Are businesses required to offer the same methods for submitting DSR requests under the CCPA as they are under the GDPR?
No.
Much like the GDPR, the CCPA gives consumers certain rights over their data. In particular, California residents have the right to request access to their personal information, the right to request the deletion of their personal information, and the right to opt out of the sale of their personal information.1
Businesses that are already GDPR-compliant will have pre-existing methods for fielding data subject requests, such as web portals, email addresses, or dedicated phone numbers. While these methods may be adequate, businesses should double check that all of the CCPA’s requirements are met. Whereas the GDPR has very few requirements governing submission methods, the requirements under the CCPA and Proposed Regulations are numerous.2
The end result is that if a business is GDPR compliant with respect to how data subjects are able to submit rights requests, it may not be CCPA compliant. In contrast, if a business is CCPA compliant with respect to how consumers are able to submit rights requests, it will almost certainly be GDPR compliant.
Below is a comparison of the requirements for methods to submit requests under the GDPR and under the CCPA.
GDPR | CCPA
Access: |
Opt-out: |
Delete: |
Are companies required to get opt-in consent under the CCPA before using personal data?
No.
The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in three situations:
- Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if a consumer consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
- Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer (in the case of individuals between 13 and 16) or the guardian (in the case of individuals under the age of 13) has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, technically the information transfer might not be a “sale” at all.
- Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., by clicking a “Do Not Sell My Personal Information” link), a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4
Are companies required under the CCPA to get employees’ consent before collecting their personal information?
No.
The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information. The concept of consent only arises within the CCPA if a company intends to sell information. In that context, consent applies in two situations when dealing with employees:
- Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood. The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1 In other words, if an employee consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
- Sale of information about minors. The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor employee. Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph, the information transfer might not be a “sale” at all.
- Re-soliciting the ability to sell. The CCPA states that if a person opts out of the sale of information (e.g., by clicking a “Do Not Sell My Personal Information” link), a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4 As a result, if a company sells the information of its employees, and provides employees a do-not-sell option, it is not permitted to ask those employees that opt out for permission to sell for 12 months.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. Cal. Civil Code § 1798.140(t)(2)(A).
2. Cal. Civil Code § 1798.140(t)(2)(A).
3. Cal. Civil Code § 1798.120(c).
4. Cal. Civil Code § 1798.135(a)(5).
Are the verification requirements for access and deletion requests the same under the CCPA as they are under the GDPR?
No.
Both the CCPA and the GDPR provide individuals with a right to request access to their personal information and a right to request the deletion of their personal information.1 As a result, businesses that field rights requests are required to ensure that the requestor is indeed the individual he or she is claiming to be. The failure to properly verify an individual, and the subsequent unauthorized disclosure, can trigger data breach provisions under both laws.
While the GDPR provides high-level guidance on how to verify the identity of a requestor, the CCPA and the accompanying Proposed Regulations are more specific in their requirements.2 Below is a comparison of the requirements for verifying the identity of a requestor under the GDPR and under the CCPA.
As the CCPA nears, how many companies have included a “Do Not Sell My Personal Information” link on their homepage (Updated Week of 12/23/2019)?
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their websites at the end of the year, websites that are preemptively changed before year-end are reviewed and scrutinized for signs of emerging industry standard practice.
To-date, the placement of a “do not sell” link on a website has not arisen to the level of an industry practice.
In order to help companies understand and benchmark standards and practices, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, and as of December 20, 2019, only 4% of the total sample population had placed a “Do Not Sell My Personal Information” link either within their privacy notice or on their homepage.2 The percentage is slightly higher when viewed as a function of only those websites that have already updated their privacy notices for the CCPA. Within that sub-sample, 18% of companies have included a “Do Not Sell My Personal Information” link.
Interestingly, none of the companies that have included such a link appear to have a working mechanism for effectuating a “do not sell” request. One company’s link takes users to a data subject request portal that does not contain a “do not sell” option; the other company’s link takes users to an online chat bot that does not respond to requests for information not to be sold. It remains to be seen whether regulators and the plaintiff’s bar will view the inclusion of a link that is not functional as raising legal concerns under the Federal Trade Commission Act (“FTCA”) and state Unfair and Deceptive Trade Practice Acts (“UDTPA”).
Co-authored by Zach DeFelice.
CCPA Privacy FAQs: Can a company be sued under the CCPA for failing to post a “do not sell my personal information” link?
No.
Section 1798.150 of the CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”1 The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to include a “do not sell my personal information” link on the company’s homepage.2
The California Unfair Competition Law (“UCL”) defines “unfair competition” as including “any unlawful, unfair, or fraudulent business act or practice.”3 Plaintiffs’ attorneys in California have historically attempted to use the text of the UCL to bring suit against companies that allegedly violated any other California or federal law arguing that the secondary violation constituted an “unlawful” practice for which the UCL might permit recovery. It is unlikely, however, that such a strategy would succeed in connection with the CCPA, as the Act expressly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”4
An amendment to the CCPA – Senate Bill 561 – has been proposed, which, if passed, would extend the private right of action and the ability for plaintiffs’ attorneys to seek statutory damages for all alleged violations of the CCPA. While the amendment received the endorsement of the California Attorney General, on May 16, 2019, it was held in committee under submission pending fiscal review.
The net result is that the CCPA, as it currently stands, will not permit consumers to sue businesses that are alleged to have failed to include a “do not sell my personal information” link, and it is unlikely that courts will permit such suits through the auspices of the UCL. The California legislature could, however, decide at any time to amend the CCPA to provide a private right of action in connection with a failure to include the opt-out link on webpages.
CCPA Privacy FAQs: Does the CCPA require that a company allow consumers to opt-out (e.g., toggle off) analytics cookies?
It depends.
The CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”1 The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.”2 “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”3
While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, whether the exception applies to analytics cookies operated by third parties may depend in part upon the contract in place (or terms and conditions) with the third party.4 Specifically, the service provider exception requires that the following three conditions be present:
- The transfer of information to the service provider must be “necessary” for the website’s business purpose.5 It is uncertain whether a court would view analytics cookies (and the information that they provide) as a necessity.
- The transfer of the information to the service provider must be disclosed to consumers. Many websites arguably meet this requirement by disclosing their use of third party cookies or analytics cookies in their privacy policies.
- The agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”6 Whether the contract in place with the provider of an analytics cookie meets these requirements may be a case-by-case inquiry.
In order to mitigate the risk that permitting analytics cookies to deploy on a website will be interpreted as a “sale” of information, a website has at least three options:
- Verify that the contract fits the definition of a “service provider.” If the analytics cookies are necessary for the efficient operation of the website, and if a website verifies that its contract with the analytics cookie provider qualifies as a “service provider,” the cookie can be placed without offering consumers the ability to opt-out or toggle the cookie off.
- Ask for consent. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.”7 As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of analytics cookies, the website arguably has not “sold” information to the company that provides the analytics cookie. Note that if the consumer agrees to the deployment of the analytics cookie, nothing within the CCPA would require the website to present them with an automatic ability to opt-out (i.e., toggle off) the cookie.
- Disclose the sale of information and offer opt-out. If an analytics vendor does not fit the definition of a “service provider,” and opt-in consent is not obtained, a website could disclose within its privacy policy that it is “selling” information (as that term is defined within the CCPA) to an analytics cookie provider. Note, however, that if a company sells personal information, the CCPA requires that the company provide a “Do Not Sell My Personal Information” link on its homepage, and honor requests to opt out from such sales.8 Assuming that a business provides such a link, it is not clear that a mechanism currently exists for the business to communicate to analytics cookie providers that a particular consumer’s information cannot be collected. One possible alternative might be to adopt a cookie management tool that provides consumers with the ability to “toggle off” the analytics cookie. A cookie management tool solution, however, has not been validated by the Office of the Attorney General or California courts and may raise conceptual questions concerning whether the “toggle-off” feature is sufficient, given that the consumer may be re-presented with a request to accept analytics cookies the next time that the consumer clears their cache, or visits the website from a different browser.
The net result is that while the CCPA does not expressly require that websites offer to consumers the ability to “toggle-off” analytics cookies, some companies may offer such a feature as part of a risk mitigation strategy.
CCPA Privacy FAQs: How many companies have included a “Do Not Sell My Personal Information” link on their homepage?
<4%
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their websites and privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their sites at the end of the year, websites that are preemptively making changes before year-end are being reviewed and scrutinized for trends and signs of any emerging industry standard practices.
In order to help companies understand and benchmark industry practice, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies.1 Based upon that sample, only one company (3.33% of the total sample population) has placed a “Do Not Sell My Personal Information” link on their homepage to-date.2 It should be noted that in the context of that one company, the link appeared to be non-functional.
Co-authored by Zach DeFelice
CCPA Privacy FAQs: If a business receives an access request, does it have to provide information that it collected more than a year ago about the consumer?
No.
The CCPA contains four references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident.1 Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business in response to an access request “shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request . . . ”2 The statute reiterates that access is limited to a 12 month lookback in California Civil Code Section 1798.130(a)(3)(B) by stating that access requests which seek information about a business’s collection practices (as opposed to requests that seek the specific pieces of information held by the business) are similarly limited to “the preceding 12 months.”3 It is unclear, from this text, whether the legislature intended that a company provide access only to data that was collected during the 12 month lookback period, or provide access to data that was held by the company during some portion of the 12 month lookback.
CCPA Privacy FAQs: If a website participates in behavioral advertising, does Nevada privacy law require that it disclose that it is “selling” consumers’ information?
While Senate Bill No. 220 incorporates the CCPA’s concept of permitting consumers to object to the sale by a company of their information, it avoids many of the drafting errors, ambiguities, and business impracticalities of the CCPA, including its treatment of online behavioral advertising.
For context, the California CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”1 The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.”2 “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”3 Plaintiffs’ attorneys are likely to argue that the act of authorizing a third party behavioral network to access information transmitted by a consumer is synonymous with “making available” the information and, thus, constitutes a “sale” pursuant to the CCPA. In order to mitigate the risk that permitting behavioral advertising networks to deploy cookies on a website will be interpreted as a “sale,” many websites are asking consumers for opt-in consent to the use of behavioral advertising cookies through cookie banners. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.”4 As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of tracking cookies, the website arguably has not “sold” information to behavioral advertisers.
Unlike the CCPA, Nevada defines the term “sale” as including only “the exchange of covered information for monetary consideration by the operator [of a website] to a person for the person to license or sell the covered information to additional persons.”5 Nevada’s narrower definition precludes the term from applying to the use of third party behavioral advertising networks as (1) behavioral advertising networks typically do not provide advertisers or publishers with “monetary consideration” for the deployment of their cookies, and (2) while the behavioral advertising networks may use the information that they obtain from their cookies for the benefit of themselves and their other clients, they typically do not “license or sell” that information.
CCPA Privacy FAQs: Is a business required to post a “do not sell” link if it offers a loyalty program?
Not necessarily.
California has two statutes that apply to the sale of information – The California Shine the Light Law and the California Consumer Protection Act.
The California Shine the Light Law applies to companies that have a business relationship with a consumer that is “primarily for personal, family, or household purposes” and that collect personal information online.1 As a result, the statute generally applies to B2C loyalty programs that are operated online. If the statute applies, it generally requires that a business that allows third parties to use information collected from consumers for the third parties’ own direct marketing tell consumers how they can request more information concerning the identity of those third parties.2 It is important to note, however, that if a business does not sell personal information (or allow other third parties to use personal information for their direct marketing), the business is not required to make an affirmative statement to that effect. In other words, if a loyalty program provides personal information to other companies and allows those companies to market products and services to consumers, the statute requires that the company discloses that fact; it does not require a loyalty program that does not share information with third parties for their own use to make any disclosures.
The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3 The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.
CCPA Privacy FAQs: Is a company required to respond to a data subject access request electronically?
Sometimes.
The CCPA states that a business should disclose any information that it is required to disclose in response to an access request “in writing” and “delivered through the consumer’s account with the business.”1 The requirement, of course, assumes that a business maintains an “account” or portal through which it typically communicates with a consumer. For businesses that do not maintain consumer portals, the CCPA requires the business to provide the requested information “by mail or electronically at the consumer’s option.”2 As a result, businesses should first attempt to leverage any customer portal that they maintain; absent such an option, they should defer to any request from the consumer to receive the data electronically or by mail. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.3
In comparison, the European GDPR gives individuals two separate rights – a right to access the personal data that a company holds about them,4 and a right to receive personal data in a “portabl[e]” format.5 While those rights are interrelated, they are not co-extensive.
An individual’s right of “access to the personal data” that a company holds about them (or at least to receive a description of the type of personal data that a company holds about them) applies regardless of why a company that is considered a “controller” maintains personal information about the individual. When a request relating to this right is received, the GDPR does not mandate that a company provide the information to the data subject in any particular format. Some supervisory authorities have recognized that while a data subject may prefer a response electronically, a company can satisfy its obligation by producing the information in any “intelligible form” including by providing a “photocopy or print-out of the relevant information.”6
In contrast, an individual’s right to receive their personal data in a portable format only applies when a company’s processing is based either on the fact that the data subject provided their consent for the processing, or the data subject entered into a contract with the company.7 When a request relating to the portability right is received, the company is obligated to provide the data in an electronic format.
CCPA Privacy FAQs: Under the CCPA, can a conference organizer use on-site tracking at their conference for third-party marketing?
Yes.
On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).
Assuming that the CCPA applies to a conference organizer (e.g., the organizer does business in California and meets the minimum revenue or data subject thresholds), nothing within the CCPA prohibits the organizer from collecting on-site tracking data, or using that data for third party marketing (e.g., to market the products or services of conference sponsors to attendees). The CCPA would require that a conference organizer disclose that they are tracking attendee behavior as well as disclose their purpose for tracking – including the use of the data to market third party products and services. While the disclosure might come in the form of a privacy policy provided to attendees, it could be less formal – such as via a poster or sign at check-in. Conference organizers should also consider the following additional CCPA-related implications:
- If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
- An organizer may receive a request from an attendee for access to their information. In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
- An organizer may receive a request from an attendee to delete their information. In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted. For example, if the information is being collected for a purpose other than marketing – such as security at the conference – the organizer may be able to deny the request on those grounds.
- If the organizer transfers the personal information to a third party, and allows that third party to use it for their own purposes (e.g., to directly market to California residents), the organizer would have to include a “Do Not Sell My Information” link on their internet home page1 and within any online privacy policies.2 Further, the organizer cannot discriminate against any attendees who opt not to have their information sold by offering them fewer benefits or charging higher prices.3
Co-authored by Jason Schultz
Does a business need to post a “do not sell” link if it does not sell personal information?
No.
The CCPA requires businesses that sell personal information to, among other things, explain that consumers have a “right to opt-out” of the sale,1 and provide a clear and conspicuous link on their homepage titled “Do Not Sell My Personal Information,” which takes the consumer to a mechanism that permits the exercise of the opt-out right.2 If a business does not sell personal information, and if the business affirmatively states that it does not sell personal information in its privacy notice, it is not required to provide a “notice of [the] right to opt-out” or post the “Do Not Sell” link.3
Does an employee facing privacy notice need to contain different types of information from a privacy notice provided to other types of consumers?
It depends.
The CCPA applies to the personal information of California employees of a business that is subject to the statute. The specific rights afforded to employees were set to phase-in throughout 2020.
Beginning in 2020, the CCPA required that a business subject to the Act disclose (1) the type of personal information that it collected about its California employees and (2) the purpose of the collection “at or before the point of collection.”1 While the same information was required to be disclosed when a business collected personal information about other types of California residents (e.g., California customers), for other types of California residents the CCPA required that a privacy notice contain twelve additional disclosures. These only apply to employee-privacy notices beginning on January 1, 2021. The following provides a summary of those disclosure requirements that apply to employees on January 1, 2020, and those that apply on January 1, 2021:
Privacy Notice Disclosures Required as of January 1, 2020
In All Privacy Notices (e.g., employee and non-employee):
1. Identify the enumerated categories of personal information collected.2
2. Identify the general purpose for which information will be used.3
Additional Privacy Notice Disclosures Required as of January 1, 2020 in Non-Employee Privacy Notices and as of January 1, 2021 in Employee Privacy Notices:
1. Explain the ability of a California resident to request access to their personal information.4
2. Identify the enumerated categories of personal information shared with service providers.5
3. Identify the enumerated categories of personal information sold to third parties (or affirmatively state that the business does not sell personal information).6
4. State that a California resident has the ability to opt out of the sale of information (if applicable).7
5. Provide contact information that can be used to request access, deletion, or opt-out (if applicable).8
6. Explain the ability of a California resident to request deletion of their personal information.9
7. Provide general information concerning the sources from which personal information was collected.10
8. Provide general information concerning the third party recipients of personal information.11
9. Explain in general terms the process used to verify or authenticate a California resident that requests access to, or the deletion of, their information.12
10. Explain that California residents will not be discriminated against if they choose to exercise one of their rights under the CCPA.13
11. Explain how an authorized agent can make a request under the CCPA on behalf of a California resident.14
12. Provide contact information for how questions or concerns regarding privacy practices can be raised with the business.15
The net result is that, between January 1, 2020 and January 1, 2021, an employee privacy notice does not have to contain all of the information contained in privacy notices given to other types of California residents. In essence, it can be thought of as a “short form” privacy notice. After January 1, 2021, the same provisions must be included in an employee and non-employee privacy notice that is subject to the CCPA.
Does the IAB guarantee that its “Do Not Sell” framework complies with the CCPA?
No.
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).1 The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold. The proposal was presented as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.2
At the time that it published the IAB Do Not Sell Framework, the IAB and the IAB’s affiliated organization, IAB Tech Lab, made clear that they were not willing to represent, warrant, or guarantee that companies that adopt the final version of the IAB Do Not Sell Framework will be in compliance with the CCPA’s requirement that a business “refrain from selling personal information” after a consumer expresses their desire to “opt-out” of such sales.3 Indeed, the IAB included the following disclaimers and warnings to companies in the IAB Do Not Sell Framework materials:
“The authors and IAB make no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”4
“We take no position on legal conclusions, and leave it to industry participants to consult with their own legal counsel.”5
“We recognize that there is no single, agreed upon compliance interpretation of the CCPA. We take no position on any legal conclusion and leave it to industry participants to consult with their own legal counsel.”6
“TECH LAB DOES NOT WARRANT THAT THE PRODUCTS AND SERVICES PROVIDED TO OR USED BY YOU HEREUNDER SHALL CAUSE YOU AND/OR YOUR PRODUCTS OR SERVICES TO BE IN COMPLIANCE WITH ANY APPLICABLE LAWS, REGULATIONS, OR SELF-REGULATORY FRAMEWORKS, AND YOU ARE SOLELY RESPONSIBLE FOR COMPLIANCE WITH THE SAME.”7
How can a business distribute an employee privacy notice to current employees?
Beginning in 2020, the CCPA required that businesses subject to the Act provide their employees with a privacy notice that identified (1) the type of personal information collected about California employees and (2) the purpose of the collection.1 Beginning on January 1, 2021, employers are required to include twelve additional topics in employee privacy notices.
While the CCPA does not dictate the manner in which a privacy notice is distributed to employees, many employers consider using one, or more, of the following distribution techniques:
- Computer log-in notice. Some employers add a link to the employee privacy notice on the log-in screen of all workstations.
- Email. Some employers email a copy (e.g., PDF) or a link (e.g., internal SharePoint) of the employee privacy notice to all employees at least once a year.
- Employee handbook. Some employers include a copy of the employee privacy notice in the employee handbook.
- Open enrollment. Some employers include a link to the employee privacy notice on the page or portal used by employees to select, or confirm, their benefits elections each year.
- Paper distribution. Some employers distribute a hard copy of the privacy notice to each employee, or post a copy of the privacy notice in a public space available to employees (e.g., break rooms).
It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to employees with disabilities.2 As a result, if some employees cannot use a given format because of a disability (e.g., visually impaired employees might not utilize computers or email), a business may need to consider alternative methods of communicating. It is also important to note that the Modified Proposed Regulations imply that even if a business elects to distribute a privacy notice in hard copy (e.g., paper distribution), it may still need to post an electronic copy of the privacy notice “online.”3
The distribution technique that is best suited for a particular company may depend on a number of factors, including whether employees have access to computers at work, maintain work email addresses, receive benefits, or have access to an employee handbook.
How can a business distribute an employee privacy notice to job applicants?
While the CCPA does not dictate the manner in which a privacy notice should be distributed to job applicants, many employers consider using one or more of the following distribution techniques:
- Homepage. Some employers include references to the personal information collected from job applicants in a unified privacy notice posted on the company’s homepage in a persistent footer.
- Online application submission form. Businesses that solicit applications through an online submission form often add a link to the privacy notice that describes the collection of information from job applicants on the form submission page.
- Email. Some employers email a copy (e.g., PDF) of the privacy notice that applies to job applicants to each candidate that submits an application.
- URL on paper applications. Some employers that accept paper job applications include a reference to where the applicant can find a full copy of the business’s privacy notice on the paper application form.
- Copy on paper applications. Some employers include a copy of either the full privacy notice, or a short form privacy notice, on any paper application forms.
It is important to note that, regardless of the distribution manner selected, if the Modified Proposed Regulations to the CCPA are adopted, an employer should also take steps to make the privacy notice “reasonably accessible” to job applicants with disabilities.2 The Modified Proposed Regulations also imply that if a business elects to distribute a privacy notice in hard copy (e.g., a copy on the back of a paper application), it may still need to post an electronic copy of the privacy notice “online.”3
How many businesses have already adapted their privacy notices for the CCPA?
As the CCPA’s effective date approaches, businesses are actively monitoring how companies will update their privacy notices to comply with the new disclosure requirements of the Act. While many companies are prepared to update their own privacy notices at the end of the year, policies that are preemptively changed before year-end are being reviewed and scrutinized by the industry for trends and signs of any industry standard practices surrounding such things as the disclosure of the “sale” of information or the collection of information by “enumerated category.”
In order to help companies understand and benchmark emerging industry practice, BCLP analyzed a random sample of the privacy notices of Fortune 500 companies and will continue to monitor each week how the sample-set evolves and changes as January 1, 2020 approaches and thereafter.1 The following summarizes the “state” of privacy notice revisions as of the week of December 2, 2019:
How much time does a company have to respond to an access request?
The CCPA requires that a business “deliver” the information that is required to be produced under the Act within “45 days of receiving a verifiable consumer request.”1 The 45-day time period can be extended by an additional 45 days when “reasonably necessary.”2 If a business seeks to rely upon the extension, it must inform the requestor of that fact within the first 45-day period.
The CCPA does not specify what types of situations might qualify as “reasonably necessary” to extend the response time period. It is possible that a court, or the California Attorney General, could look to the GDPR for guidance. The GDPR similarly allows an organization to extend the time within which information must be provided in response to an access request, and specifies that two factors that might contribute to the need for an extension are the “complexity and number” of requests that a person makes.
If a consumer sends a request for deletion or a request for access via Twitter or other social media, does a business have to respond?
As an initial matter, the statutory text of the CCPA is somewhat unclear regarding a business’s obligations when it receives a request for access or a request for deletion in a non-standard format. The statute provides only that a business must “[m]ake available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.”1
Taken alone, the provision states that businesses may direct consumers to a finite number of “designated methods,” with the implication that requests submitted through non-designated methods are invalid and may be ignored. The proposed regulations, however, state the opposite—specifically, the regulations require that when a consumer submits a request through a non-standard method, the business must either “[t]reat the request as if it had been submitted in accordance with the business’s designated manner, or . . . [p]rovide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.”2
Thus, in the case of a request submitted by Twitter, at a minimum the business would be required to provide the consumer who authored the tweet with information about how to submit a valid request. It is also unclear as to the time period by which a business must respond to a non-standard request, since it is unclear whether a non-standard request, such as a Twitter request, meets the definition of a “request to know” or a “request to delete” under the regulations.3
Is a business required to delete only 12 months of consumer information in response to a request to be forgotten?
No.
Unlike a request for access,1 a business’s deletion obligation extends to all data held by the business regarding a consumer, unless an exception applies, irrespective of when that data was collected, generated or processed. Neither the statutory text nor the regulations establish a “lookback period” for requests for deletion. That said, a business is not obligated to delete consumer information that it is required to retain to comply with a legal obligation.2 As a consequence, a business may be required to retain data for a period of time under applicable law.
Stop the CCPA Fearmongering: Loyalty Programs Will Survive
Anytime a new statute or regulation comes along, some law firms unfortunately flag issues that may not be of true concern to companies, or highlight problems that may not, in fact, exist. Unfortunately, that continues to happen in connection with the California Consumer Privacy Act (“CCPA”). In the context of retailer loyalty or reward programs, firms have said that the CCPA may spell the “end of loyalty programs,” or implied that the CCPA could lead to “the potential elimination of loyalty programs due to the nondiscrimination requirements.” Some law firms have gone so far as to advise retailers to “address the issue[s]” caused by their loyalty programs by “not offer[ing] preferential pricing through loyalty programs” or by “mak[ing] loyalty program pricing available to all customers” regardless of whether they are, in fact, members of the loyalty program. Such changes would, of course, destroy the business-case for having a loyalty program in the first place.
These concerns are incorrect and demonstrate a lack of understanding of the requirements of the CCPA. While the Act is, without a doubt, flawed, poorly drafted, and prone to misinterpretation, it does not lead to the conclusion that most loyalty programs are inherently problematic, nor should it cause most retailers to drastically change the terms and structure of their program. The hyperbolic treatment of loyalty programs by some law firms may also have contributed to several companies and industry groups echoing these concerns with the California legislature and the California Attorney General and alleging (incorrectly) that “the CCPA may prevent[] marketers from offering loyalty programs,” or that the CCPA, as currently written, prohibits “tiered pricing, discounts or coupons.”
The following dispels five (mis)statements that have been made in connection with the CCPA’s impact on loyalty programs.
1. Myth: The CCPA prohibits “charging different prices or rates for goods or services.”
It does not.
The prohibition against price discrimination in the CCPA only applies to situations in which a consumer exercises a right conferred by the CCPA. Nothing within the CCPA confers a right to join (or not join) a loyalty program. For more information, see FAQ: Is a business prohibited from giving discounts to loyalty program members?
2. Myth: The CCPA states that the benefit provided to the consumer through a loyalty program must be reasonably related to the value provided to the business by the consumer’s data.
It does not.
As indicated above, the CCPA prohibits a business from engaging in price discrimination when a consumer exercises a right under the CCPA. The CCPA provides an exception to that prohibition when the discrimination relates to a “price or difference” that is related to the value provided to a business by the consumer’s data.1
While some lawyers have misinterpreted this as requiring that all loyalty program benefits be related to the value provided to the business by the consumer’s data, as noted above, the operation of the loyalty program itself is not prohibited by the CCPA and, thus, does not require the benefit of this exception.
For more information, see FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?
3. Myth: Businesses must honor deletion requests for loyalty members.
They generally do not.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”2 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the ambit of a deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request. For more information about each of those exceptions, and a description of how they apply to most loyalty programs, see FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an active member? and FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an inactive member?
4. Myth: Businesses that offer loyalty programs must include a “do not sell my personal information” link.
Not necessarily.
The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3 The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.
For more information go to FAQ: Is a business required to post a “do not sell” link if it offers a loyalty program?
5. Myth: Businesses that allow consumers to redeem points with third parties are selling information.
They generally are not.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.4 In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem points accumulated through the loyalty program of business A in order to receive goods or services provided by business B. For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.
Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business B), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider. As a result, and depending upon the structure of the business relationships, it is possible that, at first glance, the arrangement could fit the definition of “sale” under the CCPA.
Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”5 As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.
For more information, go to FAQ: If a business allows consumers to redeem loyalty program benefits for products or services offered by a partner, does that constitute the sale of information?
Under US law, can an employer share the name of an employee infected with a contagious disease with other employees?
Nothing within the CCPA inherently prohibits an employer from sharing the names of employees that have been infected with a contagious disease with other employees who may have come into contact with the infected employee and, as a result, might take preventative measures (e.g., self-isolation). The CCPA arguably requires only that the business take the following steps:
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure of the identity of an infectious employee would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with third parties (which, of course, would include fellow employees) for the purpose of protecting employees, protecting the public, or protecting other individuals.1
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”2 While it is not certain whether disclosing to an employee the name of an infectious person would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with employees to promote health and safety.3
It is important to note that other federal or state labor and employment laws may preclude a business from sharing the identity of a potentially contagious employee with other employees without the infected employee’s consent. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”4 Although this confidentiality requirement is subject to certain exceptions, there is currently no exception for providing an employee’s confidential medical information to other employees for purposes of promoting their health and safety. As a result, if an infectious employee was recently around other employees, many employers try to inform the employees that are at heightened risk that they have been exposed without specifically identifying the individual that exposed them.
Under US law, can an employer share with public health authorities the names of employees infected with a contagious disease?
- The CCPA requires that a business include within its notice of collection and/or privacy notice a general disclosure that informs employees of the business purposes for which their information was collected. While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating within their privacy notices that information may be shared with federal, state, or local government agencies for the purpose of protecting employees, protecting the public, or protecting other individuals.2
- In the event that an employee submits an access request upon the business, the CCPA requires (beginning on January 1, 2021) that the business state what information was “disclosed for a business purpose.”3 While it is not certain whether disclosure to a public health authority would be considered a “business purpose,” businesses should consider stating in response to an access request that information was shared with a government agency and identifying the categories of information that were shared.4
It is important to note that other federal or state labor and employment laws likely preclude a business from sharing information about potentially contagious employees with public health authorities. For example, the federal Americans with Disabilities Act requires that any information which is obtained as part of a voluntary medical examination, or as part of voluntarily collecting medical information from an employee, be kept “confidential.”5 Although this confidentiality requirement is subject to certain exceptions, the only government-related exception permits disclosure upon request to “government official investigating compliance with [the ADA].”6 Thus the ADA may prohibit a business from voluntarily disclosing information about an infected employee to state or local public health agencies. As a practical matter, most infectious diseases are identified by medical providers who may have an independent obligation to report the infection to public health authorities (e.g., the Center for Disease Control). As a result, public health authorities should not be reliant upon a company to provide information about infected individuals.
What concerns do website owners have with the IAB’s final CCPA Do Not Sell Framework?
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing. Its members include both media companies and advertising technology (“adTech”) companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “Draft IAB Do Not Sell Framework”).1 The draft proposed that website owners would provide consumers with a “do not sell” link, transmit a do not sell signal to IAB framework participants if a consumer opted-out, and the framework participants would agree to abide by a “Limited Service Provider Agreement” in their treatment of such data. The proposal was presented as a means of complying with the CCPA’s requirement that companies disclose if they sell personal information, and, if a sale is occurring, include a “Do Not Sell My Personal Information” link on their website.2
Numerous questions and concerns were raised by privacy advocates and the business community with the draft. In December, the IAB released a final version of the framework (the “IAB Do Not Sell Framework”) which addressed some (but not all) of those concerns. The following are some of website owners’ concerns with the viability of the framework as it was finalized:
- Website owners would be contractually limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework effectuates a do not sell request by attempting to convert adTech companies that have joined the framework, and that have executed a “Limited Service Provider Agreement” provided by the IAB, into “service providers” when such companies receive a do not sell signal from a website owner. From a website owner’s perspective, however, if they participate in the IAB Do Not Sell Framework they are effectively self-restricting the adTech companies with whom they can partner to those that have joined the framework. Specifically, the Limited Service Provider Agreement that website owners are required to accept requires that they represent and warrant that if a consumer clicks their do not sell link the website owner will “only” transmit “bid requests . . . to Downstream Participants that are Signatories” of the IAB Do Not Sell Framework.3 Given uncertainty concerning how many companies in the behavioral advertising ecosystem will join the framework, many website owners are concerned about the cost, and the potential disruption, that could be involved in (1) identifying which of their behavioral advertising partners have joined the framework, (2) terminating relationships with behavioral advertising companies that choose not to participate in the framework, and (3) conducting ongoing monitoring of behavioral advertising partners to ensure that they continue their framework participation.
- Website owners that continue to transmit data to non-IAB participants could be alleged to have engaged in deceptive practices. The IAB Do Not Sell Framework requires that website owners post a “do not sell my personal information” link on their website, and disclose in their privacy notice that by clicking the link a consumer’s information will no longer be sold. To the extent that the website owner continues to transmit data to non-IAB participants (i.e., companies that have neither entered the IAB Do Not Sell Framework nor agreed via a separate contract to refrain from using, sharing, or disclosing information that they receive from the website owner for their own purposes if the website owner broadcasts the IAB do not sell signal), it is possible that a regulator or a privacy advocate may allege that the website owner has misrepresented the effect of clicking on the Do Not Sell link.
- The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA the Act states that there must be a “written contract” and implies that the contract must be “with the business.”4 Although the “Limited Service Provider Agreement” published by the IAB purports to be a contract between and among “all other Signatories to this Agreement” there is ambiguity about whether a court will interpret such an arrangement as a sufficient “contract” between a website owner and downstream adTech companies.5 Furthermore, although the Limited Service Provider Agreement purports to take precedence over pre-existing contracts entered into between a website owner and its adTech partners, the order of precedence identified in the Limited Service Provider Agreement may itself conflict with priority designations within those existing contracts.6 Existing contracts may also prohibit, or nullify, contractual arrangements, like the Limited Service Provider Agreement, that are created without bilateral signatures from both parties.
- IAB, and the adTech participants, refuse to accept any liability for the effectiveness of the framework. The “Limited Service Provider Agreement” disclaims any representation that the IAB Do Not Sell Framework complies with the CCPA. To the contrary, it states that “changes in the interpretation of the CCPA by an enforcement authority or court of competent jurisdiction . . . may hold that this Agreement, in whole or in part, is not permissible.”7 The IAB reiterates its reluctance to warrant that its framework complies with the CCPA in the IAB CCPA Compliance Framework for Publishers & Technology Companies document itself, where it states that the “IAB make[s] no representations or warranties, express or implied, as to the completeness, correctness, or utility of the information contained in this Framework and the accompanying Agreement and assume no liability of any kind whatsoever resulting from the use or reliance upon its contents.”8 The reluctance to assume any monetary liability if a CCPA penalty is assessed as a result of the use of the framework is reiterated in the Limited Service Provider Agreement, where it states in all caps that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND . . . ARISING FROM OR RELATING TO THIS AGREEMENT, REGARDLESS OF WHETHER SUCH SIGNATORY WAS ADVISED, HAD OTHER REASON TO KNOW, OR IN FACT KNEW OF THE POSSIBILITY THEREOF.”9 It is unclear to what extent website owners who may be directly liable for a violation of the CCPA will be comfortable relying upon a compliance framework that ascribes no liability to their adTech partners.
- The Limited Service Provider Agreement may erode existing liability protections. To the extent that a website owner has entered into a separate contract with an adTech partner that provides contractual remedies (e.g., damages) if the adTech partner fails to comply with data privacy laws, the Limited Service Provider Agreement may erode those protections. Specifically, the Limited Service Provider Agreement states that in the face of a conflict with pre-existing contract terms, the Limited Service Provider Agreement will take precedence in connection with the “Sale and/or use of Personal Information.”10 As the Limited Service Provider Agreement states that “IN NO EVENT WILL A SIGNATORY BE LIABLE TO ANY OTHER SIGNATORY . . . FOR ANY DAMAGES OF ANY KIND” an adTech company may attempt to argue that any monetary recovery permitted by an underlying agreement is eroded by the Limited Service Provider Agreement.11
- Device/Browser level opt-out may not comply with the CCPA. The IAB Do Not Sell Framework appears to contemplate that when a user clicks on a website owner’s Do Not Sell My Personal Information link it would typically trigger a “Device/Browser Level Opt Out.”12 A “Device/Browser Level Opt Out” means that the consumer’s instruction for their information not to be sold would only apply “to the particular device (e.g., mobile or desktop hardware unit) or browser on which the applicable Consumer has Opted Out.”13 It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”14 Put differently, while the CCPA prohibits a business from selling a consumer’s personal information after they click a Do Not Sell link, under the IAB Do Not Sell Framework it would appear that a consumer’s personal information would continue to be sold each time they visit a website owner’s site from a different device or a different browser.
- Failure to adequately disclose device/browser level opt-out could result in allegations of deception. The draft IAB Do Not Sell Framework suggested that websites notify consumers who opted out under the framework that if they visited the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer) their information would again be sold until, or unless, the consumer submitted a new opt-out request on the new device.15 Specifically, it required website owners to state in their privacy notices that “opt out is at a device level and how to opt out across different devices.”16 Interestingly, the final IAB Do Not Sell Framework does not contain such an explicit requirement and instead requires the website owner to generally explain “the effective scope of the opt out.”17 If a website owner does not accurately describe to consumers that the IAB Do Not Sell Framework’s opt-out mechanism appears to be limited to the device/platform used by the consumer to submit an opt-out request, privacy advocates may attempt to allege that the website owner has misrepresented the consumers’ ability to opt-out.18
- Non-persistent opt-outs may not comply with the CCPA. When a user clicks on a website’s Do Not Sell My Personal Information link, it appears that the framework contemplates that the user’s preference would be recorded in a cookie placed on the user’s machine.19 If a user clears their browser’s cache, that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business. Put differently, by suggesting that website owners utilize cookies to store user Do Not Sell requests, the framework appears to be endorsing a non-persistent system for recording consumer preferences. It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”20
- Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information that is collected by the business both online and offline. The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
- Admission that most website visitors are “consumers.” The CCPA applies to “consumers” a term defined under the Act as including only residents of the state of California. Many website owners have struggled with how to identify whether a website visitor is, in fact, a California resident. While data points that are sometimes collected by website owners (e.g., IP address, shipping information, or billing information) might bear some correlation to residency, such data points are far from conclusive. For example, a resident of Colorado who works for a company that is headquartered in Los Angeles might ship information to a California office address, present with a California billing address, and even have a California IP address (e.g., via a corporate VPN), but would not be a California resident. The Limited Service Provider Agreement requires that website owners represent and warrant that they have “undertaken commercially reasonable efforts to determine that the User [that clicks on a Do Not Sell My Personal Information Link] is a Consumer” for the purposes of the CCPA, or that the website owner “has assumed that all Users on the Digital Property are Consumers.”21 Both representations may be problematic. The former may state or imply that some effort has been undertaken to verify the residency of website visitors when most websites do not collect residency, or take efforts to verify residency. The latter would require that the website confer upon all visitors the rights of Californians. It also raises the specter that the California attorney general might use the contractual representation in an enforcement action to prevent a company from arguing that a particular visitor was not a Californian.
What concerns have been raised with the IAB’s Do Not Sell Framework?
The Interactive Advertising Bureau (“IAB”) is a trade association comprised of companies that participate in digital marketing; its members include both media companies and advertising technology companies.
In October of 2019, the IAB published a draft IAB CCPA Compliance Framework for Publishers & Technology Companies (the “IAB Do Not Sell Framework”).1 The IAB Do Not Sell Framework proposed a system for companies that participate in third party behavioral advertising to provide consumers with an option for expressing their preference that their information not be sold. The proposal was presented ostensibly as a means of complying with the CCPA’s requirement that companies that sell personal information include a “Do Not Sell My Personal Information” link on their website, and honor the preference of consumers that opt out of such sales.2
Numerous questions and concerns have been raised by privacy advocates and businesses with the IAB Do Not Sell Framework. These include, but are not limited to, the following issues:
- Websites would be limited to dealing with adTech companies that participate in the framework. The IAB Do Not Sell Framework attempts to effectuate a do not sell request by converting any adTech company that has joined the framework, and that has executed a “Limited Service Provider Agreement” provided by the IAB, into a “service provider” when they receive a do not sell signal from a participating website. From a website’s perspective, however, if they participate in the IAB Do Not Sell Framework they may be effectively restricting the adTech companies (including the behavioral advertising network providers) with whom they can partner to those that have joined the framework. Websites may incur significant disruption if they are forced to terminate current adTech partners that decide not to join.
- The terms of the Limited Service Provider Agreement are unknown. Advertising technology companies that participate in the framework (e.g., third party behavioral advertising networks) would contractually agree to be bound by a “Limited Service Provider Agreement.” Although the IAB provides a high level description of the provisions that might be included in the Limited Service Provider Agreement, as of November 20, 2019, the agreement itself had not been published.3 As a result, it is not possible to determine whether the agreement comports with the service provider requirements of the CCPA.
- The effectiveness of the Limited Service Provider Agreement is unknown. In order for a company to be considered a “service provider” under the CCPA the Act states that there must be a “written contract” and implies that the contract must be “with the business.”4 Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that the agreement will not be entered into between a website and a technology company directly as “Digital Properties lack privity with many Downstream Framework Participants.”5 It may be that the IAB anticipates that adTech companies will agree to a set of industry rules or terms to which a website will be a third party beneficiary. Assuming that is the case it is unclear whether a court will interpret such a contractual arrangement as a “contract” between the parties sufficient to create a service provider relationship.
- The Limited Service Provider Agreement will contain no indemnification of websites. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “no indemnification provisions.”6 It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to provide any indemnification for privacy-related violations.
- The Limited Service Provider Agreement will impose no liability on adTech companies. Although the “Limited Service Provider Agreement” contemplated in the IAB Do Not Sell Framework has not been published, the IAB states that it will include “a complete limitation of liability.”7 It is unclear to what extent websites that may be directly liable under the CCPA will be comfortable with the risk that arises from service providers that are unwilling to assume any liability for privacy related violations.
- Device level opt-out may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a device-level opt-out.8 Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different device (e.g., a work computer instead of a smartphone, or a smartphone instead of a personal computer) their information will again be sold until, or unless, the consumer submits a new opt-out request on the new device. It is unclear whether a device-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and the requirement that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”9
- Browser level opt-out may not comply with the CCPA. Under the framework, when a user clicks on a website’s Do Not Sell My Personal Information link it would trigger a browser-level opt-out.10 Among other things, the IAB Do Not Sell Framework suggests that websites notify consumers that if they visit the website from a different browser (e.g., Chrome instead of Safari) their information will again be sold until, or unless, the consumer submits another opt-out request from the new browser. It is unclear whether a browser-level opt-out fully complies with the CCPA’s requirement that businesses “refrain from selling personal information collected by the business about the consumer” after receiving an initial opt-out request and that businesses wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”11
- Non-persistent opt-outs may not comply with the CCPA. Under the framework when a user clicks on a website’s Do Not Sell My Personal Information link it would record their preference in a cookie placed on the user’s machine.12 If a user clears their browser’s cache that preference selection would, presumably, be erased and, as a result, the user’s personal information would again start to be sold by a business. It is unclear whether a non-persistent opt-out mechanism fully complies with the CCPA’s requirement that a business “refrain from selling personal information collected . . . about the consumer” after receiving an initial opt-out request and wait “at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.”13
- Offline to online sales. The CCPA arguably requires a company that receives a do not sell request to cease the selling of information both online and offline. The IAB framework’s focus on the online collection, and transmission, of do not sell requests does not appear to anticipate that many organizations may not collect sufficient information about a consumer to effectuate the request in the offline environment.
- Misrepresentation and deception litigation risk. Some privacy advocates have asserted that the IAB framework would, if adopted, “result in significant misrepresentations of the law.”14 It is not precisely clear what misrepresentations they believe would be made through the framework. However, their statements may be a signal that they intend to work with plaintiff attorneys to test whether use of the framework might be the foundation of a deception claim in litigation.
What does a Human Resources Director need to know about the CCPA?
- Privacy notices. Under the CCPA, employers are required to provide California employees with privacy notices that, among other things, itemize the categories of personal information collected, shared, and sold about the employee.1
- Access rights. Under the CCPA, California employees are permitted to request access to the personal information that the employer has collected about the employee.2
- Deletion rights. Under the CCPA, California employees are permitted to request the deletion of the personal information that the employer has collected from the employee.3 Note that the CCPA does not require that employers grant such requests in all situations.
- HR benefits providers. Under the CCPA, an employer must take steps to verify that by providing personal information about California employees to benefits providers it is not “selling” personal information as that term is defined in the statute. If a sale does occur, the employer must disclose the sale to the employee and offer them the ability to opt-out of the sale through a “Do Not Sell” mechanism.
- Data security breach. Under the CCPA, if the sensitive information of a California employee (e.g., Social Security Number) is breached as a result of the employer’s inadequate data security, an employee may be able to initiate suit to recover statutory liquidated damages.4
What steps must a business take if it sells personal information?