CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

January 14, 2020

In a prior article, we analyzed Articles 1 through 4 of the California Attorney General’s proposed California Consumer Privacy Act (“CCPA”) regulations. This article discusses Article 5 (Special Rules Regarding Minors) and Article 6 (Non-Discrimination).

Before we turn to our analysis, it is worth discussing where we stand with the CCPA and its implementing regulations. The proposed regulations were originally published in October 2019. The AG’s office subsequently held a series of public hearings on the regulations and solicited written comments. That process ended on December 6, 2019, and the AG’s office is expected to issue final regulations shortly. The CCPA went into effect on January 1, 2020, which means that businesses should, at a minimum, be updating their online privacy policies and accepting and responding to consumer requests. However, the Attorney General’s office cannot enforce the CCPA until July 1, 2020.

With that background, we now turn to analyzing Articles 5 and 6.

Article 5. Special Rules Regarding Minors

As a starting point, § 1798.120(c) (as amended) of the CCPA provides that “a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years or age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information.” Stated differently, businesses cannot sell the personal information of California residents under 16 unless they have an opt-in to that sale. That opt-in must come from the parent (if the resident is under 13) or the consumer (if the resident is 13 and less than 16). Further, if a business willfully disregards the consumer’s age, it “shall be deemed to have had actual knowledge of the consumer’s age.”

In turn, Article 5 of the regulations attempts to operationalize those statutory requirements. First, § 999.330(a) provides the process for opt-ins of minors under 13. It requires businesses to “establish, document, and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information” is the parent or guardian of that child. The regulation then identifies six methods that are reasonable, including collecting a signed parental consent form, having a parent call a toll-free telephone number and checking a parent’s government-issued identification against databases of such information.

With respect to receiving opt-ins from minors between 13 and less than 16, § 999.331 requires businesses to establish a “reasonable process,” which should be consistent with the business’s process for obtaining opt-ins of adults after they have opted-out of sales.

Finally, businesses must describe these procedures in their privacy policies.

Article 6. Non-Discrimination

By way of background, § 1798.125 of the CCPA prohibits a business from discriminating against a consumer because the consumer exercised any of his/her CCPA rights. That includes denying goods or services, charging a different price, or providing a different level or quality of goods or services. However, a business can charge a consumer a different price or rate or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to the business by the consumer’s data. Businesses also can offer financial incentives for the collection or sale of personal information as long as the financial incentive is not unjust, unreasonable, coercive or usurious in nature.

In turn, Article 6 of the regulations does not provide much more insight into how the anti-discrimination provision will operate and, in large part, just reiterates the statute. It also is unclear whether, prior to being published, the regulation was updated to reflect one of the final amendments to the CCPA, namely, that the different treatment or financial incentive must be reasonably related to the value provided to the business by the consumer’s data. The pre-amended version provided that it must be reasonably related to the value provided to the consumer by the consumer’s data. Section 999.337 of the regulation still uses the pre-amended phrase (although it appears to try to link that phrase to the amended phrase).

In any event, the regulation requires businesses to “use and document a reasonable and good faith method for calculating the value of the consumer’s data” and provides eight proposed methods, including the “marginal value to the business of the sale, collection or deletion of a consumer’s data or a typical consumer’s data” and the “revenue generated by the business from sale, collection, or retention of consumers’ personal information.”

Conclusion

As discussed, it is anticipated that the AG’s office will publish final regulations at any time. In the meantime, the AG’s proposed regulations (along with the text of the CCPA) provide businesses with the best means by which to drive compliance.

David Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David regularly assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also regularly counsels clients on complying with existing and emerging privacy and information security laws, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018 (CCPA) and state information security statutes. To stay up to date on these issues, subscribe to Husch Blackwell’s privacy blog. Stauss can be reached at david.stauss@huschblackwell.com.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

Organized Retail Crime (ORC) is a serious problem that has been on the rise for several years. The unprecedented event of the current pandemic will rival or even exceed any previous events. If COVID-19 by itself wasn't bad enough, add civil disturbance, bail reform, and the state of law enforcement, and you have a perfect storm.

Security Magazine

2020 August

This month in Security magazine, we examine how physical security leaders are being propelled into a unique position of revenue preservers and risk managers for their businesses. In addition, we profile Scott Ashworth, Director of Security for Atlanta United. Also, security leaders discuss how to develop cybersecurity careers, election security, data protection strategies, measuring and reporting security operations maturity and more!

View More Create Account

CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

Article 5. Special Rules Regarding Minors

Article 6. Non-Discrimination

Conclusion

Recent Articles by David Stauss

EDPB issues guidance for cross-border data transfers in wake of Schrems II judgment

CJEU invalidates EU-U.S. Privacy Shield; Upholds standard contractual clauses

Analyzing the California Attorney General’s comments on drafting privacy policies

Bipartisan Group of Senators Proposes Privacy Bill for COVID-19 Contact-Tracing Apps

Senators to Introduce COVID-19 Consumer Data Protection Act

Security Magazine

2020 August

CCPA Update: Analyzing Articles 5 and 6 of the AG’s Proposed Regulations

Article 5. Special Rules Regarding Minors

Article 6. Non-Discrimination

Conclusion

Recent Articles by David Stauss

Related Articles

Report Abusive Comment