CCPA Privacy Tabula Rasa

The CCPA will automatically opt-out many consumers, creating a privacy tabula rasa, or clean slate for consumers to start over with businesses not otherwise in compliance.

Businesses that sell personal information, but don’t have an updated web site and privacy policy with the appropriate opt-out notices will have to broadly stop using all Personal Information of all Consumers from whom they collect any additional personal information after December 31st, 2019. It will happen suddenly starting on January 1st, 2020 as soon as consumers visit web sites, receive advertising or get emails and will create a “privacy tabula rasa” – cleaning the privacy slate, giving personal information control to consumers and allowing them to start over with businesses who are not in compliance.

The regulation says:

“A consumer whose personal information is collected while a notice of right to opt-out is not posted shall be deemed to have validly submitted a request to opt-out.”  CCPA Proposed Regs § 999.306 (d)

This deemed opt-out appears to be a global opt-out for all personal information (and not just some personal information) for all consumers from whom any additional personal information is collected before the notice is posted, which will be true for many, if not most, businesses. Collecting even one piece of personal information from a consumer after 2019 will trigger the deemed opt-out.

A global opt-out must be the most prominently presented opt-out option, so it follows that a deemed opt-out without specificity would be global.

“§ 999.315. Requests to Opt-Out  … (d) In responding to a request to opt-out, a business may present the consumer with the choice to opt-out of sales of certain categories of personal information as long as a global option to opt-out of the sale of all personal information is more prominently presented than the other choices.” CCPA Proposed Regs § 999.315 (d)

This interpretation seems reasonable given that the regulation must be construed liberally in favor of its purposes (e.g., protecting consumer privacy).

“1798.194.  This title shall be liberally construed to effectuate its purposes.” CCPA § 1798.194

Starting on the morning of January 1st, 2020, there will be a massive number of violations because “collecting” personal information is defined very broadly (“by any means” “either actively or passively”) and businesses will continue to do so, many unknowingly.

‘“Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.’ CCPA § 1798.140 (e)

Because the definition of personal information is extremely broad, many businesses will probably collect personal information on consumers without even realizing it.

‘Cal. Civ. Code § 1798.140 (o) (1) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. …’ Cal. Civ. Code § 1798.140 (o)

Personal information includes cookies, IP addresses, and advertising and marketing meta-data. Consumers that are exposed to a business’ web site or any of the business’ advertising, through use of the internet, email, apps or otherwise will have had personal information collected by such businesses, instantly triggering the deemed opt-out.

Personal information includes any inferences drawn from any other personal information to create a profile (such as for marketing or used in real-time bidding advertising), including any assumptions or conclusions derived from the personal information.

“1798.140 … (o) (1) (K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes….” CCPA § 1798.140 (o) (1) (K)

‘1798.140 … (m) “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data’ CCPA § 1798.140 (m)

Personal information also includes behavioral characteristics (because it includes biometrics), such as how a person clicks-through or otherwise interacts with a web site. The combined scope of personal information and inferences from behavior would, among other things, include use of personal information for advertising or marketing, even analytics and the use of artificial intelligence such as deep learning on the data.

“CCPA § 1798.140 (o) (1) (e) … Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household: … (E) Biometric information.” CCPA § 1798.140 (o) (1) (e)

‘CCPA § 1798.140 … (b) “Biometric information” means an individual’s physiological, biological, or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information….”’ CCPA § 1798.140 (b)

The opt-out must be respected for 12 months and businesses are prohibited from requesting that consumers opt back in.

“1798.135.  (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

(5) For a consumer who has opted-out of the sale of the consumer’s personal information, respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.” CCPA § 1798.135 (a) (5)

In the meantime, those businesses cannot use any of the personal information for any purpose other than opt-out. Any other use will have to cease. The statute says the personal information can be used “solely for the purposes of complying with the opt-out request”.

“1798.135.  (a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

(6) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.”

If the personal information has been already deidentified or aggregated, then the deidentified or aggregated form of it can be used (“collect, use, retain, sell, or disclose”). However, after the moment of deemed opt-out, personal information cannot be used to create deidentified or aggregate information. 

“§ 1798.145 (a) (5) … The obligations imposed on businesses by this title shall not restrict a business’ ability to: … Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.” [Note it does not say “create” deidentified information] Cal. Civ. Code § 1798.145 (a) (5)

The affected businesses will have only a few days to “act” – to stop selling all personal information for those consumers.

“§ 999.315. Requests to Opt-Out …  (e) Upon receiving a request to opt-out, a business shall act upon the request as soon as feasibly possible, but no later than 15 days from the date the business receives the request.” CCPA Proposed Regs § 999.315 (e)

The affected businesses will have to notify all third parties not to sell any of the personal information of any of the consumers, and then notify the consumers themselves. Perhaps the only practical way to identify and notify these consumers would be to reverse engineer the advertising mechanisms and present notices (“You have opted out”) instead of ads after an initial ad is displayed (collecting their personal information and triggering the opt-out).

“§ 999.315. Requests to Opt-Out …  (f) A business shall notify all third parties to whom it has sold the personal information of the consumer within 90 days prior to the business’s receipt of the consumer’s request that the consumer has exercised their right to opt-out and instruct them not to further sell the information.  The business shall notify the consumer when this has been completed.” CCPA Proposed Regs § 999.315 (f)

Businesses will have the limited ability to inform consumers of the possibility of opting back in where there is a transaction that requires the sale of personal information as a condition of completing the transaction.

“§ 999.316 Requests to Opt-In After Opting Out of the Sale of Personal Information (a) Requests to opt-in to the sale of personal information shall use a two-step opt-in process whereby the consumer shall first, clearly request to opt-in and then second, separately confirm their choice to opt-in. (b) A business may inform a consumer who has opted-out when a transaction requires the sale of their personal information as a condition of completing the transaction, along with instructions on how the consumer can opt-in.” CCPA Proposed Regs § 999.316 (a), (b)

Otherwise, the affected businesses will have to start over with those consumers, not selling their personal information until they each decide to opt back in on their own or wait 12 months to recontact them.

The privacy tabula rasa will probably apply to many businesses outside of California that don’t even suspect that the CCPA applies to them. The applicability of the CCPA pivots on the definition of “business”.

“1798.140.  For purposes of this title: … (c) “Business” means: (1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A)  Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B)  Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C)  Derives 50 percent or more of its annual revenues from selling consumers’ personal information. …” CCPA § 1798.140 (c)

Note that the definition includes businesses that “… [a]lone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.” (emphasis added). Because it says “alone or in combination”, the numbers of consumers must be added to the numbers of households and the numbers of devices.

A household means a person or group of people occupying a single dwelling. Assuming that most Californians live in dwellings, then each consumer counts for two, not one – the consumer and the household. This means that it would only take the personal information of 25,000 to trigger the CCPA.

1798.301 (h) ‘“Household” means a person or group of people occupying a single dwelling’

Devices also must be added in. Many people use multiple devices – cell phones, laptops, tablets, desktops, digital assistant speakers, televisions, cars, thermostats, doorbells, etc. If the average Consumer used 3 devices, that would bring the triggering number down to about 8,000. Don’t forget about work computers. While there is an employee exemption to the CCPA, it applies “… solely within the context…” of an employee’s “…role”. CCPA § 1798.145 (h). Arguably a work machine used by an employee to visit a social network or other personal web site would be outside the employee’s role, and thus counted in the number of devices. Consequently, the real number of items from which personal information is collected to trigger the CCPA is far fewer than 50,000 Consumers.

To avoid the privacy tabula rasa, businesses would be wise to update their web site and privacy policy to adjust for opt-out notices per CCPA § 1798.120, § 1798.135 and CCPA Proposed Regs § 999.306 and § 999.315.
