- 1798.100 – Consumers’ right to receive information on privacy practices and access information
- 1798.105 – Consumers’ right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers’ right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
What qualifies as aggregate or de-identified information under the CCPA?
The CCPA defines both “aggregate consumer information” and “deidentified information.” Aggregate consumer information is defined to mean “information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. ‘Aggregate consumer information’ does not mean one or more individual consumer records that have been deidentified.”1
Deidentified information is defined under the CCPA to mean “information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:
(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(2) Has implemented business processes that specifically prohibit reidentification of the information.
(3) Has implemented business processes to prevent inadvertent release of deidentified information.
(4) Makes no attempt to reidentify the information.”2
Notably, the definition of “aggregate consumer information” explicitly excludes deidentified information from its scope, even though it is possible that both definitions could apply to the same data set. The functional difference between the two definitions is primarily that the definition of aggregate consumer information applies solely to the data itself, whereas the definition of deidentified information also incorporates and considers the conditions under which such data is held. In any event, the effect is the same: whether aggregated or deidentified, the data is no longer “personal information.”
Does “personal information” include aggregate or de-identified information?
No.
By its terms, the definition of personal information excludes aggregated or de-identified information. Specifically, pursuant to an amendment enacted by the California legislature in late 2019, the definition of personal information was modified to state that “‘[p]ersonal information’ does not include consumer information that is deidentified or aggregate consumer information.”1
Do job applicants need to be given a privacy notice?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute – including the right to receive a privacy notice – apply to any job applicants who are California residents and about whom the business collects personal information.
What personal information does an employer typically collect about its employees?
- Benefits elections.
- Correspondence to/from the employee and the employer.
- Correspondence to/from the employee and other employees.
- Correspondence to/from the employee and customers or clients of the employer.
- Complaints made about the employee.
- Complaints made by the employee.
- Disciplinary actions and related investigation files.
- Employment eligibility verification information (e.g., I-9, Social Security Number).
- Job application.
- Pay details (e.g., direct deposit information).
- Pay history.
- Performance reviews.
- Personnel files.
- Salary and salary history.
- Time and attendance.
Does the CCPA apply to the personal information of employees?
Yes.
The CCPA applies to personal information held about “consumers” – a term which is defined as referring to any resident of California.1 As a result, if a business is governed by the CCPA, the rights conferred by the statute apply to the business’s employees.
While the CCPA applies to data collected about employees, the California legislature passed an amendment in 2019 (Senate Bill 25) that effectively phased in the rights afforded to employees over the course of 2020. Pursuant to the amendment, those provisions of the CCPA found within Sections 100(b) and 150 applied immediately to employees.2 These included the obligation that a business inform an employee “at or before the point of collection” of the personal information to be collected and the purposes for which the information will be used.3 They also included the ability of an employee to bring suit if an employer failed to adequately protect sensitive category information.5 Employees’ personal information was exempted from other provisions of the CCPA until January 1, 2021 (e.g., access rights, deletion rights, sale rights, etc.).5
Are consumers in Europe more likely than consumers in the United States to “opt-in” to cookies?
Yes.
Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1
Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted. There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that exists, however, indicates that acceptance rates differ depending upon the location of the website visitor. Specifically, users in some European countries (e.g., Sweden and the Netherlands) appear to “accept” cookies when presented with a cookie notice that solicits opt-in at rates that may be more than double the acceptance rate in the United States.2
Are the “unified business provision” and the “affiliate exception” within the CCPA the same thing?
Yes.
The CCPA includes within the definition of a “business” an entity “that controls or is controlled by [another] business” and that “shares common branding with the business.”1 This provision has been referred to by some companies as the “unified business provision” as it functionally states that entities under common control and common branding should be treated under the CCPA as a single “business” instead of as multiple business entities. Other companies have referred to this as the “affiliate exception” owing to its functional impact on compliance. Specifically, if the Act did not treat businesses that were under common ownership, control, and branding as a single business, then affiliates might find themselves in the situation in which transfers of data between and among members of a corporate group might constitute the “sale” of information as they might be viewed as transfers from one business to a separate business for consideration (if, for example, the affiliated entities were performing services for one another or cross-marketing products). Viewing corporate affiliates as a single business unit for the purposes of the CCPA functionally creates an exception to the definition of “sale” for those situations in which Affiliate A transfers personal information to a commonly branded Affiliate B.
Can retargeted advertising campaigns be done under service provider agreements?
Yes.
The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider. In order for an adtech company to meet the definition of a “service provider,” at least two conditions must be met.
First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.1
Second, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2
One common use of third party behavioral advertising cookies is to allow businesses to contact consumers that have left the business’s website in order to serve those consumers with targeted advertising. Similarly, businesses may serve targeted advertising not through the use of behavioral advertising cookies, but by providing adtech partners lists (e.g., names, email addresses, or telephone numbers) of customers or potential customers. These practices are commonly referred to as retargeting campaigns, as they often attempt to “retarget” consumers that expressed interest in a product or service, but failed to complete a transaction.
Questions have been raised about whether third parties that provide retargeting services can be classified as “service providers” under the Act. Specifically, some commenters have asserted that such a use might not be “necessary” for a business purpose under the CCPA, or that by performing a retargeting campaign an adtech partner may be using data for its own purposes. In response to these concerns, the California Attorney General clarified that “[t]he CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”3 The Attorney General further cautioned, however, that to be considered a service provider the adtech partner must not use the personal information that it collects from one business to “provide advertising services to other businesses.”4 Furthermore, under the regulations implementing the CCPA the adtech partner must be prohibited from “building or modifying household or consumer profiles” from the data that it receives.5
Does the CCPA apply to cookies that are used for data analytics?
It is not clear.
The California Attorney General was asked to clarify whether the CCPA applies to a website that utilizes “cookies to track traffic” assuming that such cookies were not utilized to sell data or to market products.1 The Attorney General refused to provide guidance stating only that the determination as to whether cookies that track website traffic (e.g., analytics cookies) are governed by the Act “raises specific legal questions that may require a fact-specific determination.”2 The Attorney General further advised a business that utilizes such cookies to “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”3
Although the California Attorney General did not specify what “facts” and “concerns” he believes are relevant to the analysis, whether an analytics cookie is governed by the CCPA arguably turns on the Act’s definition of “personal information.”
The phrase “personal information” is defined within the CCPA to mean any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”4 The CCPA includes a non-exhaustive list of data types that might fall within that definition. That list includes “unique personal identifiers,”5 a term which itself is defined as including “cookies” that are used to “recognize a . . . device that is linked to a consumer or family, over time and across different services.”6 When the qualifiers found within the definition of “personal information” are combined, the CCPA suggests that an analytics cookie should not be considered personal information regulated by the statute unless, at a minimum, the following three conditions are met:
- The analytics cookie is persistent (i.e., tracks “over time”),
- The analytics cookie is used to track across multiple websites (i.e., “across different services”), and
- The analytics cookie can “reasonably be linked” to a particular consumer or household (as opposed to a particular device that may, or may not, be shared among a number of individuals).
Do companies have to “flow down” access requests to service providers?
Probably.
When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.1 If the business decides to grant the request and provide the personal information in its possession, the CCPA does not specifically state that the business must also direct its service providers to produce the personal information that may be in their possession. This contrasts with deletion requests where the CCPA expressly states that a business which intends to honor such a request must “direct any service providers to delete the consumer’s personal information from their records.”2
Although the CCPA does not expressly state that a business must direct its service providers to search for and produce information collected from a consumer, privacy advocates are likely to take the position that flowing down an access request is implicitly required for the following reasons:
- Service providers are an extension of a business. The CCPA states that a service provider “processes information on behalf of a business.”3 To the extent that a service provider functions as an agent of a business, an argument could be made that a failure by the business to instruct the service provider to search for and produce information could constitute a violation by the business itself.
- The CCPA refers to access to the information “collected.” The CCPA states that a consumer should be able to request access to the “specific pieces of personal information the business has collected.”4 To the extent that a business collects personal information and then transmits it to a service provider for storage or further processing, the personal information was still “collected” by the business and, therefore, may need to be identified and produced regardless of whether it currently resides with the business or with its service provider.
- Access requests under the European GDPR are typically flowed down. Like the CCPA, the European GDPR does not expressly state that a controller must flow down an access request to a processor. In practice, however, it is well accepted in Europe that if a controller grants an access request it should flow down an instruction to its processors to provide the impacted personal information. In turn, the GDPR requires processors to “assist[] the controller . . . [in] the fulfilment of the controller’s obligation to respond to requests for exercising data subject’s rights . . . .”5
The act of instructing service providers to provide personal information in response to a consumer’s request is often referred to as “flowing down” an access request, or an “access request flow down.”