On January 1, 2020, the California Consumer Privacy Act (CCPA) becomes operative.  As we reported last month, the California Attorney General (AG) released long-awaited draft regulations to the CCPA. This is the third installment in a series of posts discussing the regulations most relevant to companies as they determine whether they are covered under the law and how to comply.  This post discusses the key regulations on business verification of requests made by consumers and the non-discrimination provision of the CCPA. 

Business Verification of Requests from Consumers

Since the CCPA’s enactment, companies have looked for guidance on how they could verify that a request for disclosure or deletion of information comes from the correct consumer. The AG’s regulations set out guidance for verifying these requests from consumers. The regulations encourage businesses, when feasible, to match identifying information provided by the consumer to information already maintained by the business, or to use a third-party verification service. They also instruct companies to avoid asking for sensitive information—such as social security or other government ID numbers, financial numbers and access codes, medical information, health insurance information, biometric data, or information that would permit access to an online account—for verification purposes.

The regulations do not set out a specific protocol verifying requests. Instead, to allow a “significant amount of discretion and flexibility,” the regulations list several factors that a business should weigh when considering how stringent their verification process should be.

The factors include:

1. The type, sensitivity, and value of the personal information collected and maintained about the consumer. This requires some balancing, because the categories of information mentioned above are considered presumptively sensitive and therefore warrant a more stringent verification process when there is a request to delete them. As discussed in our previous post, however, companies may not disclose this sensitive information regardless of the strength of the verification required.
2. The risk of harm to the consumer posed by any unauthorized access or deletion.
3. The likelihood that fraudulent or malicious actors would seek the personal information.
4. Whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated.
5. The manner in which the business interacts with the consumer.
6. Available technology for verification.

The regulations state that during the verification process, businesses should “avoid requesting additional information from the consumer for the purposes of verification” when possible. If the business has to use different information to verify a consumer’s identity, they cannot keep that new information.

Notably, the regulations require businesses to implement “reasonable security measures” for detecting fraudulent activity and preventing unauthorized access to or deletion of consumer personal information. The regulations also provide a instructions for businesses that have no reasonable method to verify a consumer’s identity. The businesses must respond to consumer requests and explain why they have no reasonable method to verify the requestor’s identity. The businesses must also re-evaluate their ability to verify requests annually and document this process.

Non-Discrimination Provision

Under Section 1798.120 of the CCPA, businesses cannot discriminate against consumers because the consumers choose to exercise their rights under one of the CCPA’s provisions. This provision raised many questions for businesses, especially those with loyalty programs. The Attorney General acknowledged that this section caused “a significant amount of confusion and misunderstanding.”

The regulations state that a “financial incentive or a price or service difference” qualifies as discrimination and is thus prohibited. However, if the price or service difference is “reasonably related” to the value of the consumer’s data, a business can offer such a price or service difference. The regulations give examples, including that a streaming service may provide the options of a $5 per month memberships that allows for opting out of the sale of personal information or a free membership without opt-out rights only if the $5 per month price is reasonably related to the value of the data to the business. Otherwise it is discriminatory.

The regulation offers businesses several acceptable methods for calculating the value of a consumer’s data for the purpose of offering a financial incentive or a price or service difference. Those methods include: marginal value or average value of the data or typical data; revenue or profit generated by having separate data tiers; revenue or profit generated from the sale, collection, or retention of personal information; expenses related to the sale, collection, or retention of personal information or to the provision of financial incentives or price or service differences; or any other good faith practical and reliable method. 

The regulations also provide the example of a retail store that offers discounted prices to consumers who sign up for a mailing list. The regulations explain that: “If the consumer on the mailing list can continue to receive discounted prices even after they have made a request to know, request to delete, and/or request to opt-out, the differing price level is not discriminatory.”  The AG’s statement of reasons explains that the regulations purposefully do not include a wholesale exemption for loyalty programs, but instead provide a blueprint for how an exempt loyalty program could be designed. 

We will continue to update you about CCPA developments on this blog.