferences. They may also need to renegotiate existing data sharing agreements to accommodate the right to opt-out where appropriate.
5. Other consumer rights such as the right to access, portability, deletion, opt-in rights for minors, and anti-discrimination may be especially burdensome for data-driven businesses
The CCPA provides consumers with the right to access their personal information held by a business; the right to receive that information in an easily-transferable format, if provided electronically; the right to request deletion of any personal information (subject to several important exceptions); the right for minors to have opt-in consent for sale of personal information; and the right not to be discriminated against for exercising CCPA rights. While challenging for all businesses, complying with these rights may be uniquely burdensome on data-driven businesses based on the potential volume of data held, the value of that data to the business (with associated risks to allowing consumers to transfer and delete that data), and, in some cases, the lack of a first-party relationship with consumers, which can make it challenging to afford consumers these rights.
Right to Access: Consumers have the right to request businesses “disclose to that consumer the categories and specific pieces of personal information the business has collected.” This right, which consumers may exercise twice per year, obliges businesses to “disclose and deliver, free of charge to the consumer, the personal information” held. Companies must disclose all of the specific types of personal information the business holds, regardless of its source or where the business holds that information. Given the many different databases and servers frequently involved in operating a data-driven business, capturing all data may be logistically challenging, especially if the data is stripped of directly identifying information. Properly effectuating the right to access will thus require well-designed policies and a thorough understanding of one’s digital storage.
Right to Portability: When responding to a request for access to consumer information, businesses must comply with the portability requirement. Specifically, access requests fulfilled electronically “shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance.” Respecting this right while protecting proprietary information, which for some businesses could include information such as marketing segments, may be challenging.
Right to Deletion: The CCPA also grants consumers the right to “request that a business delete any personal information about the consumer which the business has collected from the consumer.” In general, companies must comply with a verifiable consumer request. However, businesses may refuse deletion requests if the personal information is necessary for any of nine enumerated purposes. Among these exceptions are where information is necessary to comply with a legal obligation, to provide goods or services requested by the consumer, to detect security incidents, to protect against illegal activity, or to exercise free speech. In another particularly broad but ambiguous exception, businesses may refuse a deletion request if the information is necessary to use “internally, in a lawful manner that is compatible with the context in which the consumer provided the information.” It is possible that platforms with first-party relationships may have grounds to refuse a deletion request, even if they use the information for marketing purposes, so long as the use is internal and compatible with the context at the time of collection. Considering the breadth of potential exceptions, data-driven businesses should consider developing policies to assess and respond to deletion requests in a consistent fashion, ensuring consumers’ rights are respected while responsibly protecting their own data to the extent possible.
Affirmative Consent for Selling Personal Information of Minors Under 16: In addition to the general right to opt-out of the sale of personal information, the CCPA also imposes an affirmative consent requirement for the sale of personal information of any minor, if the business has “actual knowledge” the consumer is younger than 16 years. Such affirmative consent must be sought from parents or guardians of consumers under 13 or, for consumers aged 13 to 16, from the consumers themselves. While “actual knowledge” is undefined, the CCPA deems any business that “willfully disregards the consumer’s age” as having actual knowledge. Businesses in a first-party relationship with consumers are better situated to comply with the CCPA’s affirmative consent requirement. For example, they may be able to directly request the consumer’s age or employ technical measures such as an age verification system. But even companies without a first-party relationship are still required to seek affirmative authorization prior to selling information if they have actual knowledge of the consumer’s age, and they cannot willfully disregard indicia of age. Data-driven businesses should assess whether they are likely to engage in any activity that could be construed as “selling” personal information about consumers younger than 16 years, and if so, consider establishing protocols and procedures to mitigate risks.
Anti-discrimination Provision for Consumers Who Exercise Rights plus Additional Differential Treatment Condition: Under the CCPA, companies may not discriminate against consumers who exercise their rights. The CCPA specifically prohibits denying goods or services, charging different prices, providing a different level or quality of goods or services, or suggesting to the consumer any of the above will happen if they exercise their rights. However, the anti-discrimination provision makes clear that a business may offer different prices or rates or different levels of quality or goods or services “if reasonably related to the value provided to the consumer by the consumer’s data.” Cal. Civ. Code § 1798.125(a). Measuring the value provided to the consumer may prove difficult. A statutory approach that would have made more sense would have tied the value provided to the business by the consumer’s data.
Notably, in what appears to be a case of poor drafting, there is a separate clause that is not part of the anti-discrimination clause, and therefore not tied to a consumer’s exercise of rights that explicitly allows businesses to charge different prices or provide different levels of quality with a similar qualifier to that used in the anti-discrimination provision, i.e., if the differences are “directly related to the value provided to the consumer by the consumer’s data.” Cal. Civ. Code § 1798.125(b).The qualifier is not tied to a prohibition, but it suggests as written, that any differential terms are restricted even in the absence of a consumer exercising a right if the differences are not tied to the value provided to the consumer for use of the consumer’s data. This subsection also specifies that financial incentives for the collection and sale of personal information require notice to consumers or if part of a financial incentive program, opt-in consent. The meaning and intent behind this provision is unclear. A forthcoming blog post will discuss the anti-discrimination provision and this separate but related provision in further detail.
The CCPA will impose substantial compliance obligations on all businesses that handle personal information of California consumers. Such obligations may pose particular challenges for the ever increasing array of businesses that leverage consumer data for analytics, profiling, advertising, and other monetization activities, particularly as the compliance requirements are not easily gleaned from the statutory language. Addressing these challenges will require creative, thoughtful approaches and may potentially involve industry-wide coordination to develop and advance practical solutions.
As a first step, data-driven businesses unsure of where they stand should consider assessing their personal information collection and use practices sooner than later. Armed with an understanding of the data they hold, whether it fits the broad definition of personal information, how it is collected, where it is stored and with whom it is shared, businesses can develop proactive strategies to achieve compliance, mitigate risks, and minimize the potential for disruption.