CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

January 14, 2020

In a prior article, we analyzed Articles 1 through 4 of the California Attorney General’s proposed California Consumer Privacy Act (“CCPA”) regulations. This article discusses Article 5 (Special Rules Regarding Minors) and Article 6 (Non-Discrimination).

Before we turn to our analysis, it is worth discussing where we stand with the CCPA and its implementing regulations. The proposed regulations were originally published in October 2019. The AG’s office subsequently held a series of public hearings on the regulations and solicited written comments. That process ended on December 6, 2019, and the AG’s office is expected to issue final regulations shortly. The CCPA went into effect on January 1, 2020, which means that businesses should, at a minimum, be updating their online privacy policies and accepting and responding to consumer requests. However, the Attorney General’s office cannot enforce the CCPA until July 1, 2020.

With that background, we now turn to analyzing Articles 5 and 6.

Article 5. Special Rules Regarding Minors

As a starting point, § 1798.120(c) (as amended) of the CCPA provides that “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years or age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.” Stated differently, businesses cannot sell the personal information of California residents under 16 unless they have an opt-in to that sale. That opt-in must come from the parent (if the resident is under 13) or the consumer (if the resident is 13 and less than 16). Further, if a business willfully disregards the consumer’s age, it “shall be deemed to have had actual knowledge of the consumer’s age.”

In turn, Article 5 of the regulations attempts to operationalize those statutory requirements. First, § 999.330(a) provides the process for opt-ins of minors under 13. It requires businesses to “establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information” is the parent or guardian of that child. The regulation then identifies six methods that are reasonable, including collecting a signed parental consent form, having a parent call a toll-free telephone number and checking a parent’s government-issued identification against databases of such information.

With respect to receiving opt-ins from minors between 13 and less than 16, § 999.331 requires businesses to establish a “reasonable process,” which should be consistent with the business’s process for obtaining opt-ins of adults after they have opted-out of sales.

Finally, businesses must describe these procedures in their privacy policies.

Article 6. Non-Discrimination

By way of background, § 1798.125 of the CCPA prohibits a business from discriminating against a consumer because the consumer exercised any of his/her CCPA rights. That includes denying goods or services, charging a different price, or providing a different level or quality of goods or services. However, a business can charge a consumer a different price or rate or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to the business by the consumer’s data. Businesses also can offer financial incentives for the collection or sale of personal information as long as the financial incentive is not unjust, unreasonable, coercive or usurious in nature.

In turn, Article 6 of the regulations does not provide much more insight into how the anti-discrimination provision will operate and, in large part, just reiterates the statute. It also is unclear whether, prior to being published, the regulation was updated to reflect one of the final amendments to the CCPA, namely, that the different treatment or financial incentive must be reasonably related to the value provided to the business by the consumer’s data. The pre-amended version provided that it must be reasonably related to the value provided to the consumer by the consumer’s data. Section 999.337 of the regulation still uses the pre-amended phrase (although it appears to try to link that phrase to the amended phrase).

In any event, the regulation requires businesses to “use and document a reasonable and good faith method for calculating the value of the consumer’s data” and provides eight proposed methods, including the “marginal value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data” and the “revenue generated by the business from sale, collection, or retention of consumers’ personal information.”

Conclusion

As discussed, it is anticipated that the AG’s office will publish final regulations at any time. In the meantime, the AG’s proposed regulations (along with the text of the CCPA) provide businesses with the best means by which to drive compliance.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.

You must login or register in order to post a comment.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

ON DEMAND: There's a lot at stake when it comes to cybersecurity. Reputation, productivity, quality. Join us to discuss the future of your global security strategy and a path forward with trusted partners Cisco and Rockwell Automation, and turn your Food & Bev security challenges into strategic advantages that drive business value.

CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

Article 5. Special Rules Regarding Minors

Article 6. Non-Discrimination

Conclusion

Recent Articles by David Stauss

Analyzing the draft standard contractual clauses

Analyzing the EDPB’s draft recommendations on supplementary measures

What U.S. companies should know about LGPD – Brazil’s new General Data Protection Law

Switzerland’s DPA concludes that Swiss-US Privacy Shield does not provide adequate level of protection

European Commission and EDPB provide update on efforts to address cross-border transfers after Schrems II

The latest news and information

Content written for business-minded executives who manage enterprise risk and security

CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

Article 5. Special Rules Regarding Minors

Article 6. Non-Discrimination

Conclusion

Recent Articles by David Stauss

Related Articles

Report Abusive Comment

The latest news and information

Content written for business-minded executives who manage enterprise risk and security