We're now on the home stretch in our run-down of the CCPA's core rights. So far, we've covered the Notice, Access and Opt-out requirements. Now, we'll be looking at the two final rights under the CCPA – Deletion and Non-discrimination. Compared to some of the other rights, these provisions may seem relatively straightforward. However, a closer look raises some tricky questions – in particular how the deletion exemptions under the CCPA tie in with the GDPR's Article 17 grounds for deletion, and how the right to non-discrimination sits alongside the CCPA's allowance for 'financial incentives'.
The Deletion requirements
The right to deletion under the CCPA is set out as follows:
"A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer." (Section 1798.105(a))
The first point to note relates to the scope of personal information within the deletion right. What isn't clear is whether the wording "which the business has collected from the consumer" is intentional. Elsewhere, with respect to other rights, the CCPA refers more broadly to personal information "about the consumer". If this distinction is intentional, then the right to deletion only extends to personal information provided voluntarily by the consumer, and possibly, data collected from consumers automatically (e.g. device data). However, other information such as data from third party sources, inferential data, passively observed and recorded data (like CCTV) would seemingly fall out of scope.
Assuming the right to deletion does apply, then there are a number of pretty broad exemptions to keep in mind. For example, a business can continue to retain the data where it is necessary to:
complete a transaction, provide a good or service or perform a contract with the consumer,
detect security incidents,
protect against fraud and illegal activity,
debug and repair errors,
enable solely internal uses that are reasonably aligned with the expectations of the consumer, or
make other internal uses of the information that are lawful and compatible with the context in which the consumer provided it.
A business that has already implemented data deletion processes under the GDPR will be in a good position to respond to requests, as it will already have both the technical capability to permanently delete personal data from its systems and internal procedures for handling and responding to requests.
However, a mental shift is required for the CCPA. Under the GDPR, a data controller must delete data only if one of the preconditions set out in Article 17(1) applies – for instance, if the personal data is no longer needed (Art 17(1)(a)) or where a data subject objects to processing based on legitimate interests and there are no "overriding legitimate grounds" for the processing (Art 17(1)(c)). In addition, the right does not apply if the business needs the data for certain purposes – such as to comply with a legal obligation (Art 17(3)(b)) or to establish or defend legal claims (Art 17(3)(e)).
The upshot of this is that if a business receives two deletion requests from an EU individual and a Californian individual then it will need to consider those requests quite differently, depending on the use of the data. For example, if the data is being used by the business for internal analytics then under the GDPR it's likely the request would need to be honoured (under Art 17(1)(c)), whereas under the CCPA the request could be refused (due to the exemption for internal uses reasonably aligned with the expectations of the consumer).
Each request will, of course, turn on its own facts – but lawyers will need to consider different legal thresholds and exemptions under the two pieces of legislation.
The Non-discrimination requirements
To complement and help reinforce the other consumer rights, the CCPA contains a non-discrimination provision:
"A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title…" (Section 1798.125(a)(1))
This means that a business cannot treat a consumer differently simply because they have chosen to exercise any of their rights under the CCPA – for instance, if they requested their information be deleted or they opted out from the sale of their personal information.
The CCPA contains a non-exhaustive list of discriminatory practices, which includes:
denying goods or services to the consumer,
charging different prices or rates for goods or services (including through the use of discounts, other benefits or penalties),
providing a different level or quality of goods or services to the consumer, and
merely suggesting that the consumer will receive a different price or rate or a different level or quality.
As an exception to the non-discrimination requirements, the CCPA allows a business to offer 'financial incentives' relating to the collection, sale or deletion of personal information (Section 1798.125(b)). This means that a business may, for example, encourage consumers (through monetary or other valuable consideration) to allow the business to sell the consumer's information or, similarly, discourage consumers from requesting their information be deleted. These types of incentives would not fall within the scope of non-discrimination even though they would clearly involve the use of discounts, benefits and/or penalties.
An obvious example of a financial incentive is where an individual signs up to a mailing list and receives a free e-book or download – a simple quid pro quo where the individual provides their email address in exchange for free content. Another example could be a wellness app that sends the user offers or discount codes if they share information with the app about their daily step count or weekly class attendance. Similarly, financial incentives could include a broad range of loyalty schemes.
The CCPA also allows a business to offer a different price or quality of goods or services if the difference "is directly related to the value provided to the consumer by the consumer’s data" (Section 1798.125(b)(1)). This implies that where the value of the service is tied to the value of the consumer's data, then the business can justify setting a different price or withholding a service depending on whether, for example, the consumer opted out from the sale of their personal information or requested their information be deleted.
In theory, this could potentially cover a number of different use cases – for instance, where a service is funded entirely through advertising and the consumer's data is needed to deliver and target advertising to the consumer. There is, however, some uncertainty as to how broadly this allowance will be interpreted – this is certainly one area where further clarification or guidance would be welcome.
In any event, the CCPA places conditions around the offering of financial incentives – firstly, a business must not offer incentives in a way that is "unjust, unreasonable, coercive, or usurious in nature" and, secondly, the business must:
notify consumers about the use of incentives in a way that clearly describes the material terms of the program, and
obtain the consumer's prior opt-in consent (which can be revoked at any time).
Non-discrimination and the GDPR
Interestingly, the GDPR doesn't contain an equivalent provision to the CCPA's right of non-discrimination. However, Article 5(1)(a) of the GDPR states that processing of personal data must be ‘fair’ – which arguably prohibits discriminatory treatment of a data subject based on their choice to exercise their rights under the GDPR.
The GDPR also doesn't explicitly address financial incentives, but these types of exchanges involving personal data pose certain difficulties. For instance, if a controller is relying on the individual's consent to process personal data, then that consent must be "freely given". As is clear from Article 7(4) of the GDPR and the European Data Protection Board's Guidelines on Consent, consent is not "freely given" if the service is conditional on consent or the individual would suffer a detriment by not providing it. In other words, an individual cannot consent to a quid pro quo to receive a good or service in exchange for their personal data, as such consent would not be considered valid. So the controller would need to rely on one of the other lawful grounds for processing under the GDPR, such as "contractual necessity" or "legitimate interests".
That's a wrap…
We've made it through the CCPA's core rights – phew! But there is still a lot to talk about. Keep checking in for more thoughts and updates about the CCPA, both in terms of how the CCPA will impact your business and what you should be doing to stay compliant.