- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Does the CCPA require that the benefits conferred by a loyalty program be “reasonably related” to the value of a consumer’s data to the business?
The CCPA makes clear that a business can offer different prices or rates to consumers as part of a financial incentive program if those different prices or rates are “directly related to the value provided to the business by the consumer’s data.”1 The CCPA does not, however, directly prohibit the offering of a financial incentive if the value provided to the business by the consumer’s data is not “directly related” to the value of the financial incentive.
The CCPA also states that a business may not, through a financial incentive program (or any other activity), discriminate against a consumer because the consumer “exercised any of [their] rights” under the CCPA (e.g., access, deletion, or opt-out of sale), unless the difference in price, rate, or quality that forms the basis of the discrimination is “reasonably related to the value provided to the business by the consumer’s data.”2
In commentary published with the issuance of the regulations implementing the CCPA, the California Attorney General informally suggested that the Act might be interpreted as requiring that the benefit provided by all loyalty programs should be “reasonably related to the value of the consumer’s data to the business.”3 The California Attorney General did not explain, however, the basis for his assertion, and such a position would directly conflict with the text of the CCPA (described above) which applies the “reasonable relationship” test only to situations in which “discriminat[ion]” is prompted by the “exercise . . . of the consumer’s rights.”4 Furthermore, in other statements made by the Attorney General, he concedes that the “reasonable related” standard applies only in the context of discrimination.5
As a result, there is a strong argument that the price or rate discounts offered through a loyalty program do not need to be reasonably related to the value that a business derives from data, so long as the business does not discriminate against a consumer that attempts to exercise a privacy right.
Does the CCPA require that the benefits conferred by a loyalty program be “directly related” to the value of a consumer’s data to the business?
The CCPA states that a business “may offer” different prices or rates to consumers if those prices or rates are “directly related to the value provided to the business by the consumer’s data.”1 Interestingly, the CCPA does not prohibit a business from the opposite activity. In other words, it does not state that a business is prohibited from offering different prices or rates if the benefits of a loyalty program are not directly related to the value provided to the business.
What rights does a consumer have in relation to a loyalty program under the CCPA?
Loyalty programs are structured in a variety of different ways. Some programs track dollars spent by consumers, others track products purchased. Some programs are free to participate in, others require consumers to purchase membership. Some programs offer consumers additional products, other programs offer prizes, money, or third party products. Although neither the CCPA nor the regulations implementing the CCPA define a “loyalty program” as a practical matter, most, if not all, loyalty programs share two things in common: (1) they collect information about consumers, and (2) they provide some form of reward in recognition of (or in exchange for) repeat purchasing patterns.1
Because loyalty programs collect personal information about their members, if a business that sponsors a loyalty program is itself subject to the CCPA, its loyalty program will also be subject to the CCPA. In situations in which the CCPA applies to a loyalty program, the following table generally describes the rights conferred upon a consumer in relation to the program:
|Right||Applicability to Loyalty Program|
|Notice at Collection||A loyalty program that collects personal information from its members should provide a notice at the point where information is being collected regarding the categories of personal information that will be collected and how that information will be used.2|
|Privacy Notice||A loyalty program that collects personal information of its members should make a privacy notice available to its members.3|
|Notice of Financial Incentive||To the extent that a loyalty program qualifies as a “financial incentive” under the regulations implementing the CCPA, a business should provide a “notice of financial incentive.”4|
|Access to Information||A member of a loyalty program may request that a business disclose the “specific pieces of personal information” collected about them.5|
|Deletion of information||A company may generally deny a request by a loyalty program member to delete information in their account based upon one of the exceptions to the right to be forgotten.|
|Opt-out of sale||A loyalty program that sells the personal information of its members should include a “do not sell” link on its homepage and permit consumers to opt-out of the sale of their information. To the extent that a consumer has directed the loyalty program to disclose their information to a third party (e.g., a fulfillment partner), it would not be considered a “sale” of information.|
How can a business distribute an employee privacy notice to job applicants?
While the CCPA does not dictate the manner in which a privacy notice should be distributed to job applicants, many employers consider using one or more of the following distribution techniques:
- Homepage. Some employers include references to the personal information collected from job applicants in a unified privacy notice posted on the company’s homepage in a persistent footer.
- Online application submission form. Businesses that solicit applications through an online submission form often add a link to the privacy notice that describes the collection of information from job applicants on the form submission page.
- Email. Some employers email a copy (e.g., PDF) of the privacy notice that applies to job applicants to each candidate that submits an application.
- URL on paper applications. Some employers that accept paper job applications include a reference to where the applicant can find a full copy of the business’s privacy notice on the paper application form.
- Copy on paper applications. Some employers include a copy of either the full privacy notice, or a short form privacy notice, on any paper application forms.
It is important to note that regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to job applicants with disabilities.2 The Modified Proposed Regulations also imply that if a business elects to distribute a privacy notice in hard copy (e.g., copy on the back of a paper application), it may still need to post an electronic copy of the privacy notice “online.”3
How can a business distribute an employee privacy notice to current employees?
Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1 Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.
While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:
- Computer log-in notice. Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
- Email. Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
- Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
- Open enrollment. Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
- Paper Distribution. Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).
It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.2 As a result, if some employees do not have access to some format as a result of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution) it may still need to post an electronic copy of the privacy notice “online.”3
The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.
Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?
The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.
Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.” 1 While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:
|Privacy Notice Disclosures Required as of January 1, 2020
In All Privacy Notices (e.g., employee and non-employee)
|1. Identify the enumerated categories of personal information collected.2|
|2. Identify the general purpose for which information will be used3|
|Additional Privacy Notice Disclosures Required as of
January 1, 2020 in Non-Employee Privacy Notices and as of
January 1, 2021 in Employee Privacy Notices
|1. Explain the ability of a California resident to request access to their personal information.4|
|2. Identify the enumerated categories of personal information shared with services providers.5|
|3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6|
|4. State that a California resident has the ability to opt-out of sale of information (if applicable).7|
|5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8|
|6. Explain the ability of a California resident to request deletion of their personal information.9|
|7. Provide general information concerning the sources from which personal information was collected.10|
|8. Provide general information concerning the third party recipients of personal information11|
|9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12|
|10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13|
|11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14|
|12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15|
The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.
Does an employee privacy notice need to be separate and distinct from a consumer privacy notice?
The CCPA requires that a business subject to the Act disclose the type of personal information that it collects about its California employees and the purpose of the collection “at or before the point of collection.” The CCPA does not, however, require that such information be presented in a separate employee-specific privacy notice.
While some employers choose to create a stand-alone privacy notice that applies to employees, other employers choose to include disclosures concerning their collection and use of employee data as part of the broader privacy notice that they provide to clients, customers, and business partners, which discusses all of the business’s data-related practices.
Do current employees need to be given a privacy notice?
A privacy notice typically discloses the following information to the public:
- The categories of information collected from a data subject directly and from third parties about a data subject,
- The purpose for which information is collected and used,
- The extent to which the business tracks or monitors data subjects,
- The extent to which the business shares the data subject’s information with third parties,
- The standard by which the business protects the information from unauthorized access,
- The ability (if any) of a data subject to request access to their information,
- The ability (if any) of a data subject to request the deletion of their information,
- The ability (if any) of a data subject to request the rectification of inaccurate information, and
- The process by which a business will inform data subjects about changes in its privacy practices.
While the CCPA requires that a business that collects a consumer’s personal information about its employees disclose the first two categories of information “at or before the point of collection,” it does not require that all of the information typically contained in a privacy notice be disclosed to the employee at that time.1
Does the CCPA apply to the personal information of employees?
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased-in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.5 Employee’s personal information was exempted from other provisions of the CCPA until January 1, 2021 (e.g., access rights, deletion rights, sale rights, etc.).5
Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.