In a prior article, we analyzed Articles 1 through 4 of the California Attorney General’s proposed California Consumer Privacy Act (“CCPA”) regulations. This article discusses Article 5 (Special Rules Regarding Minors) and Article 6 (Non-Discrimination).

Before we turn to our analysis, it is worth discussing where we stand with the CCPA and its implementing regulations. The proposed regulations were originally published in October 2019. The AG’s office subsequently held a series of public hearings on the regulations and solicited written comments. That process ended on December 6, 2019, and the AG’s office is expected to issue final regulations shortly. The CCPA went into effect on January 1, 2020, which means that businesses should, at a minimum, be updating their online privacy policies and accepting and responding to consumer requests. However, the Attorney General’s office cannot enforce the CCPA until July 1, 2020. 

With that background, we now turn to analyzing Articles 5 and 6.

Article 5. Special Rules Regarding Minors

As a starting point, § 1798.120(c) (as amended) of the CCPA provides that “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years or age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.” Stated differently, businesses cannot sell the personal information of California residents under 16 unless they have an opt-in to that sale. That opt-in must come from the parent (if the resident is under 13) or the consumer (if the resident is 13 and less than 16). Further, if a business willfully disregards the consumer’s age, it “shall be deemed to have had actual knowledge of the consumer’s age.”

In turn, Article 5 of the regulations attempts to operationalize those statutory requirements. First, § 999.330(a) provides the process for opt-ins of minors under 13. It requires businesses to “establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information” is the parent or guardian of that child. The regulation then identifies six methods that are reasonable, including collecting a signed parental consent form, having a parent call a toll-free telephone number and checking a parent’s government-issued identification against databases of such information.

With respect to receiving opt-ins from minors between 13 and less than 16, § 999.331 requires businesses to establish a “reasonable process,” which should be consistent with the business’s process for obtaining opt-ins of adults after they have opted-out of sales.

Finally, businesses must describe these procedures in their privacy policies.

Article 6. Non-Discrimination

By way of background, § 1798.125 of the CCPA prohibits a business from discriminating against a consumer because the consumer exercised any of his/her CCPA rights. That includes denying goods or services, charging a different price, or providing a different level or quality of goods or services. However, a business can charge a consumer a different price or rate or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to the business by the consumer’s data. Businesses also can offer financial incentives for the collection or sale of personal information as long as the financial incentive is not unjust, unreasonable, coercive or usurious in nature.

In turn, Article 6 of the regulations does not provide much more insight into how the anti-discrimination provision will operate and, in large part, just reiterates the statute. It also is unclear whether, prior to being published, the regulation was updated to reflect one of the final amendments to the CCPA, namely, that the different treatment or financial incentive must be reasonably related to the value provided to the business by the consumer’s data. The pre-amended version provided that it must be reasonably related to the value provided to the consumer by the consumer’s data. Section 999.337 of the regulation still uses the pre-amended phrase (although it appears to try to link that phrase to the amended phrase).

In any event, the regulation requires businesses to “use and document a reasonable and good faith method for calculating the value of the consumer’s data” and provides eight proposed methods, including the “marginal value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data” and the “revenue generated by the business from sale, collection, or retention of consumers’ personal information.”

Conclusion

As discussed, it is anticipated that the AG’s office will publish final regulations at any time. In the meantime, the AG’s proposed regulations (along with the text of the CCPA) provide businesses with the best means by which to drive compliance.