When does a company have to give access to the specific pieces of data collected about a consumer

With the rise of big data, there has been increased attention on proper data privacy practices. In addition to the EU’s General Data Protection Regulation, states in the U.S. have begun to enact their own data privacy laws, including Nevada, Ohio, and California. The CCPA took effect on January 1, 2020, and, despite popular opinion, has different requirements than the GDPR. It is also not the same as the CPRA.

Below we give you the run-down of the act: who needs to comply, what to expect as a business, and how to ensure that you aren’t facing penalties of non-compliance.

CCPA, or California Consumer Privacy Act, is legislation designed to improve the data privacy of California residents. In essence, it gives residents the right to know when and how their information is being collected and sold, as well as the ability to opt out of its sale. It also grants them the legal right to the same service and price whether or not they exercise their privacy rights.

CCPA comes on the heels of GDPR (General Data Protection Regulation), and a host of other state-enacted privacy laws that reflect the public’s growing concern with data privacy abuse.

The CCPA is specifically geared towards for-profit businesses that collect, share or sell California consumers’ personal information, and meet one or more of the following criteria:

  1. Has annual revenues of more than $25 million;
  2. Collects, sells, or shares the personal information of 50,000 or more consumers, households, or devices;
  3. Earns 50% or more of its annual revenue by selling consumers’ personal information.

Location does not matter: a business need not be based in California. As long as it does business with Californians and meets one of the thresholds above, it is subject to the CCPA. Further, any entity that controls or is controlled by a business meeting one or more of the above criteria, and that shares common branding with it, is also subject to the CCPA.

The CCPA gives consumers the right to know who is collecting information about them and what information is being collected, and the ability to opt out of the sale of their data. Businesses must adhere to these requirements by giving consumers the following rights:

The right to disclosure

Businesses must disclose when they collect and sell information about a user, to whom they sell it, the specific pieces of information they collect and sell, and the purposes for which they collect and sell it. Businesses have 45 days to respond to a consumer’s request for the specific information collected about them. Businesses must offer at least two ways of requesting the information the business has collected or disclosed within the past 12 months (e.g., a web link, an email address, or a phone number).

The right to delete their data

Businesses must notify consumers that they have the right to request that their data be deleted. Businesses must comply, and must also direct their service providers to delete the consumer’s information and ensure that the deletion request is honored.

The right to opt-out

Businesses must notify consumers that they have a right to opt out of the sale of their data, and must actually honor that choice. In addition to a general opt-out method, they must provide a link specifically titled “Do Not Sell My Personal Information.”

The right to non-discrimination

Consumers who request that their data be deleted or who opt out of having their data collected and/or sold have the right to get the same service at the same cost.

Business must also have a privacy policy

Like the GDPR, CCPA requires businesses to have a privacy policy in which they must include:

  1. The consumers’ rights
  2. Ways consumers can submit requests
  3. Categories of personal information collected within the last 12 months.

To ensure compliance with the CCPA, businesses must provide proper and thorough notice of all the activities they will be undertaking with their data collection practices. In addition, businesses need to:

  1. Have an up-to-date privacy policy that outlines all the disclosures listed above
  2. Be able to track versions of privacy policies and maintain proof of individual user consent
  3. Provide two or more methods by which consumers can request the data that a business has collected or sold
  4. Provide an opt-out link that explicitly states, “Do Not Sell My Personal Information.”
  5. Revise third-party agreements (e.g., Data Processing Agreements), and track acceptance of the updated agreements to ensure third-party compliance.

Non-compliance with the CCPA comes with financial penalties. Under the CCPA, the Attorney General can seek a civil penalty of up to $7,500 per violation for intentional non-compliance (i.e., purposefully ignoring the mandates of the CCPA), and up to $2,500 per violation otherwise. Because penalties are assessed per violation, a non-compliance event affecting many consumers can multiply quickly.

Consumers’ Private Right of Action

Additionally, consumers themselves have a private right of action in the event of a data breach caused by non-compliance. Consumers can sue the company for statutory damages if it failed to implement reasonable security measures and that failure led to an unauthorized disclosure of their personal information. The consumer has to notify the company of which provisions of the CCPA it violated and give the company 30 days to cure the violation. If the company fails to cure it, the company is subject to statutory damages of between $100 and $750 per consumer per incident (or actual damages, whichever is greater). So for a class action arising out of a data breach (which is already very expensive without a consumer suit), the company could have to pay out an additional large sum.

Take the Anthem breach, for example, which affected roughly 13.5 million Californians. Under the CCPA, Anthem would owe between $1.35 billion and over $10 billion in statutory damages, in addition to other data breach costs.

Ironclad can help businesses track consent to updated privacy policies, terms and conditions, and CCPA-mandated disclosures. Additionally, Ironclad can help businesses track opt ins and opt outs of data disclosures, quickly push updated privacy policies, terms of service agreements, and third-party agreements for consumers or vendors to acknowledge or accept with a simple click of a button. Get a consultation with our clickwrap contract experts to see for yourself!

No.

Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1

Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double-check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2

The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.

Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.

GDPR:

  • There are no specific requirements governing the methods by which a data subject can submit a request.
  • A business should provide methods for requests to be made electronically, especially where personal data is processed by electronic means.3

CCPA:

Access:

  • If a business only operates online, it is only required to provide an email address.4
  • If a business is not only online, it must provide, at a minimum, a toll-free number and a website address.5
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.6

Opt-out:

  • A business must provide a link on the homepage titled “Do Not Sell My Personal Information.”7
  • A business must provide at least two methods for submitting requests (no exception for online-only).8
  • One of the methods must be an interactive form accessible through the “Do Not Sell” link.9
  • At least one method to opt-out must reflect the manner in which the business primarily interacts with the consumer.10
  • The business must treat user-enabled global privacy controls as a valid opt-out request.11
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.12

Delete:

  • A business must provide at least two methods for submitting requests (no exception for online-only).13
  • If a consumer submits a request in a manner that is not a designated submission method, the business must either treat the request as if it was properly made or it must instruct the consumer on how to properly make the request.14

The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information.  The concept of consent only arises within the CCPA if a company intends to sell information.  In that context, consent applies in three situations:

  1. Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood.  The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1  In other words, if a consumer consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
  2. Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor.  Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph technically the information transfer might not be a “sale” at all.
  3. Re-soliciting the ability to sell. The CCPA states that if a person opts-out of the sale of information (E.g., click a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4

The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information.  The concept of consent only arises within the CCPA if a company intends to sell information.  In that context, consent applies in three situations when dealing with employees:

  1. Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood.  The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1  In other words, if an employee consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
  2. Sale of information about minors.  The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor-employee.  Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph the information transfer might not be a “sale” at all.
  3. Re-soliciting the ability to sell.  The CCPA states that if a person opts-out of the sale of information (E.g., click a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4 As a result, if a company sells the information of its employees, and provides employees a do not sell option, it is not permitted to ask those employees that opt-out for permission to sell for 12 months.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners.  If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1

Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted.  There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners.  The little data that exists, however, indicates that acceptance rates differ depending upon the location of the website visitor.  Specifically, users in some European countries (e.g., Sweden and the Netherlands) appear to “accept” cookies when presented with a cookie notice that solicits opt-in at rates that may be more than double the acceptance rate in the United States.2

Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.1 As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.

While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements. 2 Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.

GDPR:

  • There are no specific requirements for the verification of a requestor.
  • If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this will trigger the GDPR’s data breach provisions.
  • If there are doubts concerning the identity of an individual, the controller may request additional information.
  • The controller must use all reasonable measures to verify the identity of a data subject who requests access to their information.
  • A business must establish procedures for verifying the identity of a requestor. This implies that the procedures must (or should) be documented and complied with.

CCPA:

General Rules:

  • If a business fails to properly verify the identity of a requestor, and ultimately discloses a consumer’s personal information to a third party without the consumer’s authorization, this may or may not trigger the CCPA’s data breach provisions.
  • A business shall avoid requesting new information for verification unless it is necessary to complete the verification.5
  • Any additional information collected for the purposes of verification may only be used to verify the individual.6
  • A business must establish, document, and comply with a reasonable method for the verification of requests.7
  • A business cannot require the consumer to pay a fee for the verification of their identity. This includes requiring a consumer to provide a notarized affidavit (unless the business compensates the consumer for the cost of notarization).8
  • If the consumer maintains an account, the business may verify their identity through that account using the business’s standard verification measures.9

Access:

  • If a specific information-access request is denied, the business must evaluate the request as if it were a category-access request.10
  • A business must verify individuals who submit category-level access requests to a reasonable degree of certainty, which may include matching at least two data points.11
  • A business must verify individuals who submit specific-information access requests to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.12

Opt-Out:

  • A request to opt-out does not need to be verifiable.13

Deletion:

  • A business must verify individuals who submit deletion requests to a reasonably high degree of certainty, which may include matching at least three pieces of personal information.14
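The verification tiers above amount to a decision procedure, and the following is one way to implement it. This is an added example, not code from the article, from BCLP, or from any regulator: it encodes opt-out as unverified, category-level access as needing a reasonable degree of certainty (illustrated as two matching data points), specific-piece access and deletion as needing a reasonably high degree of certainty (illustrated as three), the rule that a denied specific-piece request is re-evaluated as a category request, and the account-holder path. The record layout, field names, request-type names and sample data are constructed for the example, and the match counts are the regulation’s illustrations rather than fixed legal minimums.

```python
"""Tiered identity verification for CCPA rights requests (added example)."""
from dataclasses import dataclass
import hmac
import unicodedata

# Data points each request type must reproduce before it is honoured.
# The counts are the regulation's illustrations, not fixed legal minimums.
REQUIRED_MATCHES = {
    "opt_out": 0,            # opt-out requests need not be verifiable
    "access_categories": 2,  # "reasonable degree of certainty"
    "access_specific": 3,    # "reasonably high degree of certainty"
    "delete": 3,             # same standard as specific-piece access
}

# Constructed sample of what the business already holds about a consumer.
RECORDS = {
    "c-1001": {
        "email": "ana@example.com",
        "phone": "+1 415 555 0100",
        "postal_code": "94105",
        "last_order": "ORD-7781",
    },
}


def _norm(value: str) -> str:
    """Canonicalise so formatting differences (case, spaces, punctuation)
    do not defeat a genuine match; keeps only alphanumerics, '@' and '.'."""
    value = unicodedata.normalize("NFKC", value).strip().casefold()
    return "".join(ch for ch in value if ch.isalnum() or ch in "@.")


def _match(stored: str, claimed: str) -> bool:
    # Constant-time compare: a timing side channel must not let an impostor
    # confirm field values one character at a time.
    return hmac.compare_digest(_norm(stored).encode(), _norm(claimed).encode())


def count_matches(record: dict, claimed: dict) -> int:
    """Number of distinct data points the requester reproduced correctly.
    Only fields the business already holds are counted; anything else the
    requester supplied is ignored, and nothing new is asked for."""
    return sum(1 for k, v in claimed.items() if k in record and _match(record[k], v))


@dataclass
class Decision:
    request_type: str   # the request type actually granted (may be downgraded)
    verified: bool
    matched: int
    reason: str


def verify_request(request_type: str, consumer_id: str, claimed: dict,
                   authenticated_account: bool = False) -> Decision:
    """Decide whether a rights request may be acted on.

    `claimed` holds the data points the requester supplied; they are used
    for verification only and must not be written back to the profile.
    """
    if request_type not in REQUIRED_MATCHES:
        raise ValueError(f"unknown request type {request_type!r}")
    if request_type == "opt_out":
        return Decision(request_type, True, 0, "opt-out requests need no verification")
    if authenticated_account:
        # A password-protected account checked by the business's normal
        # login stands in for matching individual data points.
        return Decision(request_type, True, 0, "verified through existing account")
    record = RECORDS.get(consumer_id)
    if record is None:
        return Decision(request_type, False, 0, "no record for this consumer")
    matched = count_matches(record, claimed)
    needed = REQUIRED_MATCHES[request_type]
    if matched >= needed:
        return Decision(request_type, True, matched, f"{matched} data points matched")
    if request_type == "access_specific" and matched >= REQUIRED_MATCHES["access_categories"]:
        # Not enough certainty for specific pieces: fall back to categories.
        return Decision("access_categories", True, matched,
                        "downgraded to category-level access")
    return Decision(request_type, False, matched, f"needed {needed}, matched {matched}")


if __name__ == "__main__":
    claim = {"email": "Ana@Example.com", "phone": "+1 (415) 555-0100", "postal_code": "90210"}
    print(verify_request("access_specific", "c-1001", claim))
```

Two design points worth keeping when adapting this: the requester’s claimed values are compared against what the business already holds and are never stored, which is what keeps verification from becoming a second collection event; and the downgrade path means a failed request for specific pieces still yields the category-level response the consumer is entitled to rather than a flat refusal.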

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to delete personal information about a consumer after receiving a deletion request.2

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3  Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor deletion requests, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with deletion requests.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.” 1  The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or provide “the specific pieces of personal information” collected about a consumer.2

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1   The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to provide notice concerning its privacy practices.2

It should be noted that the California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3  Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that fail to post a privacy notice, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action.

The CCPA states that people have a right to request that a business “delete any personal information about the consumer which the business has collected from the consumer.”1  Although the CCPA does not define what it means to “delete” information or specify how a business must carry out a deletion request, California courts are likely to accept at least two approaches to deletion.

First, a business that receives a deletion request may choose to erase, shred, or irrevocably destroy the entirety of a record that contains personal information.  As part of that destruction, any personal information contained within the record will, necessarily, be “deleted.”

Second, California courts are likely to accept the anonymization or de-identification of information as a form of deletion.  Among other things, a separate California statute (the “California data destruction statute”), which predates the CCPA, requires that businesses take “reasonable steps” to dispose of customer records that “contain[] personal information.”2  That statute recognizes that a customer record can be “dispos[ed]” of without its complete erasure by “modifying the personal information within the record to make it unreadable or undecipherable through any means.”3  As a result, if a business maintains a record, but modifies the portion of the record that contains “personal information” (e.g., deletes, redacts, replaces, or anonymizes name, address, Social Security Number, etc.), its actions conform to the California data destruction statute.  A strong argument can be made that a business that complies with the destruction standard under the California data destruction statute should be deemed to be in compliance with the deletion requirements of the CCPA, and, as a result, the removal of the portion of a record that contains personal information is sufficient to “delete” such information.  This approach is further supported by the fact that the CCPA expressly states that it does not impose any restriction on a business that “retain[s]” information that is “deidentified.”4  As a result, if a business de-identifies a record by modifying the personal information within it such that the personal information is no longer associated with an identified individual, the further retention of the record (i.e., the record absent the personal information) is not prohibited by the CCPA.5

It is worth noting that the use of de-identification or anonymization techniques to remove personal information from a record is also consistent with other California consumer protection statutes.  Specifically, in 2015, California enacted a statute that required operators of websites and mobile apps directed towards minors to “remove” content that a minor posted on a website if requested (the California “Erasure Button Law”).6  The Erasure Button Law specifically states that a company is not required to “erase or otherwise eliminate” such information if “the operator anonymizes the content or information” such that it “cannot be individually identified.”7
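The second approach, keeping the record but modifying the portion that contains personal information, is easy to get subtly wrong: identifiers leak into free-text fields, and a persistent account key left behind is a re-identification handle. The following is an added example of the approach, not code from the article or from BCLP. The record layout, the list of fields treated as personal information, the support-note text and the sample data are all constructed for the example; which fields count as personal information, and whether retained quasi-identifiers such as a postal code need further treatment, remains a judgement for the business.

```python
"""De-identifying a customer record as a form of deletion (added example)."""
import copy
import json

# Fields treated as personal information in this constructed schema.
# The persistent account key is included: an identifier that links the
# retained record back to other systems defeats de-identification.
PII_FIELDS = {"customer_id", "name", "email", "phone", "ssn",
              "street_address", "ip_address"}
REDACTED = "[deleted]"

# Constructed sample record, including an identifier that leaked into free text.
SAMPLE = {
    "customer_id": "c-1001",
    "name": "Ana Ruiz",
    "email": "ana@example.com",
    "phone": "+1 415 555 0100",
    "orders": [
        {"sku": "X-100", "qty": 2,
         "ship_to": {"street_address": "12 Main St", "postal_code": "94105"}},
    ],
    "support_notes": ["Ana Ruiz called about order; callback to ana@example.com"],
}


def _pii_values(record) -> set:
    """Collect every identifier value in the record, at any nesting depth,
    so that copies of those values in other fields can be scrubbed too."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in PII_FIELDS and isinstance(value, str) and value.strip():
                    found.add(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(record)
    return found


def deidentify(record: dict) -> dict:
    """Return a copy with identifier fields removed and any identifier value
    that appears inside remaining strings replaced. The input is not
    modified, so the caller decides when the original is destroyed."""
    values = sorted(_pii_values(record), key=len, reverse=True)  # longest first

    def scrub(node):
        if isinstance(node, dict):
            return {k: scrub(v) for k, v in node.items() if k not in PII_FIELDS}
        if isinstance(node, list):
            return [scrub(item) for item in node]
        if isinstance(node, str):
            for value in values:
                node = node.replace(value, REDACTED)
            return node
        return node

    return scrub(copy.deepcopy(record))


def still_identifies(deidentified: dict, original: dict) -> bool:
    """Completion check: True if any identifier value from the original
    survives anywhere in the de-identified record (exact-match search)."""
    blob = json.dumps(deidentified)
    return any(value in blob for value in _pii_values(original))


if __name__ == "__main__":
    retained = deidentify(SAMPLE)
    print(json.dumps(retained, indent=2))
    print("still identifies:", still_identifies(retained, SAMPLE))
```

The completion check is deliberately a separate function: it is the evidence a business would record alongside the deletion, and it runs against the original record before that record is destroyed. The substring scrub is exact-match only; case variants, misspellings and indirect descriptions in free text need a human or a dedicated PII scanner.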


Some retailers have expressed confusion about whether a loyalty program might be considered a “financial incentive” program under the CCPA. If a loyalty program were classified as a “financial incentive program,” it might, among other things, require the business to confirm that differences in “price, rate, level, or quality of goods or services” offered to consumers are “directly related to the value provided to the business by the consumer’s data.”1

Most loyalty programs have a strong argument that they are not financial incentive programs, as the main purpose of the program is to provide benefits in recognition of (or in exchange for) repeat purchasing patterns, and not “for the collection of personal information.”  Nonetheless, some retailers have expressed concern that privacy advocates, or plaintiffs’ attorneys, might attempt to argue that all loyalty programs amount to financial incentives.  In order to avoid the cost of defending against such an argument, they have considered excluding Californians from the scope of their loyalty programs.

While the CCPA prohibits discriminating against a consumer that exercises one of their rights under the Act,2 the CCPA does not confer a right to join loyalty programs.  As a result, a company can elect to exclude Californians completely from loyalty programs in order to avoid the risk that the program might be alleged to be a financial incentive program.

Unless a service provider has contractually agreed otherwise, they can refuse an instruction to delete personal information that they receive from their client (i.e., the business for whom the service provider was processing personal information).

The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”1 When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.2

Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions.  While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data.  These include:3

  1. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  2. Debug to identify and repair errors that impair existing intended functionality.
  3. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  4. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  5. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  6. Comply with a legal obligation.
  7. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.

A consumer may incorrectly direct a deletion request to a service provider rather than to the business for which the service provider processes personal information.  Service providers are permitted to refuse deletion requests that they receive directly from a consumer, as the CCPA only allows consumers to request deletion from a business.1

It is a common practice for employers to ask employees if they would like to be included in a picture or a video, either for product advertisement or internal training.  Typically, when this occurs, the employer asks the employee to sign a release, waiver, or permission for the use of their image.

If an employee whose image was integrated in company material made a right to deletion request, the honoring of such request could cause significant disruption or cost to a company.  For example, posters, mailers, images, or advertisements might need to be recalled, deleted, or destroyed.

It is presently unclear how courts would deal with such a request once employee-deletion rights go into effect in 2021.  While an employer might point to the employee’s consent to have their image used, it’s possible that an employee would refer to a provision in the CCPA which states that “[a]ny provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title . . . shall be deemed contrary to public policy and shall be void and unenforceable.”1  Furthermore, it is not clear whether any of the nine exceptions to deletion within the CCPA would apply to the employee’s request:

  1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.2
     Application: An employer might argue that the use of an employee’s image is the completion of a contract between the business and the consumer (i.e., the permission release).  The strength of such an argument might depend, however, on whether the release is viewed as a stand-alone contract.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.3
     Application: It is unlikely that this exception would apply.
  3. Debug to identify and repair errors that impair existing intended functionality.4
     Application: It is unlikely that this exception would apply.
  4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.5
     Application: It is possible that the employer could argue that rights it has in the material in which the image was included would be interfered with if the deletion request were granted.  As businesses do not qualify as “consumers” under the CCPA, it is unclear how a court would respond to such an argument.
  5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.6
     Application: This exception applies if a business has received a government request for the personal information of an individual under the terms of the California Electronic Communications Privacy Act.
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.7
     Application: This exception likely does not apply.
  7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.8
     Application: This exception is unlikely to apply if the material (e.g., photo or video) will be used outside the company.
  8. Comply with a legal obligation.9
     Application: This exception is unlikely to apply.
  9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.10
     Application: This exception is unlikely to apply if the material (e.g., photo or video) will be used outside the company.

The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1  While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could reasonably be linked” with a particular person.2  There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA, as it may not be capable of being reasonably linked with a particular person.  There may also be an argument that many static IP addresses cannot be “reasonably” linked to a consumer unless they are combined with other information (e.g., account identifiers or login records) that would permit the easy identification of that consumer.

Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.3  The CCPA provides nine exceptions pursuant to which a business can refuse a deletion request.  (Separately, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.4)  Of those nine exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:

  • Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.5  To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
  • Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.6  To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
  • Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.7  To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.8  Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use).  To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
  • Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” then the information does not need to be deleted.9  While this exception is similar to the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection.  Again, in the context of IP addresses, if a company uses the IP address in the context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
  • Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.10  In the context of IP addresses, if a company is required by law to maintain certain records – such as a weblog for security or audit trail purposes – this exception may be available to deny a deletion request.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to delete personal information about a consumer after receiving a deletion request.2

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3  Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor deletion requests, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with deletion requests.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.” 1  The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to disclose to consumers information about their data upon request, or provide “the specific pieces of personal information” collected about a consumer.2

The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action, and the ability for plaintiffs’ attorneys to seek statutory damages, to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to honor access requests, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with access requests.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1   The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligations to provide notice concerning its privacy practices.2

It should be noted that the California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3  Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law, arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery.  It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4

An amendment to the CCPA – Senate Bill 561 – has been proposed which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages to all alleged violations of the CCPA.  While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.  As a practical matter, this means that the amendment will more than likely not be enacted this year, although it could come back for a vote after 2019.

The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that fail to post a privacy notice, and it is unlikely that courts will permit such suits through the auspices of the UCL.  The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action.

The CCPA states that people have a right to request that a business “delete any personal information about the consumer which the business has collected from the consumer.”1  Although the CCPA does not define what it means to “delete” information or specify how a business must carry out a deletion request, California courts are likely to accept at least two approaches to deletion.

First, a business that receives a deletion request may choose to erase, shred, or irrevocably destroy the entirety of a record that contains personal information.  As part of that destruction, any personal information contained within the record will, necessarily, be “deleted.”

Second, California courts are likely to accept the anonymization or de-identification of information as a form of deletion.  Among other things, a separate California statute (the “California data destruction statute”), which predates the CCPA, requires that businesses take “reasonable steps” to dispose of customer records that “contain[] personal information.”2  That statute recognizes that a customer record can be “dispos[ed]” of without its complete erasure by “modifying the personal information within the record to make it unreadable or undecipherable through any means.”3  As a result, if a business maintains a record but modifies the portion of the record that contains “personal information” (e.g., deletes, redacts, replaces, or anonymizes name, address, Social Security Number, etc.), its actions conform to the California data destruction statute.  A strong argument can be made that a business that complies with the destruction standard under the California data destruction statute should be deemed to be in compliance with the deletion requirements of the CCPA, and, as a result, the removal of the portion of a record that contains personal information is sufficient to “delete” such information.  This approach is further supported by the fact that the CCPA expressly states that it does not impose any restriction on a business that “retain[s]” information that is “deidentified.”4  As a result, if a business de-identifies a record by modifying the personal information within it such that the personal information is no longer associated with an identified individual, the further retention of the record (i.e., the record absent the personal information) is not prohibited by the CCPA.5  The practical caveat is that a record remains “deidentified” only if the fields that are left behind cannot be recombined with other data the business holds to re-identify the individual.

It is worth noting that the use of de-identification or anonymization techniques to remove personal information from a record is also consistent with other California consumer protection statutes.  Specifically, in 2015, California enacted a statute that required operators of websites and mobile apps directed towards minors to “remove” content that a minor posted on a website if requested (the California “Erasure Button Law”).6  The Erasure Button Law specifically states that a company is not required to “erase or otherwise eliminate” such information if “the operator anonymizes the content or information” such that it “cannot be individually identified.”7
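The two discussions above (IP addresses in weblogs, and de-identification as a form of deletion) describe one concrete engineering task: on a verified deletion request, strip the identifying fields from the consumer’s log records while leaving the rest of the record usable for debugging, and leave intact the records that the business is entitled to keep under the security-incident exception.  The following is an added example, not code from the original article or from any vendor.  It assumes (these are assumptions, not facts from the page) that the logs are in Apache/Nginx Common Log Format, that the requesting consumer is identified solely by the IP addresses named in the verified request, and that a separate “hold” list names addresses that are part of an open security investigation.

```python
"""De-identify web-log records in response to a verified CCPA deletion request.

Added example; not code from the original article.  Assumptions (not from the
page): Common Log Format input, the consumer is identified only by the IP
address(es) in the request, and `hold_ips` lists addresses retained under the
security-incident exception (Cal. Civ. Code 1798.105(d)(2)).
"""
import ipaddress
import re
from dataclasses import dataclass

# Common Log Format: host ident authuser [date] "request" status bytes [extras]
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<size>\S+)(?P<rest>.*)$'
)
REDACTED = "-"  # CLF's own placeholder for an absent field

# Constructed sample log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE = [
    '203.0.113.7 - alice [10/Oct/2019:13:55:36 -0700] "GET /account HTTP/1.1" 200 2326',
    '198.51.100.22 - - [10/Oct/2019:13:55:40 -0700] "GET /index.html HTTP/1.1" 200 512',
    '2001:db8::1 - - [10/Oct/2019:13:56:01 -0700] "POST /login HTTP/1.1" 401 0',
    '203.0.113.7 - alice [10/Oct/2019:13:57:12 -0700] "GET /missing HTTP/1.1" 404 0',
    'garbage line that is not CLF',
]


@dataclass
class Result:
    lines: list       # the rewritten log, same length and order as the input
    redacted: int     # records whose identifying fields were modified
    held: int         # matching records kept intact under the incident hold
    malformed: int    # records that did not parse and were left untouched


def _norm(ip):
    """Canonicalize an address so '2001:DB8::1' and '2001:db8::1' compare equal.

    Returns None for anything that is not an IP literal (hostnames, '-', junk)."""
    try:
        return ipaddress.ip_address(ip.strip("[]")).compressed
    except ValueError:
        return None


def deidentify_log(lines, request_ips, hold_ips=()):
    """Return a copy of `lines` in which every record attributable to an
    address in `request_ips` has its remote-host and authenticated-user fields
    replaced by REDACTED, unless that address is on `hold_ips`, in which case
    the record is kept verbatim (security-incident exception).

    Only the identifying fields are modified; timestamp, request line, status
    and size are retained so the record remains useful for debugging.  Caveat:
    if the trailing fields (referer, user agent) could be combined with other
    data to re-identify the person, they need the same treatment."""
    targets = {n for n in map(_norm, request_ips) if n}
    holds = {n for n in map(_norm, hold_ips) if n}
    out, redacted, held, malformed = [], 0, 0, 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            malformed += 1      # never silently drop what we cannot parse
            out.append(line)
            continue
        host = _norm(m.group("host"))
        if host in targets:
            if host in holds:
                held += 1       # entitled to retain: leave the record intact
                out.append(line)
                continue
            redacted += 1
            d = m.groupdict()
            d["host"] = REDACTED
            d["authuser"] = REDACTED  # a login name is personal information too
            line = ('{host} {ident} {authuser} [{date}] "{request}" '
                    '{status} {size}{rest}').format(**d)
        out.append(line)
    return Result(out, redacted, held, malformed)


if __name__ == "__main__":
    # The failed logins from 2001:db8::1 are (hypothetically) part of an open
    # credential-stuffing investigation, so that address is on hold.
    r = deidentify_log(SAMPLE, ["203.0.113.7", "2001:DB8::1"], hold_ips=["2001:db8::1"])
    print(f"redacted={r.redacted} held={r.held} malformed={r.malformed}")
    print("\n".join(r.lines))
```

The function returns the held and malformed counts alongside the rewritten log so that the response to the consumer can state which records were modified and which were retained under an exception, which is the record a business would want if the refusal were later challenged.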

The scope of the right to be forgotten under the CCPA and the GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.1  As a result, if a business obtains information about a consumer from other sources (e.g., third party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request.  In comparison, the right to be forgotten under the GDPR extends to data collected from a consumer directly and to data collected about the consumer from third party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.2
  2. The processing was based solely on consent.3
  3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.4
  4. The data is being processed unlawfully.5
  5. Erasure is already required by law.6
  6. That data was collected from a child as part of offering an information society service.7

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical:

Exception | CCPA | GDPR
1. Complete a transaction | Y8 | Y9
2. Detect wrongdoing | Y10 | Y/X11
3. Repair errors to data systems | Y12 | Y/X13
4. Free speech | Y14 | Y15
5. Exercise legal rights of the business, or establish a legal claim | Y16 | Y17
6. Research | Y18 | Y19
7. Internal uses aligned with consumer expectations | Y20 | X
8. Internal uses aligned with the context of collection | Y21 | X
9. Comply with legal obligations | Y22 | Y23
10. Public interest to support public health | X | Y24

The CCPA provides as an exception to its prohibition against discrimination situations in which a “price or difference” is related to the value provided to a business by the consumer’s data.1  While some retailers have suggested that this exception may require that all retailers explain how the benefits of their loyalty program relate to the value to a business of loyalty-program-members data, such an interpretation overlooks the fact that the anti-discrimination provisions of the CCPA only require that a business does not discriminate against a consumer that exercises a right under the CCPA.  As joining a loyalty program is not, in and of itself, a right, a business is not required to explain how the benefits offered by the loyalty program relate to the value provided to the business by consumer data.

The CCPA requires that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  In order to access or delete their information, a consumer must submit a “verifiable consumer request.”1  While the term implies that a business must take steps to “verify” that the individual who has made a request is indeed the person about whose information they would like the company to take action, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.  Rather, the Act directs the Attorney General to adopt regulations to help guide companies on how to accomplish consumer verification.2

If the Office of the Attorney General has not finalized regulations by the time that the CCPA goes into force, many businesses are likely to apply a sliding scale verification process under which they establish higher-threshold steps needed for verification (e.g., government issued ID) when a request might permit access to sensitive consumer information (or the deletion of important consumer data) and lower-threshold steps needed for verification (e.g., confirmation to an email address previously on file) when a request would permit access only to low-sensitivity consumer information (or the deletion of relatively unimportant consumer data).

In comparison, in Europe the Article 29 Working Party – the predecessor to the European Data Protection Board – recognized that while there “are no prescriptive requirements to be found in the GDPR on how to authenticate the data subject,” controllers have an obligation to “strongly ascertain” the identity of a data subject before responding to a request regarding information.3  While in some situations verifying the email address of a data subject (e.g., sending a communication to the data subject at the email address that a company has previously associated with the individual) may be sufficient to “strongly ascertain” identity, in other instances it would not.  Specifically, email verification has well accepted vulnerabilities to impersonation (a compromised mailbox, or an account that was never tied to the individual in the first place), and supervisory authorities have advised controllers that they should not assume that a data subject is who they say they are based upon the mere fact that an “email address matches the company’s records,” and have advised gathering “further information” prior to responding to the data subject’s request.4

In the United Kingdom, the Information Commissioner’s Office published a ‘Subject Access Code of Practice’ which provided guidance on (amongst a multitude of other things) how to confirm a requestor’s identity.  In short, the Code recommended asking only for enough information to judge whether the person making the request is the individual to whom the personal data relates.  What is reasonable may be circumstance specific.  For example:
  • If a company receives a written request from a current employee that is personally known, a phone call may be sufficient to satisfy the identity of the requestor. It would likely be unreasonable to ask them for additional proof of identity.
  • If a company receives a request by email, and in that email the requestor provides an address which does not match the address a company has on record, it would be reasonable to confirm another detail which the company holds on record.

The means by which the request is delivered may also affect the decision about how far a company needs to go to confirm the requestor’s identity.  For example, if a request is made from an email account with which a company has recently corresponded with the requestor, it may be reasonable (particularly if the personal information kept has no sensitivity) to assume that the request has been made by the requestor.  On the other hand, if the request is made via a social networking website or on blank letter paper, it may be more prudent to check whether it is a genuine request.

The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2  The statute reiterates that access is limited to a 12 month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear, from this text, whether the legislature intended that a company provide access only to data that was collected during the 12 month lookback period, or provide access to data that was held by the company during some portion of the 12 month lookback.

Probably not.

Typically, businesses are not required to delete information maintained as part of a loyalty program in response to a right to be forgotten request.  Some businesses, however, may consider voluntarily agreeing to a right to be forgotten request in order to confer upon consumers greater control over their data.

Based upon the current drafting of the CCPA, voluntarily agreeing to a right to be forgotten request may raise unintended complexities.  Specifically, the CCPA states that a business “shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights” under the Act.1  Among other things, the CCPA provides the following examples of discrimination under the statute:

  • Denying “goods or services” because the consumer exercised a deletion right;2
  • Charging “different prices or rates for goods or services” because the consumer exercised a deletion right;3
  • Charging different rates “through the use of discounts or other benefits” because the consumer exercised a deletion right;4 or
  • Providing “a different level or quality of goods or services” because a consumer exercised a deletion right.5

In the context of a loyalty program, a potential conflict arises if an individual requests to be forgotten.  If the business voluntarily honors such a request, the consumer’s participation in the loyalty program would presumably need to be terminated as the business would no longer have data about the consumer needed to track purchases and provide loyalty-related benefits.  For loyalty programs that provide free products or services, termination could lead a consumer to argue that they were either “den[ied] goods or services” or “charg[ed] different prices or rates . . . through the use of discounts or other benefits.”6  While some businesses might attempt to mitigate inadvertent harm by warning consumers that an inevitable consequence of a deletion request would be the loss of value, or the loss of benefits, associated with the loyalty program, the CCPA specifically prohibits a business from “[s]uggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services” if the consumer were to exercise one of their rights.7  That prohibition seemingly puts a business between a rock and a hard place.  If they honor the consumer’s request, they may be accused of unlawful discrimination by denying the benefits of the loyalty program as a result of the exercise of the consumer’s rights.  If they warn the consumer of the inevitable consequence of a deletion request, the business could be accused of violating the CCPA by suggesting that the exercise of a right will lead to the loss of a benefit.

To the extent that the California Attorney General argues that the act of exercising a deletion request leads to a form of “discrimination,” the CCPA provides an affirmative defense that may be available to some loyalty programs.  The CCPA states that, notwithstanding the anti-discrimination prohibition within the Act, a business may charge a different price or rate, or provide a different level of quality or service, if that “difference is reasonably related to the value provided to the business by the consumer’s data.”8 The CCPA does not, however, set forth a standard by which courts should judge whether the difference in price or quality is “reasonably related.”  Nor does the CCPA set forth a methodology for how a business should calculate the value provided to it by the consumer’s data.

The net result is that there remains a great deal of uncertainty concerning the practical ability of a business to rely upon the “business value” exception.  Specifically, it remains to be seen whether courts will (1) assign the burden to a plaintiff to prove the value of data to a business, or assign the burden to a business to prove the value to the business of the data, (2) perceive the question of whether two values are “reasonably related” to be a question of fact suitable for juries, and/or (3) establish a consistent methodology for calculating the value of data to a business.

When investigating a data security incident, companies are often focused on determining whether there has been unauthorized access to, or acquisition of, personal data, and, if so, which data subjects were impacted.  As part of that investigation, companies typically create records that indicate which data subjects were, or were not, impacted by the incident, and attempt to create copies of the records that might have been impacted.

If a company notifies individuals about a data breach, it is not uncommon for some portion of the notified individuals to request that the company delete the information held about them.  Such requests raise an inherent conflict.  On the one hand, the data subject may no longer wish their information to be in the hands of the company – particularly if they perceive that the company’s security may be inadequate or may have contributed to the data breach.  On the other hand, the company has a strong interest in maintaining records relating to the security incident.  For example, if a data subject were to bring an action against a company for damages as a result of the security incident, the company has an interest in being able to refer to its internal records to determine if the data subject’s information was involved in the incident, and, if so, what types of data fields may have been impacted.  Similarly, if a third party is responsible for a data breach, a company may need the evidence (in an unaltered and authenticated state) in order to bring suit against the third party, or to aid in a criminal prosecution against the individual.  The GDPR resolves the conflict by allowing a company to keep personal data – despite a data subject’s request that it be deleted – if data is “necessary . . . for the establishment, exercise or defence of legal claims.”1

In some circumstances, data relating to a breach may no longer be necessary for the purpose of establishing a claim or defense (e.g., if the attacker has already been prosecuted, or the statute of limitations for a third party to bring a claim relating to the incident has expired).  In such situations, whether a company must comply with a deletion request depends on the context of a particular incident and whether one of the following criteria applies:

  1. Companies must delete data upon request if data is no longer necessary.  If the personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.2 As a result, if the company no longer needs the data to establish a legal defense or claim, and the data is no longer necessary for the purposes of its original collection, the request to delete should be honored.
  2. Companies must delete data upon request if the data was processed based solely on consent.  If a company’s sole basis for processing data was the consent of the individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent.  Conversely, if processing is based on an additional permissible purpose (e.g., performance of a contract), the right to be forgotten request does not necessarily have to be granted.
  3. Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights.  When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”3 Whether the company’s interest in continuing to keep the information, or the data subject’s interest in having it deleted, controls may depend on the precise reasons both parties have for keeping (or deleting) the information.

Like the GDPR, the CCPA contains an exception that permits a company to refuse a deletion request if the information is needed to “[e]xercise or defend legal claims.”4  The CCPA also contains an exception that permits the retention of the information if it is “necessary” to “prosecute those responsible for” a security incident,5 if it is needed for “internal uses that are reasonably aligned with the expectations of the consumer,”6 or if it is necessary for the business to use it internally in a manner that is “compatible with the context in which the consumer provided the information.”7

The CCPA prohibits a business from charging different “prices or rates” or offering “discounts, or other benefits” based upon whether a consumer “exercised any of the consumer’s rights” under the Act.1  The Act does not confer a right to join (or not join) a loyalty program.  As a result, the CCPA does not, on its face, prohibit a loyalty program from charging different prices or offering discounts to loyal consumers.

Some retailers have expressed concern that the CCPA may indirectly prohibit a business from charging different prices through a loyalty program because members of a loyalty program may exercise their right to request the deletion of their information.  The specific concern is that if a loyalty program honored a deletion request, it would be forced to stop providing a benefit and thus could be accused of price discrimination.  Such concern is unfounded in the context of most loyalty programs.  Specifically, most loyalty programs are not required to honor most deletion requests.  If a loyalty program chooses to honor a deletion request, there are several steps that can be taken to ensure that a consumer is not disadvantaged because of that election.

Loyalty programs can be, and are, structured in a variety of different ways.  Some programs track dollars spent by a consumer, others track products purchased.  Some programs are free to participate in, others require consumers to purchase membership.  Some programs offer consumers additional products, other programs offer prizes, money, or third party products.  All loyalty programs share one thing in common however – they provide some form of reward to a consumer in recognition of (or in exchange for) their repeat purchasing patterns.

One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”1  While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program).  As this information was not collected “from” the consumer, it arguably does not fall within the ambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.) there are several exceptions to the CCPA which would allow a business to refuse a deletion request.  Specifically, the following exceptions to the right to deletion apply to personal information collected from a consumer as part of most loyalty programs:

Exception: Complete a transaction.
Description of exception: If personal information is maintained because it is necessary for a business to complete a transaction with the consumer, a business is not required to honor a deletion request.2
Applicability to loyalty: Personal information is often needed by a company that offers a loyalty program in order to complete a transaction requested by a consumer in connection with the program.  For example, if a consumer were to request to redeem loyalty points, a business may need to keep the consumer’s information in order to fulfill the request (e.g., to send earned products or services).

Exception: Provide a good or service.
Description of exception: If personal information is maintained because it is necessary for a business to “provide a good or service requested by a consumer,” a business is not required to honor a deletion request.3
Applicability to loyalty: Personal information is arguably needed in order to provide the service originally requested by the consumer – i.e., the operation of the loyalty program to which the consumer opted to become a member.

Exception: Detect wrongdoing.
Description of exception: If personal information is maintained because it is needed to detect security incidents, or “protect against malicious, deceptive, fraudulent, or illegal activity,” a business is not required to honor a deletion request.4
Applicability to loyalty: Personal information is often needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits.

Exception: Repair errors.
Description of exception: If personal information is maintained because it is necessary for a business to “identify and repair errors that impair existing intended functionality,” a business is not required to honor a deletion request.5
Applicability to loyalty: Personal information is often needed by a loyalty program sponsor to identify any errors in its process for collecting, maintaining, or tracking accumulated points or value.

Exception: Internal uses aligned with consumer expectations.
Description of exception: If personal information is maintained because it is necessary for “solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” a business is not required to honor a deletion request.6
Applicability to loyalty: Personal information is often needed by a loyalty program sponsor for numerous uses that are aligned with the expectation of the consumer at the time that they supplied information to the business.  These typically include the operation of the rewards program, internal accounting relating to members’ accrued points, internal accounting relating to members’ requested benefits, auditing, and improving the operation of the overall program.

Exception: Internal uses aligned with the context of collection.
Description of exception: If personal information is maintained “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” a business is not required to honor a deletion request.7
Applicability to loyalty: Personal information is often used by a loyalty program in a manner that is compatible with the context in which the consumer provided the information.  Such contexts are often disclosed in a loyalty program’s privacy notice and include the operation of the rewards program, internal accounting, auditing, and improving the operation of the overall program.

Exception: Comply with legal obligations.
Description of exception: If personal information maintained by a business is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.8
Applicability to loyalty: Personal information is often maintained in order to comply with tax, escheatment, and corporate accountability laws.

The net result is that most loyalty programs are permitted to refuse a request that a consumer’s personal information be deleted from an active loyalty account.

To the extent that a loyalty program collects personal information, it is required to provide a privacy notice consistent with the CCPA.

One of the rights granted to individuals under the CCPA is the right to be informed about the collection and use of personal data.1  A privacy notice (sometimes referred to as a privacy policy or information notice) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses the data, with whom the company shares the data, and how the company protects the data.  The CCPA requires that a business subject to the Act’s jurisdiction “inform consumers” about the categories of information collected and the purposes of that collection “at or before the point of collection.”2  The CCPA also requires that a business that posts an online privacy policy include within it certain additional disclosures relating to the rights of California residents, the specific categories of information collected, and the practices that the company has in relation to the sale of information.3

Some of the rights conferred by the CCPA are limited to data collected “from the consumer,”1 whereas other rights apply to data “collected about” a consumer.2 Access rights are part of the latter category.  As a result, if a business receives an access request from a member of a loyalty program, the CCPA requires that the business disclose “the specific pieces of personal information it has collected about that consumer.”3  This may be interpreted by courts as indicating that information must be disclosed regardless of whether the information was collected from the consumer directly, was received from a third party (e.g., a retailer, or a commercial partner), or was generated internally by a business.

Yes.

An invitation to a conference or a trade show is generally considered a commercial solicitation. On the federal level, the CAN-SPAM Act does not require prior consent for a commercial email, only that it be clearly identified as an advertisement and include an unsubscribe link. It also prevents a company from using an email list that was generated by automated means,1 either by scanning and harvesting emails from websites or by generating email addresses by combining names, letters, or numbers into permutations. A company that buys an email list is still responsible for how it was created.

While the CAN-SPAM act pre-empts state laws that require opt-in consent before sending commercial emails, it does not preempt state laws that govern how companies collect email addresses.  As a result, while companies are permitted to send mass marketing emails concerning upcoming events to the extent that they intend to cull prospective attendees from various lists, that activity may trigger other state privacy laws.  For example, the CCPA requires that a company that collects an email address or any other personal information from a California resident distribute a privacy notice “at or before the point of collection.”2  The CCPA’s requirement is ambiguous as to whether a privacy notice must be provided only when the email address is collected directly from the resident, or whether it must be provided regardless of where the company obtains the email address.

Co-authored by Jason Schultz.

On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).

Assuming that the CCPA applies to a conference organizer (e.g., the organizer does business in California and meets the minimum revenue or data subject thresholds), nothing within the CCPA prohibits the organizer from collecting on-site tracking data, or using that data for third party marketing (e.g., to market the products or services of conference sponsors to attendees).  The CCPA would require that a conference organizer disclose that they are tracking attendee behavior as well as disclose their purpose for tracking – including the use of the data to market third party products and services.  While the disclosure might come in the form of a privacy policy provided to attendees, it could be less formal – such as via a poster or sign at check-in.  Conference organizers should also consider the following additional CCPA-related implications:

  • If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
  • An organizer may receive a request from an attendee for access to their information. In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
  • An organizer may receive a request from an attendee to delete their information. In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted.  For example, if the information is being collected for a purpose other than marketing – such as security at the conference – the organizer may be able to deny the request on those grounds.
  • If the organizer transfers the personal information to a third party, and allows that third party to use it for their own purposes (e.g., to directly market to California residents), the organizer would have to include a “Do Not Sell My Information” link on their internet home page1 and within any online privacy policies.2 Further, the organizer cannot discriminate against any attendees who opt not to have their information sold by offering them fewer benefits or charging higher prices.3

Co-authored by Jason Schultz

Loyalty programs are structured in a variety of different ways.  Some programs track dollars spent by consumers, others track products purchased.  Some programs are free to participate in, others require consumers to purchase membership.  Some programs offer consumers additional products, other programs offer prizes, money, or third party products.  All loyalty programs share several things in common, however – they collect information about consumers and they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, then its loyalty program will also be subject to the CCPA.  In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

Right, and its applicability to a loyalty program:

  • Privacy Notice: A loyalty program that collects personal information of its members should provide a notice that, at a minimum, discusses the type of information collected and the purposes to which it will be put.1
  • Access to Information (✓): A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.2
  • Deletion of information (X): Unless the terms and conditions of the loyalty program give the consumer the right to delete their account, or the right to delete information relating to their account, a company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.
  • Opt-out of sale (✓): A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information.

The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive – and complex – data privacy regulation in the United States.  The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects.  As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute.  While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects.  As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

Quick Overview

The right to be forgotten (sometimes called the right of erasure or the right to deletion) refers to the ability of a person to request that a company delete the personal information that the company holds about them.  The right to be forgotten is often misinterpreted as being an absolute right when, in reality, it only applies in a limited number of situations.

Comparison to Other Privacy Laws

The right to be forgotten is not a new concept and has long been a cornerstone of European data privacy law.  Indeed, the right was included within the Privacy Directive which was put into place in 1995 and carried over into the current GDPR.   Like the CCPA, the GDPR confers a limited right to be forgotten.  The following compares the exceptions to the exercise of the right under both laws:

Situations in which a company is not required to delete information, under the CCPA and under the GDPR:

  • Information is necessary to complete a transaction requested by the data subject or to perform a contract. CCPA: Deletion is not required. GDPR: Deletion is not required.
  • Information is necessary to detect security incidents. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.
  • Information is necessary to protect against deceptive, fraudulent or illegal activity. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.
  • Information is necessary to identify and repair errors. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.
  • Information is necessary to promote free speech. CCPA: Deletion is not required. GDPR: Deletion is not required.
  • Information is necessary for scientific, historical or statistical research in the public interest. CCPA: Deletion is not required. GDPR: Deletion is not required.
  • Information is necessary for internal uses of a company, if those uses are reasonably expected by consumers. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.
  • Information is necessary to comply with a legal obligation. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.
  • Information is used internally in a manner that is compatible with the context of the collection. CCPA: Deletion is not required. GDPR: Deletion may be required in some circumstances; may not be required in other circumstances.

While the majority of United States data privacy laws do not include a right to be forgotten, the Children’s Online Privacy Protection Act (“COPPA”) has an analogous provision.  COPPA regulates the online collection of information from children under the age of 13.  Pursuant to the rules implementing COPPA, parents have a right to review “or have deleted the child’s personal information.”  In addition to COPPA, California previously enacted what is often referred to as the “Eraser Button Law” that permits children under the age of 18 to delete or de-identify information that they posted online.

To Do List

To comply with the CCPA, companies should:

  • Review existing methods for submitting deletion requests to verify that they comply with the CCPA.
  • Review existing policies or procedures for authenticating individuals that make deletion requests.
  • If no authentication policy exists, draft an appropriate policy for authentication of individuals that make data subject requests.
  • Draft a “play book” that provides standard communications that can be sent to individuals that make deletion requests.
  • Train employees on how to handle deletion requests.
  • Verify that the policies in-place facilitate the fulfillment of deletion requests within the time period permitted by the statute.
  • Review protocols for deleting personal information.
  • Review technological capability for doing a “hard delete” (i.e., an irrevocable deletion) and a “selective deletion” (i.e., deleting one individual’s information without corrupting a larger information system).

How We Can Help

Companies across the globe have retained BCLP to draft their internal protocols for handling consumer requests for deletion, or to review existing protocols to spot any red flags that might be of concern to a court or a regulator.

Cross References

CCPA: Cal. Civil Code 1798.105(a), (d)(1)-(9)

GDPR: Recital 66; Article 17

The hastily drafted CCPA raises serious issues concerning the attorney-client privilege, work-product doctrine, and client confidentiality.  Drafted in approximately one week as a political compromise to address a proposed privacy ballot initiative,1 the CCPA contains provisions that are all too unclear regarding an attorney’s obligations to maintain client confidentiality and privilege.  Without further clarification from the legislature or the California Attorney General’s rulemaking process, this lack of clarity is likely to lead to litigation.

The crux of the problem lies in the CCPA’s broad reach and its vaguely worded exemptions.  The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request.  As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”2  While the legislature presumably intended to ensure that the CCPA did not require a business or its outside counsel to disclose privileged information, on its face the exemption is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.”  It expressly does not apply to obligations imposed by other sections of the CCPA, such as Sections 1798.100 or 1798.105.

Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege, work-product, and client confidentiality.  Section 1798.100 contains within it the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.3  Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”4  The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged, work-product, or confidential information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.

Other more general exemptions to disclosure in the CCPA could arguably apply, although it is unclear whether the legislature intended that these exemptions cover privileged, work-product, and confidential information of a client.  For instance, Section 1798.145(j) states that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers,” while Section 1798.145(a)(1) provides that “the obligations imposed on businesses by this title shall not restrict a business’s ability to … [c]omply with federal, state, or local laws.”5  A business or law firm faced with the question of whether it must disclose privileged, work-product, or confidential information may turn to these sections to argue that the CCPA should not supersede other state laws concerning privilege, work-product, or an attorney’s ethical obligations to maintain client confidentiality.6  However, a consumer seeking disclosure of the information may conversely argue that the more specific provision should govern over the general.  Because the specific exemption concerning evidentiary privileges (such as the attorney-client privilege) expressly does not apply to all sections of the CCPA, so the argument goes, these other more general exemptions should not apply either.

As a result of the lack of clarity in the statute, Bryan Cave Leighton Paisner, LLP has specifically requested that the California Attorney General issue rulemaking clarifying that privileged, work-product, and confidential information of a client is exempt from disclosure under all of the provisions of the CCPA.  Without rulemaking from the Attorney General or further clarification from the legislature, the CCPA otherwise leaves important issues that lie at the heart of the attorney-client relationship to the uncertainties of litigation.

The CCPA generally prohibits a business from “discriminat[ing]” against a consumer that chooses to exercise “any of the consumer’s rights” – including the right to be deleted.1  As a result, to the extent that a consumer’s name is included in a marketing list, and the act of deletion would deprive the consumer of an exclusive price, discount, or service offering, a business could be alleged to have “discriminated” against the consumer.

That does not, of course, mean that all marketing lists inevitably lead to discrimination when a deletion request is made.  Many – if not most – marketing lists are not structured to lead to a discriminatory outcome.  For example, a strong argument could be made that the following types of marketing lists would not cause discrimination when, or if, a consumer exercised a right to be deleted:

  • Discounts to join a marketing list. Many businesses offer consumers a discount for joining a marketing list (e.g., “Receive a 10% coupon when you join our mailing list”).  Incentivizing a consumer to join a marketing list does not “discriminate against a consumer” that has “exercised any of the consumer’s rights” under the CCPA.2  Specifically, if the consumer submits a deletion request after joining the marketing list, and their information is deleted, discrimination has not occurred unless the consumer is denied the ability to utilize the discount that they received when they initially joined (e.g., the 10% coupon).
  • Alerts of sales. Many businesses offer consumers the ability to sign up to receive emails or mailings that describe sales or promotions offered by the business (e.g., “Sign up and never miss our sales!”).  Notifying a consumer of upcoming sales does not “discriminate against a consumer” that has “exercised any of the consumer’s rights” under the CCPA.3  Specifically, if the consumer submits a deletion request after joining the program, and their information is deleted, discrimination has not occurred unless the consumer is denied the ability to avail themselves of the actual sale or promotion being offered.  To the extent that the sales or discounts are available elsewhere (e.g., on the company’s website, or in the company’s store), discrimination arguably has not occurred.

When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1  If the business decides to grant the request, the CCPA states only that the “specific pieces of personal information [the business] has collected about that consumer” should be produced.2  It does not mandate that all copies of the information be produced.  As a result, if a business collects information about a consumer, transmits a copy of that information to one or more service providers, but maintains the original information in its own files, it can satisfy the access requirements of the CCPA using its own copy and without flowing down the access request.

When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1  If the business decides to grant the request and provide the personal information in its possession, the CCPA does not specifically state that the business must also direct its service providers to produce the personal information that may be in their possession.  This contrasts with deletion requests where the CCPA expressly states that a business which intends to honor such a request must “direct any service providers to delete the consumer’s personal information from their records.”2

Although the CCPA does not expressly state that a business must direct its service providers to search for and produce information collected from a consumer, privacy advocates are likely to take the position that flowing down an access request is implicitly required for the following reasons:

  1. Service providers are an extension of a business.  The CCPA states that a service provider “processes information on behalf of a business.”3 To the extent that a service provider functions as an agent of a business, an argument could be made that a failure by the business to instruct the service provider to search for and produce information could constitute a violation by the business itself.
  2. The CCPA refers to access to the information “collected.”  The CCPA states that a consumer should be able to request access to the “specific pieces of personal information the business has collected.”4 To the extent that a business collects personal information and then transmits it to a service provider for storage or further processing, the personal information was still “collected” by the business and, therefore, may need to be identified and produced regardless of whether it currently resides with the business or with its service provider.
  3. Access requests under the European GDPR are typically flowed down. Like the CCPA, the European GDPR does not expressly state that a controller must flow down an access request to a processor.  In practice, however, it is well accepted in Europe that if a controller grants an access request it should flow down an instruction to its processors to provide the impacted personal information.  In turn, the GDPR requires processors to “assist[] the controller . . . [in] the fulfilment of the controller’s obligation to respond to requests for exercising data subject’s rights . . . .”5

The act of instructing service providers to provide personal information in response to a consumer’s request is often referred to as “flowing down” an access request, or an “access request flow down.”

Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners.  If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1

Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted.  There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners.  The little data that does exist, however, indicates that user acceptance rates are significantly greater when a user visits a website on their smartphone.  For example, in one study researchers placed the same cookie banner in the bottom-left corner of a website as viewed on a desktop and in the bottom-left corner of the same website as viewed on a smartphone.2 They found that desktop visitors accepted the banner 18.4% of the time, whereas smartphone visitors accepted the same banner 26.4% of the time.  When other variables were controlled the difference increased.  So, for example, when the banner was adjusted to present only two options – accept or decline – the acceptance rate increased to 45.6% for smartphone users while it remained around 20% for desktop users.3 The increase was likely caused by presenting options that were, from a user-experience perspective, easy to select on a smartphone.

A privacy notice typically discloses the following information to the public:

  • The categories of information collected from a data subject directly and from third parties about a data subject,
  • The purpose for which information is collected and used,
  • The extent to which the business tracks or monitors data subjects,
  • The extent to which the business shares the data subject’s information with third parties,
  • The standard by which the business protects the information from unauthorized access,
  • The ability (if any) of a data subject to request access to their information,
  • The ability (if any) of a data subject to request the deletion of their information,
  • The ability (if any) of a data subject to request the rectification of inaccurate information, and
  • The process by which a business will inform data subjects about changes in its privacy practices.

While the CCPA requires that a business that collects personal information about its employees disclose the first two categories of information “at or before the point of collection,” it does not require that all of the information typically contained in a privacy notice be disclosed to the employee at that time.1

The CCPA states that a business may offer “financial incentives, including payments to consumers as compensation, for the collection of personal information . . . .”1  If a financial incentive is offered, the CCPA requires the business to:

  • Notify the consumer of the financial incentive;2
  • Obtain the consumer’s “opt in consent” to the “material terms” of the financial incentive program;3 and
  • Permit the consumer to revoke their consent “at any time.”4

The CCPA also implies that a financial incentive that amounts to a difference in “price, rate, level, or quality of goods or services” might have to be “directly related to the value provided to the business by the consumer’s data.”5

Some retailers have expressed confusion about whether a loyalty program might be considered a financial incentive insofar as such programs typically offer differences in price, level, or quality of goods or services to their members.  The intent of most loyalty programs, however, is not to provide benefits “for the collection of personal information,” but to provide benefits in recognition of (or in exchange for) repeat purchasing patterns.  Any collection of information is ancillary to the purpose of the loyalty program and typically is used by the company either to administer the program or to track accrued benefits.  As a result, a strong argument could be made that most loyalty programs do not qualify as a payment for the collection of personal information and, hence, are not “financial incentive” programs.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

The scope of the right to be forgotten under the CCPA and the GDPR differ in three important ways.

First, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.1  As a result, if a business obtains information about a consumer from other sources (e.g., third party data brokers) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

In comparison, the right to be forgotten under the GDPR extends to data collected from a consumer directly and to data collected about the consumer from third party sources.

Second, under the CCPA a consumer can request that data be forgotten regardless of the purpose for which the data was originally collected.  In comparison, the GDPR extends the right to be forgotten only if one of the following six conditions is present:

  1. The data is no longer necessary.3
  2. The processing was based solely on consent.4
  3. The processing was based upon the controller’s legitimate interest, but that interest is outweighed by the data subject’s rights.5
  4. The data is being processed unlawfully.6
  5. Erasure is already required by law.7
  6. That data was collected from a child as part of offering an information society service.8

Third, the CCPA and the GDPR both contain exceptions where a business (or a controller in the language of the GDPR) is exempt from the deletion requirement.  As the chart below indicates, while those exceptions are similar, they are not identical:

Exception | CCPA | GDPR
1. Complete a transaction | Y9 | Y10
2. Detect wrongdoing | Y11 | Y/X12
3. Repair errors to data systems | Y13 | Y/X14
4. Free speech | Y15 | Y16
5. Exercise legal rights of the business, or establish a legal claim | Y17 | Y18
6. Research | Y19 | Y20
7. Internal uses aligned with consumer expectations | Y21 | X
8. Internal uses aligned with the context of collection | Y22 | X
9. Comply with legal obligations | Y23 | Y24
10. Public interest to support public health | X | Y25

Point of sale systems typically collect and retain information that is inherently “personal information” as defined by the CCPA, such as the customer’s name, address, phone number, email, and payment information.1 While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, together, create a strong argument that point of sale information does not need to be deleted. Although there is no “one size fits all” exception, the chart below outlines how each exception may apply to point of sale information.

Note that retaining point of sale information indefinitely is probably not defensible. Regardless of which exception a business relies upon, maintaining a current and enforceable record retention schedule can bolster the overarching argument that point of sale information should be retained notwithstanding a deletion request.

Exception: Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.2
Application: This exception applies to the extent that any portion of a transaction between the consumer and the business is not yet complete. For example, if the product is in transit, has not yet been shipped, has a product return or warranty period that has not yet expired, or has a contract term that has not yet expired, the business may be able to deny a deletion request for personal information stored in the point of sale records.

Exception: Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.3
Application: This exception is primarily relevant to online purchases. To the extent the personal information is necessary to prevent malicious or fraudulent activity through an online storefront, a business may be able to deny a deletion request for personal information stored in the point of sale records.

A brick and mortar business may also be able to rely on this exception if it maintains a loyalty program. To the extent personal information is needed by a loyalty program sponsor to protect against deceptive and fraudulent activity such as multiple accounts being created by a single consumer, or attempts to double count purchases or benefits, a strong argument exists for refusing a deletion request.

Exception: Debug to identify and repair errors that impair existing intended functionality.4
Application: This exception is primarily relevant to online purchases but may have applicability to brick and mortar stores depending on the type of point of sale system used. To the extent the personal information is necessary to identify bugs or errors in the point of sale system, a business may be able to deny a deletion request for personal information stored in the point of sale records.

Exception: Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.5
Application: Likely does not apply.

Exception: Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.6
Application: This exception applies if a business has received a government request for the personal information of an individual under the terms of the California Electronic Communications Privacy Act.

Exception: Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.7
Application: Likely does not apply.

Exception: To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.8
Application: This exception allows a business to deny a deletion request if it can show that the consumer expected the continued use of the information. Thus, any continued use that is outlined in the privacy policy or otherwise communicated to the consumer at the point of collection may be used as a defense to deletion under this exception.

An argument for this exception becomes considerably stronger if a business maintains a record retention schedule that is disclosed or referenced in the privacy policy.

Exception: Comply with a legal obligation.9
Application: A business may be able to rely on this exception to comply with financial and tax record retention laws or if an event has triggered a legal hold on document disposal.

Exception: Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.10
Application: This exception is extremely broad and arguably encompasses any business use of personal information that is compatible with the context in which the consumer provided the information. “Compatible” is defined as “capable of existing together in harmony,”11 so as long as the business’s continued use is not contradictory to the original collection, a deletion request may arguably be denied.

While personal information is generally subject to deletion requests, the CCPA provides nine exceptions which, depending on a company’s data processing and retention practices, may provide an argument that marketing information does not need to be deleted.

Marketing programs generally fall into one of two categories: 1) value accrual programs (i.e. loyalty programs and paid memberships), and 2) general advertising programs (i.e. email marketing or other coupon-based marketing).  Information in value accrual programs, such as loyalty programs, may not need to be deleted as many of the exceptions directly impact these types of programs.  For example, there is a strong argument that companies need to retain loyalty program information in order to detect wrongdoing and provide an agreed upon service. General advertising programs, on the other hand, have fewer exceptions due to the fact that they do not provide a reward in recognition of purchasing patterns.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer,1 if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its communications or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in or assist with the marketing program).  As this information was not collected “from” the consumer, it likely does not fall within the ambit of the deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, responses to emails, etc.), the CCPA allows a company to deny a deletion request if necessary to “enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.”2 This implies that a company that does not share its marketing information, and that publicly describes its internal purposes for retaining such information (e.g., for purposes of analytics or to comply with a retention schedule), may deny a request for deletion of that data. For example, a company whose privacy policy discloses that marketing-related data is retained for “x” amount of time may deny a deletion request to the extent the retention period has not lapsed, as the consumer arguably “expects” the company to follow its published retention schedule.

Note that the retention of marketing information does not mean that a company should continue to send the consumer marketing communications.  Presumably a consumer who requests that marketing-relating data be deleted intends that the company unsubscribe them from any marketing communications (if that intent is not clear, the company should consider clarifying the desire of the consumer).  It does mean, however, that a company may keep the information that it obtained from the consumer for internal purposes such as analytics concerning the effectiveness of past marketing campaigns, substantiation as to the consumer’s prior opt-in to marketing communications, or substantiation as to the consumer’s historic preferences (e.g., opt-out, unsubscribe, communication frequency, etc.).

The CCPA requires that a business that collects a consumer’s personal information provide the consumer “at or before the point of collection” certain information regarding what will be collected, the purpose of the collection, the business’s sale practices, and where the consumer can find the business’s privacy notice.1

The regulations implementing the CCPA clarify that the requirement to provide a “notice at collection” only applies, however, when a business collects personal information “from the consumer.”2 In situations in which a business collects personal information about a consumer, but collects the personal information from a third party, the regulations implementing the CCPA make clear that the business “does not need to provide a notice at collection” so long as the business does not intend to sell the personal information.3 If the business intends to sell the personal information, a notice at collection is still not required if the business complies with California’s rules regulating data brokers.4

The CCPA requires that a business that collects a consumer’s personal information provide the consumer “at or before the point of collection” certain information regarding what types of personal information will be collected, the purpose of the collection, the business’s sales practices, and where the consumer can find the business’s privacy notice.1  That notice must be communicated in a manner that is intended to be “understandable to consumers.”2

In order to facilitate the ability of consumers to understand the notice that is provided at the point at which personal information is collected, a business is required to communicate in the “language in which the business in its ordinary course provides contracts, disclaimers, sales announcements, and other information to consumers in California.”3 As a result, if a business typically advertises, contracts, and communicates with consumers in English and Spanish, then it should notify consumers regarding the type of personal information that it intends to collect in both languages.  Conversely if a business ordinarily communicates with consumers only in English its notice at collection can be provided only in English.

The CCPA requires businesses that sell personal information to, among other things, explain that consumers have a “right to opt-out” of the sale,1 and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes the consumer to a mechanism that permits the exercise of the opt-out right.2  If a business does not sell personal information, and if the business affirmatively states that it does not sell personal information in its privacy notice, it is not required to provide a “notice of right to opt-out” or post the “Do Not Sell” link.3

The majority of United States federal privacy laws do not include a right to be forgotten.  Those that do – such as the Children’s Online Privacy Protection Act – only require that an organization which receives a right to be forgotten request delete the personal information in its possession and direct that its service providers do the same.  COPPA does not require that an organization that receives a right to be forgotten request forward the request to third parties with whom it has shared information.

In California the CCPA requires that (in certain situations) a business “delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.”1  In situations in which a business has shared a consumer’s personal information with another business or a third party, the CCPA does not require business A to inform business B that a deletion request has been received. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

In comparison, under the European GDPR when a controller receives a right to be forgotten request, and determines that it is required to delete information about an individual, the controller must “take reasonable steps” to “inform [other] controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”3  It is unclear based upon the text of the GDPR whether this requirement requires controller A to notify controller B that the data subject has requested controller A to erase data, or whether the requirement requires controller A to notify controller B that a data subject has requested erasure by both controller A and B.

The CCPA applies to the personal information of California employees of a business that is subject to the statute.  The specific rights afforded to employees were set to phase in over the course of 2020.

Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” 1  While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures.  These only apply to employee-privacy notices beginning on January 1, 2021.  The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:

Privacy Notice Disclosures Required as of January 1, 2020 in All Privacy Notices (e.g., employee and non-employee)

  1. Identify the enumerated categories of personal information collected.2
  2. Identify the general purpose for which information will be used.3

Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices

  1. Explain the ability of a California resident to request access to their personal information.4
  2. Identify the enumerated categories of personal information shared with service providers.5
  3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6
  4. State that a California resident has the ability to opt out of the sale of information (if applicable).7
  5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8
  6. Explain the ability of a California resident to request deletion of their personal information.9
  7. Provide general information concerning the sources from which personal information was collected.10
  8. Provide general information concerning the third party recipients of personal information.11
  9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12
  10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13
  11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14
  12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15

The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents.  In essence, it can be thought of as a “short form” privacy notice.  After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.

The CCPA requires that a business subject to the Act disclose the type of personal information that it collects about its California employees and the purpose of the collection “at or before the point of collection.”   The CCPA does not, however, require that such information be presented in a separate employee-specific privacy notice.

While some employers choose to create a stand-alone privacy notice that applies to employees, other employers choose to include disclosures concerning their collection and use of employee data as part of the broader privacy notice that they provide to clients, customers, and business partners, which discusses all of the business’s data-related practices.


The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1  As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.

While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020.  Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2  These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3  They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.4  Employees’ personal information was exempted from the other provisions of the CCPA (e.g., access rights, deletion rights, sale rights, etc.) until January 1, 2021.5


The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the CCPA exempt businesses from having to disclose privileged communications?
Yes and no.

The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline on page 2 of BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the CCPA intentionally, or unintentionally, is at best ambiguous, or at worst leads to unintended results. One of those areas deals with attorney-client communications.

The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”1 While the exception presumably was intended to ensure that the CCPA did not require a business or an attorney to disclose privileged information, on its face it is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.” More specifically, on its face it does not apply to the obligations imposed by other sections of the CCPA including Sections 1798.100 or 1798.105.

Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege. Section 1798.100 contains within it the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.2 Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”3 The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.

Judicial interpretation (or intervention) may be needed to clarify whether the access and deletion rights of the CCPA are preempted by another federal, state, or local law that guarantees the confidentiality of attorney-client communications. Similarly courts may need to determine whether an access or deletion request could be refused based upon the exception within the CCPA that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers.”4

Federal law sometimes requires that companies obtain consent prior to sending marketing communications to business contacts identified during conferences and trade shows.  In addition to any consent requirement required under federal law, the CCPA imposes the following additional requirements when information is collected from California residents: 1

Note that to the extent that the business contact or prospect is an “employee, owner, director, officer, or contractor” of a company, some of the requirements of the CCPA may be deferred until 2021.2 Whether the requirements are, or are not, deferred, however, may depend upon whether the marketing communication relates to “due diligence regarding,” or “providing or receiving a product or service.” While the deferral should extend to marketing communications relating to future products or services, it is possible that a privacy advocate might argue that marketing is neither due diligence regarding, nor the actual provision of, a product or service.

The CCPA states that a business “may []offer” different prices or rates to consumers if those prices or rates are “directly related to the value provided to the business by the consumer’s data.”1 Interestingly, the CCPA does not prohibit a business from the opposite activity.  In other words, it does not state that a business is prohibited from offering different prices or rates if the benefits of a loyalty program are not directly related to the value provided to the business.

The CCPA makes clear that a business can offer different prices or rates to consumers as part of a financial incentive program if those different prices or rates are “directly related to the value provided to the business by the consumer’s data.”1  The CCPA does not, however, directly prohibit the offering of a financial incentive if the value provided to the business by the consumer’s data is not “directly related” to the value of the financial incentive.

The CCPA also states that a business may not, through a financial incentive program (or any other activity), discriminate against a consumer because the consumer “exercised any of [their] rights” under the CCPA (e.g., access, deletion, or opt-out of sale), unless the difference in price, rate, or quality that forms the basis of the discrimination is “reasonably related to the value provided to the business by the consumer’s data.”2

In commentary published with the issuance of the regulations implementing the CCPA, the California Attorney General informally suggested that the Act might be interpreted as requiring that the benefit provided by all loyalty programs should be “reasonably related to the value of the consumer’s data to the business.”3  The California Attorney General did not explain, however, the basis for his assertion, and such a position would directly conflict with the text of the CCPA (described above) which applies the “reasonable relationship” test only to situations in which “discriminat[ion]” is prompted by the “exercise[] . . . of the consumer’s rights.”4 Furthermore, in other statements made by the Attorney General, he concedes that the “reasonable related” standard applies only in the context of discrimination.5

As a result, there is a strong argument that the price or rate discounts offered through a loyalty program do not need to be reasonably related to the value that a business derives from data, so long as the business does not discriminate against a consumer that attempts to exercise a privacy right.

Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners.  If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1

Companies often struggle with how to display a cookie banner given the complexities of conveying information to individuals that may lack technical expertise, and “banner fatigue” – i.e., the fact that website visitors are presented with so many pop-ups and banners that they often do not spend the time to read banners that appear before closing them.

There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly affected by where a cookie banner is placed on a screen. For example, in one study researchers randomly placed the same cookie banner at the top, the top-left, the top-right, the bottom, the bottom-left, and the bottom-right of a website and then observed how 14,135 website visitors interacted with the banner.2 They found that when the banner was placed in a “bar” at the top of the page approximately 1.8% of visitors accepted cookies. When the same banner was placed on the bottom-left of the screen the acceptance rate jumped to 18.4%. While the researchers did not probe the cause of the difference, they suspected that the bottom-left placement was more likely to cover the main content of a website (in comparison, notices shown at the top often hide only design elements), and that website visitors were accustomed to the left-to-right directionality of Latin script. Both factors may cause viewers to interact with a cookie banner at the bottom left.

The GDPR confers a right (albeit a limited one that is subject to exceptions) for individuals to request that a controller erase all of the personal data concerning them.1 In contrast, the CCPA states only that people have a right to request that a business delete personal information about the consumer “which the business has collected from the consumer.”2 That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3

As a result, if a business receives a deletion request under the CCPA there is a strong argument that the business is permitted to keep information about the consumer that:

  • It developed itself (e.g., its prior transactions or experiences with the consumer), or
  • It received from third parties (e.g., lead-lists, consumer reports, etc.)

When the CCPA was enacted last year BCLP published a Practical Guide to help companies reduce the requirements of the Act into practice. Following publication of the Guide we wrote a series of articles that addressed companies’ most frequently asked questions concerning the CCPA. The Guide, and the FAQ series, contributed to JD Supra naming BCLP as the 2019 “Top” law firm in the area of Data Collection & Data Use (i.e., data privacy).

There is a great deal of confusion surrounding what impact the CCPA will have on the use of cookies – and in particular third party behavioral advertising cookies. In order to address that topic, we have collected our cookies-related FAQs and have republished them here as a “handbook” that companies can use when trying to understand the impact that the CCPA will have on their use of first and third party cookies, as well as behavioral advertising networks. The articles also help explain the impact that the CCPA will have on the AdTech world in general. We hope that you find this a valuable resource.

Handbook of FAQs Cookies

Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1  Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.

While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:

  1. Computer log-in notice.  Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
  2. Email.  Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
  3. Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
  4. Open enrollment.  Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
  5. Paper Distribution.  Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).

It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.2 As a result, if some employees cannot use a given format because of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution) it may still need to post an electronic copy of the privacy notice “online.”3

The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.

Beginning in 2020, the CCPA required that businesses subject to the Act provide job applicants with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1  Beginning on January 1, 2021, employers are required to include twelve additional topics in privacy notices given to job applicants.

While the CCPA does not dictate the manner in which a privacy notice should be distributed to job applicants, many employers consider using one or more of the following distribution techniques:

  1. Homepage.  Some employers include references to the personal information collected from job applicants in a unified privacy notice posted on the company’s homepage in a persistent footer.
  2. Online application submission form.  Businesses that solicit applications through an online submission form often add a link to the privacy notice that describes the collection of information from job applicants on the form submission page.
  3. Email.  Some employers email a copy (e.g., PDF) of the privacy notice that applies to job applicants to each candidate that submits an application.
  4. URL on paper applications. Some employers that accept paper job applications include a reference to where the applicant can find a full copy of the business’s privacy notice on the paper application form.
  5. Copy on paper applications.  Some employers include a copy of either the full privacy notice, or a short form privacy notice, on any paper application forms.

It is important to note that regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to job applicants with disabilities.2  The Modified Proposed Regulations also imply that if a business elects to distribute a privacy notice in hard copy (e.g., copy on the back of a paper application), it may still need to post an electronic copy of the privacy notice “online.”3

The CCPA requires that a company allow Californians to access the information held about them, or, in some situations, request that the information that they provided to a company be deleted.  In order to access or delete their information, a consumer must submit a “verifiable consumer request.”1  While the term implies that a business must take steps to “verify” that the individual who has made a request is indeed the person about whose information they would like the company to take action, the CCPA does not specify what steps it considers to be sufficient (or that it considers to be inadequate) to accomplish the verification.  Rather, the Act directs the Attorney General to adopt regulations to help guide companies on how to accomplish consumer verification.2  If the Office of the Attorney General has not finalized regulations by the time that the CCPA goes into force, many businesses are likely to apply a sliding scale verification process under which they establish higher-threshold steps needed for verification (e.g., government issued ID) when a request might permit access to sensitive consumer information (or the deletion of important consumer data) and lower-threshold steps needed for verification (e.g., confirmation to an email address previously on file) when a request would permit access only to low-sensitivity consumer information (or the deletion of relatively unimportant consumer data). That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3

In comparison, in Europe the Article 29 Working Party – the predecessor to the European Data Protection Board – recognized that while there “are no prescriptive requirements to be found in the GDPR on how to authenticate the data subject,” controllers have an obligation to “strongly ascertain” the identity of a data subject before responding to a request regarding information.3 While in some situations, verifying the email address of a data subject (e.g., sending a communication to the data subject at the email address that a company has previously associated with the individual) may be sufficient to “strongly ascertain” identity, in other instances it would not. Specifically, email verification has well-known weaknesses with respect to impersonation, and supervisory authorities have advised controllers that they should not assume that a data subject is who they say they are based upon the mere fact that an “email address matches the company’s records,” and have advised gathering “further information” prior to responding to the data subject’s request.4 In the United Kingdom, the Information Commissioner’s Office published a ‘Subject Access Code of Practice’ which provided guidance on (amongst a multitude of other things) how to confirm a requestor’s identity. In short, the Code recommended asking only for enough information to judge whether the person making the request is the individual to whom the personal data relates. What is reasonable may be circumstance specific. For example:

  • If a company receives a written request from a current employee who is personally known, a phone call may be sufficient to confirm the identity of the requestor. It would likely be unreasonable to ask them for additional proof of identity.
  • If a company receives a request by email, and in that email the requestor provides an address which does not match the address a company has on record, it would be reasonable to confirm another detail which the company holds on record.

The means by which the request is delivered may also affect a company’s decision about how far it needs to go to confirm the requestor’s identity. For example, if a request is made from an email account with which a company has recently corresponded with the requestor, it may be reasonable (particularly if the personal information kept has no sensitivity) to assume that the request has been made by the requestor. On the other hand, if the request is made via a social networking website or on blank letter paper, it may be more prudent to check whether it is a genuine request.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

The CCPA states that a business may not “use personal information” that is collected for one purpose for a different purpose without “providing the consumer with notice” of the new use.1 The regulations implementing the CCPA, however, expand upon the notice requirement.

According to the regulations, if a new use is “materially different” from former uses (about which a consumer was notified), a business must not only send notice to the consumer of the new use, but also “obtain explicit consent from the consumer to use [the personal information] for this new purpose.”2 At the same time, the California Attorney General has recognized that if a new use is not materially different from a former use, a business is neither required to notify consumers nor to obtain their consent.3

The CCPA generally prohibits a business from “discriminat[ing]” against a consumer that chooses to exercise “any of the consumer’s rights” – i.e., the right of access, the right of deletion, or the right to opt out of the sale of information.1  An exception to the rule against discrimination arises if a company provides a different price or a different level of service and the difference is “reasonably related to the value provided to the business by the consumer’s data.”2  When that occurs, the CCPA requires that the business “notify consumers of the financial incentives” that are offered, and approximate that the discriminatory “difference is reasonably related to the value provided to the business by the consumer’s data.”3

Unlike situations in which a company discriminates against a consumer that is exercising a privacy right, when a financial incentive is tied to the collection of consumer information the CCPA states only that a business must notify consumers of the financial incentive and comply with the general notice obligations found within the CCPA that apply anytime personal information is collected.4  While a business is required to notify a consumer of any “material terms” that may relate to the financial incentive, it is not required to estimate the value of the financial incentive or show that the value relates to the value of the data to the business.5 

Pursuant to Cal. Civ. Code Sections 1798.100(a) and 1798.110(a) and (b), a consumer has a right to request, and a business that “collects personal information about a consumer” has an obligation to disclose and deliver upon a verifiable request, “the specific pieces of personal information the business has collected.” To the extent it is not readily apparent from the specific pieces of personal information disclosed, a business must additionally disclose (1) the categories of personal information the business has collected about the consumer; (2) the categories of sources from which the personal information was collected; (3) the business or commercial purpose for the collection; and (4) the categories of third parties with whom the business shares the personal information.

A business responding to a verified data subject access request must disclose the personal information collected about the consumer in the 12-month period preceding the business’s receipt of the access request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.1

A consumer’s right to deletion is subject to a number of exceptions.  One of these exceptions is to “comply with a legal obligation.”1 Thus, where retaining personal information of a consumer is necessary to comply with a legal obligation, the business is not required to honor the data subject request.  The CCPA does not identify, restrict, or qualify the type of legal obligation that triggers the exception.  Thus, it is likely, though not certain, that a requirement to maintain personal data under foreign law would trigger the exception, such that a business would not be obligated to delete the personal data subject to the foreign law.

This is in marked contrast to the GDPR’s relationship with United States law. The GDPR states that a company does not have to honor a request to be forgotten if the processing is necessary for “compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.” Many companies assume that they can use this exception if they are required by United States law to retain data. Unfortunately, the Article 29 Working Party (now the European Data Protection Board) – an influential, independent advisory body to the European Commission on data protection matters that was chiefly comprised of representatives from each Member State’s supervisory authority – has implied that United States law cannot justify ongoing processing.

As an initial matter, employees that are residents of California will not qualify as full “consumers” under the law until January 1, 2021.  Pursuant to an amendment to the CCPA enacted in 2019, the title shall not apply to “[p]ersonal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.”1  As of the date of this writing, this provision will expire on January 1, 2021, and employees will be considered full “consumers” under CCPA on that date.

That said, assuming that employees are consumers, there are a number of exceptions to the consumer’s right to deletion that may be applicable. Specifically, the business may argue that the employee’s request for deletion cannot be granted based on one or more statutory exceptions outlined above. In particular, the business may argue that it has a legal obligation to retain the data, and that the data is required to carry out a transaction with the employee.2 This list is by no means exhaustive. Finally, it should be noted that even apart from the specific exceptions to the consumer’s right to deletion articulated in section 1798.105 of the CCPA, the business also is not required to take any action that would violate other state or federal obligations imposed upon it, including federal employment laws.3

The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2  The statute reiterates that access is limited to a 12 month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear, from this text, whether the legislature intended that a company provide access only to data that was collected during the 12 month lookback period, or provide access to data that was held by the company during some portion of the 12 month lookback.

There are a number of laws within the United States that require companies to provide people with a notice concerning the company’s privacy practices – a document that is often interchangeably referred to as a “privacy notice,” “privacy policy,” or “information notice.” On the federal side these include the Gramm Leach Bliley Act (“GLBA”), which requires financial institutions to provide privacy notices to customers, the Health Insurance Portability and Accountability Act (“HIPAA”), which requires health care plans, health insurers, and health care providers to provide privacy notices to patients, the Family Educational Rights and Privacy Act (“FERPA”), which requires educational institutions that receive federal funding to provide privacy notices to students and parents, and the Children’s Online Privacy Protection Act (“COPPA”), which requires that websites which collect information from children provide a privacy notice to parents. A small number of states have also enacted statutes that require websites which collect information from state residents to provide a privacy notice concerning their online privacy practices, and companies that collect Social Security Numbers to provide a privacy notice specific to their collection and use of that data.1

The various statutes that mandate privacy notices in the United States share a common core; almost all of them require that a company:

  1. Identify the categories of information collected,
  2. Disclose the process (if any) for individuals to request changes to their information,
  3. Disclose how the organization notifies individuals of material changes to the privacy policy, and
  4. Disclose the effective date of the privacy policy.

Beyond this common core the various United States laws have differing requirements. For example, some state laws require that companies disclose whether or not they honor automated privacy preferences broadcast by users’ browsers, while other laws require that companies disclose certain rights of the data subject. It is worth noting that none of the existing United States privacy laws include all of the substantive components of the CCPA; how far away a company’s existing privacy notice is from the CCPA’s requirements depends upon the context in which it was drafted, what other United States laws it was intended to satisfy, and whether it incorporated certain “best practices.” That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.2

The following chart indicates which requirements of the CCPA are likely (Y), or are not likely (X), to be found in a United States based privacy notice:

      Required Privacy Notice Disclosure                                   CCPA   Most other US Privacy Laws
  1.  Ability to opt-out of sale of information                            Y      X
  2.  Access rights of individuals                                         Y      X
  3.  Categories of personal information shared with service providers     Y      X
  4.  Categories of personal information sold to third parties             Y      X
  5.  Contact information for company                                      Y      Y
  6.  Erasure rights of individuals                                        Y      X
  7.  Identify specific categories of data fields collected                Y      X
  8.  Purpose for which information will be used                           Y      Y
  9.  Sources from which personal information was collected                Y      X
  10. Third party recipients of information                                Y      Y
  11. Toll free telephone number for submitting requests                   Y      X
  12. Types of personal data collected                                     Y      Y

When investigating a data security incident, companies are often focused on determining whether there has been unauthorized access to, or acquisition of, personal data, and, if so, which data subjects were impacted. As part of that investigation, companies typically create records that indicate which data subjects were, or were not, impacted by the incident, and attempt to create copies of the records that might have been impacted.

If a company notifies individuals about a data breach, it is not uncommon for some portion of the notified individuals to request that the company delete the information held about them.  Such requests raise an inherent conflict.  On the one hand, the data subject may no longer wish their information to be in the hands of the company – particularly if they perceive that the company’s security may be inadequate or may have contributed to the data breach.  On the other hand, the company has a strong interest in maintaining records relating to the security incident.  For example, if a data subject were to bring an action against a company for damages as a result of the security incident, the company has an interest in being able to refer to its internal records to determine if the data subject’s information was involved in the incident, and, if so, what types of data fields may have been impacted.  Similarly, if a third party is responsible for a data breach, a company may need the evidence (in an unaltered and authenticated state) in order to bring suit against the third party, or to aid in a criminal prosecution against the individual.  The GDPR resolves the conflict by allowing a company to keep personal data – despite a data subject’s request that it be deleted – if data is “necessary . . . for the establishment, exercise or defence of legal claims.”1

In some circumstances, data relating to a breach may no longer be necessary for the purpose of establishing a claim or defense (e.g., if the attacker has already been prosecuted, or the statute of limitations for a third party to bring a claim relating to the incident has expired).  In such situations, whether a company must comply with a deletion request depends on the context of a particular incident and whether one of the following criteria applies:

  1. Companies must delete data upon request if data is no longer necessary.  If the personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.2 As a result, if the company no longer needs the data to establish a legal defense or claim, and the data is no longer necessary for the purposes of its original collection, the request to delete should be honored.
  2. Companies must delete data upon request if the data was processed based solely on consent. If a company’s sole basis for processing data was the consent of the individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible purpose (e.g., performance of a contract) the right to be forgotten request does not necessarily have to be granted.
  3. Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. When processing is based upon a company’s legitimate interest, a data subject has a right to request deletion unless the interest of a controller or a third party is demonstrably “overriding.”3 Whether the company’s interest in continuing to keep the information, or the data subject’s interest in having it deleted, controls may depend on the precise reasons both parties have for keeping (or deleting) the information.

Like the GDPR, the CCPA contains an exception that permits a company to refuse a deletion request if the information is needed to “[e]xercise or defend legal claims.”4  The CCPA also contains an exception that permits the retention of the information if it is “necessary” to “prosecute those responsible for” a security incident,5 if it is needed for “internal uses that are reasonably aligned with the expectations of the consumer,”6 or if it is necessary for the business to use it internally in a manner that is “compatible with the context in which the consumer provided the information.”7

There are various United States federal and state laws that require companies to provide privacy notices.  While each of those statutes differs in terms of how fast the notice must be provided, most require that the notice be provided at the time that information is collected from a data subject (in situations in which a business collects information directly from an individual), or at the time that a business establishes a relationship with an individual.1  The requirement to provide a privacy notice is triggered in other statutes once the business anticipates making certain uses or disclosures of the individual’s information.  For example, under the Gramm Leach Bliley Act (“GLBA”) a financial institution is not required to provide a privacy notice to a consumer (i.e., someone with whom the financial institution does not have a customer relationship), unless the institution anticipates disclosing the individual’s information to a nonaffiliated third party.  In such a situation, the privacy notice must be provided “before” the disclosure occurs.2

In the context of the California CCPA, a business is required to disclose certain privacy practices “at or before the point of [the information’s] collection.”3 There is inherent ambiguity whether this provision applies only to situations in which information is collected directly from a data subject, or whether it also applies to situations in which a business obtains information about a data subject from a third party.

In comparison to United States law, under the European GDPR, if a company collects information directly from an individual and is required to provide that individual with a privacy notice, the notice should be provided “at the time when personal data [is] obtained.”4 If a company collects information from a third party source (e.g., a public source or from a data broker) and is required to provide an individual with a privacy notice, it should provide the notice at the earliest of the following three situations:

  1. When the company first communicates with the data subject,
  2. When the company transfers the individual’s information to a third party, or
  3. Within one month of having obtained the information.5

Although the CCPA indicates that consumers “have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer,” that right is not absolute.1

As a threshold matter, the CCPA states only that a business may have to delete the information that it obtained “from” the consumer.2  As a result, if a business obtains information about a consumer from other sources (e.g., third party data companies) or develops the information from its own experiences with the consumer (e.g., transactional information), arguably that information does not have to be deleted pursuant to a deletion request. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3

Even in situations in which a consumer provides information directly to a business, the CCPA provides ten exceptions pursuant to which a business can refuse a deletion request:

  • Complete a transaction. If personal information is collected because it is necessary for a business to complete a transaction with the consumer, or provide a product or services to the consumer, or is part of the business’s ongoing relationship with the consumer it does not need to be deleted.4
  • Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.) it does not need to be deleted.5
  • Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality” it does not need to be deleted.6  It should be noted that the CCPA, and the legislative history leading up to the CCPA, do not explain what use-cases may fall under this exception.
  • Free speech. If personal information collected from a consumer relates to the free speech of the business, or the free speech of another Californian, it does not need to be deleted.7
  • Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law” it does not need to be deleted.8
  • CalECPA Compliance. If personal information collected from a consumer is needed in order for the business to comply with the California Electronic Communications Privacy Act it does not need to be deleted.9
  • Research. If personal information collected from a consumer is needed to engage in research, whether that research is public, peer-reviewed scientific, historical, or statistical, it does not need to be deleted. Note, however, that in order to qualify for this exception the deletion of the information may need to impair the integrity of the research.10
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.11 Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business or at the time that they made a deletion request, presumably the relevant time period is when the consumer provided the information to the business, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they had/have no continued expectation of use). Furthermore, there is uncertainty as to whether a California court would evaluate the expectations of the consumer using a subjective standard or an objective standard.
  • Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” then the information does not need to be deleted.12 While this exception is similar to the previous exception, unlike the previous exception the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection.
  • Comply with legal obligations.  If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer), the business is not required to delete the information.13

The term “personal information” is defined by the CCPA as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1 While the Act provides a list of examples of personal information, which explicitly includes “Internet Protocol Address,” it qualifies the examples by stating that they only fall within the definition of personal information if they identify, relate to, describe, are “capable of being associated with,” or “could reasonably be linked” with a particular person.2 There is a strong argument that a dynamic IP address (which is assigned to different computers at different times) may not fall within the definition of “personal information” under the CCPA, as it may not be capable of being reasonably linked with a particular person. There may also be an argument that many static IP addresses may not be “reasonably” linked to a consumer if they are not combined with other information that would permit the easy identification of that consumer.

Assuming that a court or a regulator were to determine that a particular IP address did fall under the definition of “personal information,” and a consumer were to make a right to be forgotten request in connection with that IP address, the right to be forgotten is not absolute.3 The CCPA provides ten exceptions pursuant to which a business can refuse a deletion request.4 Of those ten exceptions, the following are most likely to apply to a request that a company delete an IP address from its weblogs:

  • Detect wrongdoing. If personal information is collected from a consumer because it is needed to detect security incidents, or protect the business against illegal actions (e.g., fraud, deception, etc.), it does not need to be deleted.5  To the extent that a company maintains a weblog to identify potential malicious activity impacting its website (e.g., hacking, unauthorized attempts to access information, patterns of suspicious activity, possible denial-of-service attacks, etc.), this exception could be asserted to deny a deletion request.
  • Repair errors. According to the CCPA, if personal information is necessary to “[d]ebug to identify and repair errors that impair existing intended functionality,” it does not need to be deleted.6  To the extent that a company maintains a weblog that contains IP addresses as part of its effort to identify and debug errors that may be occurring on its website (e.g., faulty page loads, broken links, etc.), this exception could be asserted to deny a deletion request.
  • Exercise legal right. If personal information collected from a consumer is needed for the business to “exercise another right provided for by law,” it does not need to be deleted.7  To the extent that a company maintains a weblog as part of its right to communicate with third parties and/or a right to understand the identity of those third parties that attempt to communicate with it, this exception might be asserted to deny a deletion request.
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.8  Note that, while the statute does not explicitly state whether a California court should look to the “expectations of the consumer” at the time that they provided the information to the business, presumably that is the relevant time period, as any other interpretation might render the exception a nullity (i.e., a consumer is likely to argue at the time of making a deletion request that they have no continued expectation of use).  To the extent that a consumer would expect the company to collect IP addresses (e.g., such collection was disclosed as part of a privacy notice, or such collection has become industry standard practice), this exception might be available to deny a deletion request.
  • Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” then the information does not need to be deleted.9 While this exception is similar to the previous exception, unlike the previous exception, the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. Again, in the context of IP addresses, if a company uses IP addresses in the context in which the consumer provided the information (e.g., as disclosed in a privacy notice), this exception might be available to deny a deletion request.
  • Comply with legal obligations. If personal information collected from a consumer is needed to comply with a legal obligation (e.g., a statute that requires that the business maintain documentation relating to the consumer, a preservation hold issued as part of legal process, or a statute that requires that a company maintain weblogs as part of its overall security), the business is not required to delete the information.10 In the context of IP addresses, if a company is required by law to maintain certain records, such as a weblog for security or audit trail purposes, this exception may be available to deny a deletion request.

The CCPA states only that a business may have to delete the information that it obtained “from” the consumer that submits the right to be forgotten request.1 As a result, if a business obtained information from two consumers that reside in the same household, and receives a right to be forgotten request from one of those consumers, it does not need to delete the information that it obtained from the other consumer. As an example, if two individuals in the same household signed up to receive advertising from a retailer by mail, and one of those individuals exercised their right to be forgotten, the retailer could continue to send advertisements to the second individual.

The CCPA does not specifically state that a right to be forgotten request is, itself, exempt from the obligation to delete a consumer’s information, but maintaining the right to be forgotten request would arguably fall under one of the following exceptions:

  • Detect wrongdoing. The CCPA states that information does not need to be deleted if it is necessary to “protect against malicious, deceptive, fraudulent, or illegal activity.”1  To the extent that maintaining records of individuals that have submitted right to be forgotten requests is needed in order to protect against deception, the request, itself, can be maintained.  For example, many retailers may need to keep a notation of who has submitted a right to be forgotten request in order to ensure that bad actors that are later suspected of illegal activity (e.g., identity theft, misdirection of orders, etc.) have not covered their tracks via the submission of deletion requests.
  • Internal uses aligned with consumer expectations. If personal information collected from a consumer will have “solely internal uses” for the business, and if those uses are “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business,” the information does not need to be deleted.2 Arguably the retention of a right to be forgotten request may align with the consumer’s expectation that the business not only processed the request, but keeps the amount of records necessary to be accountable for the request in the future. It’s important to note, however, that the statute does not state whether a California court should evaluate the expectations of the consumer using a subjective standard or an objective standard. If a court were to apply the latter standard, then whether or not this exception applies could differ depending upon the expectations of each individual that submits a deletion request.
  • Internal uses aligned with the context of collection. If personal information collected from a consumer will be used “internally” and in a manner that is “compatible” with the “context in which the consumer provided the information,” then the information does not need to be deleted.3 While this exception is similar to the previous exception, unlike the previous exception the use need not be aligned with the consumer’s expectations so long as it is compatible with the context of the original collection. An argument could be made that maintaining records demonstrating when a deletion request was received, and how a business responded to the request, is inherently “compatible with the context” of the request itself.

In comparison, the GDPR sets forth five exceptions to the right to be forgotten.4 One of those exceptions is where personal data is “necessary: . . . for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject.”5 Article 5(2) of the GDPR requires that a controller “be able to demonstrate compliance with” the GDPR’s principles for processing data. One of those principles is that the controller process data “lawfully, fairly, and in a transparent manner in relation to the data subject.”6 Another principle is that personal data be kept “for no longer than is necessary for the purposes for which the personal data [was] processed.”7 A company could argue that retaining a right to be forgotten request, and a log of the actions taken in response to that request, is necessary to comply with the requirement within the GDPR that the company be able to demonstrate its lawful processing. Another exception exists where “processing is necessary: . . . for the establishment, exercise or defense of legal claims.”8 A company also could argue that retaining a right to be forgotten request, as well as its response to such request, is necessary to defend against a claim by the data subject that the company failed to comply with the right to be forgotten.

The CCPA grants to consumers “the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”1  Nothing within the CCPA prohibits a business from collecting new or additional personal information about the same consumer in the future.  Indeed, if a business attempted to treat a right to be forgotten request as a persistent instruction not to collect information, it would lead to absurd results.

First, a business would have no way of applying the consumer’s instruction unless the business kept a record of the consumer’s preference.  Of course, such a record would, in and of itself, constitute personal information that the business failed to delete at the request of the consumer.

Second, if a business treated a right to be forgotten request as persistent, the business would most likely be preventing the consumer from utilizing the products or services of the business in the future, as to do so might entail future collections of personal information.  Such an interpretation would not only be gratuitous, but it would violate the anti-discrimination prohibition within the CCPA under which a business is not permitted to “deny[] goods or services to the consumer” because “the consumer exercised” a right conferred by the Act.2

The net result is that a right to be forgotten request should be viewed as a request made at a specific point in time and should not be interpreted as indicating a persistent, ongoing, or continuous instruction by a consumer to delete information collected about the consumer in the future.

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. If a data subject submits an access or deletion request directly to a service provider, is the service provider required to respond to the data subject? 

The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (You can find a timeline that illustrates the CCPA’s history and development on page 2 of BCLP’s Practical Guide to the CCPA.) Given its hasty drafting, there are a number of areas in which the act, intentionally or unintentionally, is at best ambiguous and at worst leads to unintended results. One of those areas involves how a service provider should respond to a request by a consumer to access or delete their information.

The CCPA states that a consumer has the right to request that a “business that collects a consumer’s personal information” disclose the “specific pieces of personal information . . . collected.”1  The term “business” is defined as any “legal entity” that is “operated for . . . profit” and that:

collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the state of California . . .

The most logical interpretation of the above definition is that the phrase “determines the purposes and means of the processing” applies both to (1) entities that collect personal information and (2) entities on behalf of which such information is collected.  Under such an interpretation most service providers would not be considered a “business” to the extent that they do not determine the purpose and means of processing.  That said, the definition of business appears to be missing a comma after the phrase “or on the behalf of which such information is collected.”  Absent the comma it is unclear whether the clause “determines the purposes and means of the processing” applies only to entities “on the behalf of which such information is collected.”  If the purpose and means qualification only applies to entities on whose behalf information is collected, it might mean that service providers that directly collect consumer personal information fall under the definition of “business.”2

The CCPA also does not explain, or define, what it means to determine the “purpose and means of processing.”  While there is a great deal of interpretation of that phrase under European privacy law (which utilizes a similar phrase) it’s unclear to what degree California courts will defer to European regulators when interpreting a California statute.

The net result is that while the best interpretation of the CCPA is one that holds that consumers have no right to request access or deletion of their personal information directly from service providers, the obtuse language of the CCPA leaves some uncertainty concerning whether California courts will adopt that interpretation.

Under the European GDPR, if a service provider is considered a “processor,” the service provider is not required (or permitted) to substantively respond to a data subject’s request to access, modify, or delete their personal data unless their client (the “controller”) has specifically delegated the authority to act on their behalf in response to data subject requests. The service provider is required, however, to “assist[] the controller” when requested by the controller with the “controller’s obligation to respond to requests” from the data subject.3 As a practical matter, most European-drafted data processing addenda require that a service provider forward a request that it receives from a data subject to the service provider’s client for the client to determine how the request should be answered. If the client determines that the data subject is entitled to access their information, modify their information, or have their information deleted, the data processing addendum also typically requires the service provider to work with the client-controller to carry out that decision.

Article 28 of the GDPR requires that a controller “bind[]” every service provider to approximately thirteen substantive provisions; it also requires that contracts with service providers contain specific disclosures concerning the type of processing that will be covered by the agreement. In order to comply with this requirement, many companies put in place data processing addenda, or “DPAs,” designed to amend master service agreements to conform to the GDPR.

The CCPA requires that a service provider agree to three substantive restrictions involving their retention, use, and disclosure of personal information.  While the CCPA does not mandate that a business include any other provisions in an agreement with a service provider, in order for a business to comply with its own obligations under the CCPA it must “push down” certain obligations onto its service providers.  For example, if a business is required to delete a consumer’s personal information pursuant to a right to be forgotten request, the business will be unable to comply with that requirement if its service provider is unable to selectively and irrevocably delete data.  The following chart compares the requirements that the GDPR imposes upon processors with those that a business should impose upon a service provider pursuant to the CCPA.  As the chart indicates, a DPA that complies with all of the GDPR requirements will also satisfy each of the CCPA’s requirements.

| # | Requirement | GDPR | CCPA |
|---|---|---|---|
| 1 | Subject Matter. Description of the subject matter of processing. | ✓ Art. 23(3) | X |
| 2 | Duration. Description of the duration of processing. | ✓ Art. 23(3) | X |
| 3 | Nature and Purpose. Description of the nature and purpose of processing. | ✓ Art. 23(3) | X |
| 4 | Type of Data. Description of the type of personal data to be processed. | ✓ Art. 23(3) | X |
| 5 | Categories of Data. Description of the categories of data subjects to whom the data relates. | ✓ Art. 23(3) | X |
| 6 | Use Restrictions. A service provider can only process personal data consistent with a controller’s documented instructions. | ✓ Art. 28(3)(a) | ✓ § 1798.140(v) |
| 7 | Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | ✓ Art. 28(3)(b) | ✓ § 1798.140(v) |
| 8 | Delete or Return Data. Service provider will delete or return data at the end of the engagement. | ✓ Art. 28(3)(g) | ✓ § 1798.140(v) |
| 9 | Security. Service provider will implement appropriate technical and organizational measures to secure information. | ✓ Art. 28(1); Art. 28(3)(c); Art. 32(1) | X |
| 10 | Assisting Controller in Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach. | ✓ Art. 28(3)(f); Art. 33–34 | X (although other California laws apply to data breach response) |
| 11 | Subcontractor Selection. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors. | ✓ Art. 28(2); Art. 28(3)(d) | X |
| 12 | Subcontracting Flow-Down Obligations. Service provider will flow down these obligations to any subprocessors. | ✓ Art. 28(3)(d); Art. 28(4) | X |
| 13 | Subcontracting Liability. A service provider must remain fully liable to the controller for the performance of a sub-processor’s obligations. | ✓ Art. 28(3)(d) | X |
| 14 | Responding to Data Subjects. Service provider will assist the Company to respond to any requests by a data subject. | ✓ Art. 28(3)(e); Art. 12–23 | ✓ § 1798.105(c) (relating to deletion) |
| 15 | Assisting Controller in Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment. | ✓ Art. 28(3)(f); Art. 35–36 | X |
| 16 | Audit Right. Service provider will allow Company to conduct audits or inspections for compliance with these obligations. | ✓ Art. 28(3)(h) | X |
| 17 | Cross-Border Transfers. Service provider will not transfer data outside of the EEA without permission of Company. | ✓ Art. 28(3)(a); Art. 46 | X |

The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.

Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:

  1. The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
  2. Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3

A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to CCTV footage if there is a third party in the video, as this would infringe upon the third party’s privacy rights. Similarly, a business may not be able to provide access to internal documents regarding a consumer as it could be construed as an unauthorized disclosure of the document creator’s personal information.

A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:

[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4

Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:

  • Inferences about a consumer
  • Background programming
  • Background responses (e.g., internal responses to consumer requests and/or consumer activity)
  • Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
  • Internal notes about a consumer

For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase, such as the consumer’s name, phone number, mailing address, and the request made, is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made, such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior, is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.

The CCPA requires a business to respond to an access request by disclosing all information that it has “collected” about a consumer in the previous 12 months.1 Unlike the CCPA’s treatment of a business’s obligation to delete information, the Act provides very few exceptions to a business’s obligation to provide access to information.

Although the “access” obligation is undoubtedly broad, it is somewhat limited by how the CCPA interacts with other statutes, rights, and other obligations. Under the CCPA:

  1. The rights of one consumer “shall not adversely affect the rights…of other consumers,”2 and
  2. Individuals whose information has been subject to “an unauthorized access…or disclosure” can recover statutory damages.3

A business’s response to an access request must take these provisions into consideration. For example, a business may not be able to provide access to internal documents regarding a consumer (e.g., internal notes about a customer service representative’s experience with the consumer), as doing so could be construed as an unauthorized disclosure of the document creator’s personal information.

A case could also be made that the right of “access” is somewhat limited by the term “collect.” Under the CCPA, “collect” means:

[B]uying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.4

Arguably, this definition does not include information that is “created” internally, even if it relates to the consumer. At face value, all of the terms describing “collect” refer to information that already exists, so information that is “created” by the business may not need to be disclosed. Internally developed or created information may include:

  • Inferences about a consumer
  • Background programming
  • Background responses (e.g., internal responses to consumer requests and/or consumer activity)
  • Internal information unrelated to the consumer (e.g., background data describing a web page that the consumer navigated to)
  • Internal notes about a consumer

For example, if a consumer contacts a retailer to request a purchase return, some information relating to the return is “collected” and some is not. The information given to the retailer during the request phase – such as the consumer’s name, phone number, mailing address, and the request made – is certainly “collected” under the CCPA and would need to be disclosed pursuant to an access request. Other information generated after the request is made – such as internal return protocols, the refund date, the retailer’s response to the consumer, fraud detection protocols, internal notes, and inferences made about the consumer’s purchasing behavior – is arguably not “collected” under the CCPA and would not need to be disclosed pursuant to an access request.

For more information and resources about the CCPA visit http://www.CCPA-info.com.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed.  Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion.  That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.

The CCPA states that a business “may offer financial incentives” to a consumer for the “collection of personal information,” the “sale of personal information,” or the “deletion of personal information.”  The CCPA does not state, however, that a business “must” offer consumers a financial incentive prior to information collection.  

The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive – and complex – data privacy regulation in the United States.  The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects.  As a result, United States companies that thought they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute.  While the CCPA was drafted with an eye towards the GDPR, it also differs from that regulation in many respects.  As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

To help address the confusion caused by the CCPA, Bryan Cave Leighton Paisner is publishing this multi-part Practical Guide to the California Consumer Privacy Protection Act.

Quick Overview

A privacy notice (sometimes referred to as a privacy policy) is a document provided by a company to data subjects that includes, among other things, a description of what types of personal data the company collects, how the company uses data, with whom the company shares data, and how the company protects data.

The CCPA requires that a business inform the Californians about whom it has collected information of the organization’s privacy practices.  The privacy notice should be given “at or before the point of collection” of the information.

Comparison to Other Privacy Laws

Prior to the enactment of the CCPA there were several laws within the United States and within other countries – most notably the European GDPR – that required companies to publish a privacy notice.  The CCPA differs from those laws in the following respects:

  • Unlike United States federal laws that require privacy notices, the CCPA applies to a broader group of companies that is not limited to distinct industries (e.g., financial sector or health care).
  • Unlike United States state laws that require privacy notices, the CCPA
    • Applies to the collection by a business of personal information online and offline.
    • Requires companies to provide a greater degree of granularity concerning how the company uses and processes the personal information it collects.
    • Requires that businesses notify individuals about more extensive rights to access the information that the business holds about them.
    • Requires that businesses notify individuals about more extensive rights to have their information deleted.
    • Requires that businesses include a “Do Not Sell My Personal Information” link on their websites and in their privacy notices.
    • Requires that businesses describe the information that they share with service providers.
    • Requires that businesses describe the types of entities to whom they sell information.
  • Unlike the GDPR, the CCPA
    • Requires that businesses include a “Do Not Sell My Personal Information” link on their websites and in their privacy notices.
    • Requires that businesses describe the information that they share with service providers.
    • Requires that businesses describe the types of entities to whom they sell information.

To Do List

  • Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
  • Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice.
  • In such situations, draft a privacy notice that conforms with both the CCPA and other privacy laws that may apply (e.g., the GDPR).

How We Can Help

BCLP looks at privacy notices the way regulators and class action plaintiffs’ attorneys look at privacy notices – with an eye toward spotting inconsistencies, errors, and facial violations of the law.  We also bring to bear a deep understanding of how other organizations have addressed the challenges of conveying complex privacy concepts in a simple outward-facing document.  We can validate that a privacy policy – whether it was originally drafted to comply with United States or European law – complies with all of the new requirements of the CCPA.  You can find out more about how we draft and review privacy notices here.

Cross References

Cal. Civil Code 1798.100(b) (disclosure required at point of collection) 

Cal. Civil Code 1798.110(c) (contents of privacy notice)

Recital 58 (discussion of transparency principle)

Recital 60 (discussion of contents of privacy notice)

Recital 61 (discussion of timing of privacy notice)

Recital 62 (discussion of redundancy of information)

Article 12 (prohibition on charging for privacy information)

Article 13 (privacy notice requirements for direct collection of personal data)

Article 14 (privacy notice requirements for indirect collection of personal data)

Companies use different names to describe the document that discloses their practices in relation to the collection, use, and disclosure of personal information including: “Privacy Notice,” “Privacy Policy,” “Information Notice,” “Privacy Statement,” and “Data Protection Notice.”

From a legislative perspective, statutes have been equally inconsistent in their use of terms.  For example, the California Online Privacy Protection Act (“CalOPPA”) refers to the creation of a “privacy policy,” but acknowledges that the document can be described via a text link to consumers in any manner so long as the link “[i]ncludes the word ‘privacy.’”1  The California Consumer Privacy Act (“CCPA”) refers to the obligation to provide consumers with “notice” of privacy practices.2 While the CCPA does not itself require it, the Act also refers to the fact that some businesses may have an “online privacy policy.”3 In comparison, the European GDPR refers only to the obligation of a controller to provide “information” to data subjects, and does not explicitly reference either a “policy” or a “notice.”  In its interpretation of the GDPR, the Article 29 Working Party typically referred to a website “privacy statement” or a “privacy notice,” but recognized that “commonly used terms” by organizations included “Privacy,” “Privacy Policy,” “Data Protection Notice,” and “Fair Processing Notice.”4  The United States Federal Trade Commission – which is often looked to as the primary federal data privacy regulator for most companies in the US – has used the terms “privacy notice” and “privacy policy” interchangeably.5

The net result is that, from a legal standpoint, companies can choose how they want to label their disclosure of privacy practices, so long as their label would be understood by a reasonable person.

From a practical perspective, many companies maintain internal policies that are not intended to fulfill the function of notifying data subjects of the company’s privacy practices.  For example, a company might have a “privacy policy” focused on the company’s commitment to comply with certain privacy laws, or that sets up an internal structure for managing privacy within an organization.  A company might also have a “privacy policy” that discusses whether, or how, the company monitors the email of its employees, or a “privacy policy” that discusses the type of information that will be shared between managers or supervisors.  It can be confusing to create a “privacy policy” focused on data subjects when other “privacy policies” exist concerning internal operations and procedures.  Using the term “Privacy Notice” typically avoids that confusion.  Arguably, “Privacy Notice” also is better aligned with the intent of privacy-related statutes – i.e., to have companies “notify” data subjects of their privacy practices.

Anytime a new statute or regulation comes along, some law firms unfortunately flag issues that may not be of true concern to companies, or highlight problems that may not, in fact, exist.  Unfortunately, that continues to happen in connection with the California Consumer Privacy Act (“CCPA”).  In the context of retailer loyalty or reward programs, firms have said that the CCPA may spell the “end of loyalty programs,” or implied that the CCPA could lead to “the potential elimination of loyalty programs due to the nondiscrimination requirements.”  Some law firms have gone so far as to advise retailers to “address the issue[s]” caused by their loyalty programs by “not offer[ing] preferential pricing through loyalty programs” or by “mak[ing] loyalty program pricing available to all customers” regardless of whether they are, in fact, members of the loyalty program.  Such changes would, of course, destroy the business case for having a loyalty program in the first place.

These concerns are incorrect and demonstrate a lack of understanding of the requirements of the CCPA.  While the Act is, without a doubt, flawed, poorly drafted, and prone to misinterpretation, it does not lead to the conclusion that most loyalty programs are inherently problematic, nor should it cause most retailers to drastically change the terms and structure of their program.  The hyperbolic treatment of loyalty programs by some law firms may also have contributed to several companies and industry groups echoing these concerns with the California legislature and the California Attorney General and alleging (incorrectly) that “the CCPA may prevent[] marketers from offering loyalty programs,” or that the CCPA, as currently written, prohibits “tiered pricing, discounts or coupons.”

The following dispels five (mis)statements that have been made in connection with the CCPA’s impact on loyalty programs.

1. Myth: The CCPA prohibits “charging different prices or rates for goods or services.”

It does not.

The prohibition against price discrimination in the CCPA only applies to situations in which a consumer exercises a right conferred by the CCPA.  Nothing within the CCPA confers a right to join (or not join) a loyalty program.  For more information, see FAQ: Is a business prohibited from giving discounts to loyalty program members?

2. Myth: The CCPA states that the benefit provided to the consumer through a loyalty program must be reasonably related to the value provided to the business by the consumer’s data.

It does not.

As indicated above, the CCPA prohibits a business from engaging in price discrimination when a consumer exercises a right under the CCPA.  The CCPA provides an exception to that prohibition when the discrimination relates to a “price or difference” that is related to the value provided to a business by the consumer’s data.1

While some lawyers have misinterpreted this as requiring that all loyalty program benefits be related to the value provided to the business by the consumer’s data, as noted above, the operation of the loyalty program itself is not prohibited by the CCPA and, thus, does not require the benefit of this exception.

For more information, see FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?

3. Myth: Businesses must honor deletion requests for loyalty members.

They generally do not.

One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”2  While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.

As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program).  As this information was not collected “from” the consumer, it arguably does not fall within the ambit of a deletion right.

In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request.  For more information about each of those exceptions, and a description of how they apply to most loyalty programs, see FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an active member? and FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an inactive member?

4. Myth: Businesses that offer loyalty programs must include a “do not sell my personal information” link.

Not necessarily.

The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3  The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.

The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.

For more information go to FAQ: Is a business required to post a “do not sell” link if it offers a loyalty program?

5. Myth: Businesses that allow consumers to redeem points with third parties are selling information.

They generally are not.

The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.4  In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem points accumulated through the loyalty program of business A in order to receive goods or services provided by business B.  For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.

Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business B), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider.  As a result, and depending upon the structure of the business relationships, it is possible that, at first glance, the arrangement could fit the definition of “sale” under the CCPA.

Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”5  As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.

For more information, go to FAQ: If a business allows consumers to redeem loyalty program benefits for products or services offered by a partner, does that constitute the sale of information?

An invitation to a conference or a trade show is generally considered a commercial solicitation. On the federal level, the CAN-SPAM Act does not require prior consent for a commercial email, only that it be clearly identified as an advertisement and include an unsubscribe link. It also prevents a company from using an email list that was generated by automated means,1 either by scanning and harvesting emails from websites or by generating email addresses by combining names, letters, or numbers into permutations. A company that buys an email list is still responsible for how it was created.

While the CAN-SPAM Act pre-empts state laws that require opt-in consent before sending commercial emails, it does not preempt state laws that govern how companies collect email addresses.  As a result, while companies are permitted to send mass marketing emails concerning upcoming events to the extent that they intend to cull prospective attendees from various lists, that activity may trigger other state privacy laws.  For example, the CCPA requires that a company that collects an email address or any other personal information from a California resident distribute a privacy notice “at or before the point of collection.”2  The CCPA’s requirement is ambiguous as to whether a privacy notice must be provided only when the email address is collected directly from the resident, or whether it must be provided regardless of where the company obtains the email address.

Co-authored by Jason Schultz.

On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).

Assuming that the CCPA applies to a conference organizer (e.g., the organizer does business in California and meets the minimum revenue or data subject thresholds), nothing within the CCPA prohibits the organizer from collecting on-site tracking data, or using that data for first party marketing (e.g., to market additional conferences to attendees, or services at a conference being attended).  The CCPA would require that a conference organizer disclose that they are tracking attendee behavior as well as disclose their purpose for tracking – including the use of the data for marketing purposes.  While the disclosure might come in the form of a privacy policy provided to attendees, it could be less formal – such as via a poster or sign at check-in.  Conference organizers should also consider the additional CCPA related implications:

  • If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
  • An organizer may receive a request from an attendee for access to their information. In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
  • An organizer may receive a request from an attendee to delete their information. In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted.  For example, if the information is being collected for a purpose other than marketing – such as security at the conference – the organizer may be able to deny the request on those grounds.

If the organizer relies upon a third party to collect, host, analyze, or manage the data collected about attendees, the contract with the third party should meet the “service provider” requirements of the CCPA.

Co-authored by Jason Schultz

On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).

Assuming that the CCPA applies to a conference organizer (e.g., the organizer does business in California and meets the minimum revenue or data subject thresholds), nothing within the CCPA prohibits the use of on-site tracking.  The CCPA would require that a conference organizer disclose that they are tracking attendee behavior as well as disclose their purpose for tracking.  While the disclosure might come in the form of a privacy policy provided to attendees, it could be less formal, such as a poster or sign at check-in.  Conference organizers should also consider the additional CCPA-related implications:

  • If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
  • An organizer may receive a request from an attendee for access to their information.  In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
  • An organizer may receive a request from an attendee to delete their information.  In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted (i.e., it is being used internally for a purpose consistent with the expectations initially set as part of disclosing the organizer’s privacy practices).
  • If the organizer relies upon a third party to collect, host, analyze, or manage the data collected about attendees, the contract with the third party should meet the “service provider” requirements of the CCPA.

Co-authored by Jason Schultz

Nothing within the CCPA inherently prohibits an employer from sharing the names of employees that have been infected with a contagious disease with other employees who may have come into contact with the infected employee and, as a result, might take preventative measures (e.g., self-isolation).  The CCPA arguably requires only that the business take the following steps:

  • The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected.  While it is not certain whether disclosure of the identity of an infectious employee would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with third parties (which, of course, would include fellow employees) for the purpose of protecting employees, protecting the public, or protecting other individuals.1
  • In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”2 While it is not certain whether disclosing to an employee the name of an infectious person would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with employees to promote health and safety.3

It is important to note that other federal or state labor and employment laws may preclude a business from sharing the identity of a potentially contagious employee with other employees without the infected employee’s consent.  For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”4  Although this confidentiality requirement is subject to certain exceptions, there is currently no exception for providing an employee’s confidential medical information to other employees for purposes of promoting their health and safety.  As a result, if an infectious employee was recently around other employees, many employers try to inform the employees that are at heightened risk that they have been exposed without specifically identifying the individual that exposed them.

Nothing within the CCPA inherently prohibits an employer from sharing with public health authorities the names and contact information of employees that have been infected with a contagious disease.  To the extent that a federal, state, or municipal law requires the disclosure, the CCPA itself would not apply.1  If the disclosure is not required, but made at the request or recommendation of a public health authority, the CCPA arguably requires only that the business take the following steps:

  • The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected.  While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
  • In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3 While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4

It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities.  For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5  Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official[s] investigating compliance with [the ADA].”6  Thus, the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies.  As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control).  As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.

In addition to complying with the general compliance obligations of the CCPA, data brokers are required to take the following actions:

  1. Registration. Data brokers are required to register with the California Attorney General.1
  2. Fees.  Data brokers are required to pay a fee as part of the registration process.2
  3. Opt-out Mechanism.  As data brokers, by definition, sell personal information, they are required to provide an opt-out mechanism by which consumers can instruct the broker to cease such sales.3
  4. Respond to Opt-Out Signals.  As data brokers, by definition, sell personal information, they are required by the regulations implementing the CCPA to “treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicates or signal[s] the consumer’s choice to opt-out of the sale” of personal information as an opt-out request.4

The CCPA applies to the personal information of the California employees of a business that is subject to the statute.  The specific rights afforded to employees were set to phase in throughout 2020.  The following summarizes the top operational impacts that the CCPA has upon human resource departments:

  1. Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
  2. Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
  3. Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
  4. HR benefits providers. Under the CCPA, an employer must take steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt out of the sale through a “Do Not Sell” mechanism.
  5. Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4

A “notice at collection” refers to notice that is provided when a business intends to collect personal information directly from a consumer.  The notice, which must be provided “at or before the point at which” the collection of information occurs,1 should include the following information:

  • A list of the categories of personal information that will be collected;
  • The business or commercial purpose for which the information is being collected;
  • Information on how to opt out of the sale of personal information (if information is being sold); and
  • Information on how to find the company’s complete privacy notice.2

While some businesses may choose to provide consumers with a written document titled “Notice at Collection,” in most situations a formal document is arguably not needed.  Specifically, the information required to be communicated at the point of data collection is often communicated implicitly to a consumer or would be understood as part of the context of the data that is being collected.  For example, if a sales associate at a retail store asks a consumer for their credit card at the point of sale, a reasonable consumer would understand that their credit card information (e.g., name, payment card number, expiration date, etc.) is being collected, and that the collection is for the purpose of processing their transaction.  In such a situation, a reference within the store to where the consumer may find the company’s complete privacy notice arguably satisfies the “notice at collection” requirement.

Loyalty programs are structured in a variety of different ways.  Some programs track dollars spent by consumers, others track products purchased.  Some programs are free to participate in, others require consumers to purchase membership.  Some programs offer consumers additional products, other programs offer prizes, money, or third-party products.  Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program,” as a practical matter most, if not all, loyalty programs share two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.1

Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, its loyalty program will also be subject to the CCPA.  In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:

| Right | Applicability to Loyalty Program |
| --- | --- |
| Notice at Collection | A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.2 |
| Privacy Notice | A loyalty program that collects personal information of its members should make a privacy notice available to its members.3 |
| Notice of Financial Incentive | To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA, a business should provide a “notice of financial incentive.”4 |
| Access to Information | A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.5 |
| Deletion of Information | A company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten. |
| Opt-Out of Sale | A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt out of the sale of their information.  To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information. |

The CCPA requires businesses that sell personal information to notify consumers of the sale,1 include a list within their privacy notice of the categories of information that are sold,2 explain that consumers have a “right to opt-out” of the sale,3 and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information” which takes the consumer to a mechanism that permits them to exercise their opt-out right.4 The regulations implementing the CCPA also require that a business which sells personal information must identify, for each category of information sold, the “categories of third parties” to whom the information was sold.5

Although the CCPA does not itself require that a service provider honor a deletion request that it receives directly from a consumer, a service provider may be contractually obligated to do so by a business.

Many businesses include a contractual provision in their agreement with a service provider requiring the service provider to delete personal information that is processed on the business’s behalf at the direction of the business. A less specific “reasonable assistance” provision is also common, which obligates the service provider to reasonably assist the business in fulfilling a deletion request. Although here a service provider retains an argument that facilitating deletion when not required to do so by the CCPA may not be “reasonable assistance,” the existence of this provision signals that a business may be expecting the service provider to honor its deletion requests.

A business may assert that the contractual provisions which are required to meet the definition of “service provider” imply that a service provider must honor a business’s deletion requests. However, the CCPA specifically allows a service provider to process personal information outside of its relationship with the business if such processing is “otherwise permitted by [the CCPA].”1 As discussed above, the CCPA permits a service provider to refuse a deletion request for a variety of reasons.2

Beyond CCPA specific provisions, a business may argue that other provisions in the agreement with a service provider require deletion of personal information at a business’s direction. If personal information fits the agreement’s definition of confidential information, the confidentiality provision may require confidential information be deleted or returned at the disclosing party’s direction. A provision where a service provider has agreed to abide by the business’s privacy policy may also create an argument that the service provider must delete personal information, depending on the drafting of the privacy policy. If a data protection agreement containing the GDPR’s required Article 28 processor provisions applies, the definition of “personal data” in those provisions may be broad enough to apply to CCPA personal information and thus require deletion.

The CCPA defines the phrase “personal information” to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1  The CCPA includes a non-exhaustive list of data types that fall within that definition including “unique personal identifiers,”2 a term that is itself defined to include “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”3  As a result, the CCPA appears to treat persistent tracking cookies – such as those used by behavioral advertising networks – as “personal information” or a method of capturing “personal information.”  If a business collects “personal information” it is required under the CCPA to provide California residents with a privacy disclosure “at or before the point of [information] collection.”4

In situations in which a website operator deploys its own persistent tracking cookie, the website can presumably provide a description of its privacy practices via its own privacy policy linked at the bottom of the website.

In situations in which a website deploys the tracking cookies of a third party (e.g., behavioral advertising network cookies), it is unclear how the business that owns and controls the tracking cookie (i.e., the behavioral advertising network) will be able to provide California consumers with its privacy disclosure “at or before the point” of information collection, unless the cookie-owner requires that any website that deploys its cookie provide a copy of the cookie-owner’s privacy notice.  This might be accomplished, for example, by requiring websites to deploy a cookie banner that contains links to the privacy notice of each cookie that deploys on the website.