Wrapping up our multi-part series on the recent revisions to the CCPA draft regulations issued earlier this month by the California Attorney General’s office, we look at Article 6 pertaining to non-discrimination and financial incentives.
Section 1798.125 of the CCPA prohibits businesses from “discriminating” against consumers because the consumers choose to exercise their rights under one of the CCPA’s provisions, including by denying goods or services, charging different prices or a different quality of goods or services, or even suggesting that the consumer may receive a different price or rate. On the other hand, if a “financial incentive” for the collection, sale, or deletion of personal information is “directly related” to the value provided to the business by the consumer’s personal information, the practice is not discriminatory under the CCPA. This provision has been quite controversial and has raised many questions for businesses with loyalty programs and discounts available to those who may provide personal data. In the Initial Statement of Reasons issued with the first set of proposed regulations, the Attorney General acknowledged that this section caused “a significant amount of confusion and misunderstanding.”
Key Elements of Article 6 (pages 30-32)
The revised regulations clarify that businesses are required to calculate a good-faith estimate of the value of the consumer’s data, or otherwise show that the financial incentive or price or service differential is reasonably related to the value of the consumer’s data before the practice would be permissible under the CCPA. New Section 999.337(b) permits a business to consider the value of the data of all natural persons to the business and not just California residents.
Two new sections add clarifications: 999.336(b) clarifies that any denials of consumer requests to exercise CCPA rights for reasons permitted under the CCPA will not be considered discriminatory practices, and 999.336(g) provides that price or service differentials that are the direct result of a business’s compliance with federal law will not be considered discriminatory.
The revised regulations add three new examples of how a business may or may not offer a financial incentive:
- A clothing business offers a loyalty program that gives customers a $5 coupon (sent to the consumer’s email address) after the consumer spends $100 with the business. The business may deny a request to delete personal information where the consumer indicates that they want to continue to participate in the loyalty program. The information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with the consumer.
- A grocery store offers a loyalty program with coupons and special discounts to consumers who provide their phone numbers. The consumer submits a request to opt out of the sale of their personal information and the business complies, but drops them from the loyalty program. This practice is discriminatory unless the grocery store can demonstrate that the value of the coupons and special discounts is reasonably related to the value of the consumer’s data to the business.
- An online bookseller collects information about consumers, including email addresses. Discounts are offered to consumers through browser pop-up windows while the consumer uses the bookseller’s website. A consumer submits a request to delete all personal information that the bookseller has collected about them, including their email address and their browsing and purchasing history. The bookseller complies with the request but stops providing the pop-up coupons to the consumer. The bookseller’s failure to provide the coupons is discriminatory unless the value of the coupons is reasonably related to the value provided to the business by the consumer’s data. The bookseller may not deny the consumer’s request to delete as to the email address because the email is not necessary to provide the pop-up browser coupons or reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
These updated draft regulations are subject to a public comment period that will close at 5:00 PM PST on February 25, 2020.
If the Attorney General makes any further substantive changes in response to the comments filed, another public comment period will follow. Pending further revisions and applicable comment period(s), the proposed regulations appear to be on track to become effective by or before July 1, 2020. Recall that under the CCPA, the Attorney General cannot bring an enforcement action under the CCPA or the regulations until July 1, 2020.
Businesses should review processes and procedures that have been implemented since January 1 to determine whether the revisions impact operations and require further adjustments. If you’ve waited for the revisions after the original October 2019 version of the proposed regulations, now would be the time to start digging into the weeds of these regulations and ensure that your procedures comply with this new proposed draft. If you have any questions about your business’s CCPA compliance posture, please contact a member of the Mintz privacy team for additional guidance.