CCPA Right to Deletion and Non-discrimination
In this entry, let us take a look at the rights under the CCPA – Deletion and Non-discrimination.
The Deletion requirements
The right to deletion under the CCPA is set out as follows: “A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.” (Section 1798.105(a))
While the phrase “from the consumer” implies that only data collected directly from the consumer falls within the scope of deletion, further clarifications of the law indicated that all data about the customer as owned by the company was in the scope of the law. The company also needed to list how and from whom the data was collected, so that the customer could exercise their right with the third-party provider as well.
Exemptions
Even when the right to deletion does apply, there are a number of exemptions to keep in mind.
A business can continue to retain the data where it is necessary to:
- Complete a transaction, provide a good or service or perform a contract with the consumer,
- Detect security incidents,
- Protect against fraud and illegal activity,
- Debug and repair errors,
- Enable solely internal uses that are reasonably aligned with the expectations of the consumer, or
- For other internal uses that are lawful and compatible with the context in which the consumer provided the information.
Companies that have implemented GDPR will be able to respond to requests, as they will already have the technical capabilities to permanently delete personal data within their systems and internal procedures for handling and responding to requests. There are many cases to consider where the legal team is the right choice over the IT Compliance team. For example, if a business receives two deletion requests, one from an EU individual and one from a Californian individual, then it will need to consider those requests quite differently, depending on the use of the data. However, in the vast majority of cases, the processing should be straightforward once defined by the legal and compliance teams.
The Non-discrimination requirements
To complement and help reinforce the other consumer rights, the CCPA contains a non-discrimination provision: “A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title…” (Section 1798.125(a)(1))
This means that a business cannot treat a consumer differently simply because they have chosen to exercise any of their rights under the CCPA – for instance, if they requested their information be deleted or they opted out from the sale of their personal information.
The CCPA contains a non-exhaustive list of discriminatory practices, which includes:
- Denying goods or services to the consumer,
- Charging different prices or rates for goods or services (including through the use of discounts, other benefits or penalties),
- Providing a different level or quality of goods or services to the consumer, and
- Merely suggesting that the consumer will receive a different price or rate or a different level or quality.
Financial incentives
As an exception to the non-discrimination requirements, the CCPA allows a business to offer ‘financial incentives’ relating to the collection, sale or deletion of personal information (Section 1798.125(b)). This means that a business may, for example, encourage consumers (through monetary or other valuable consideration) to allow the business to sell the consumer’s information or, similarly, discourage consumers from requesting their information be deleted. These types of incentives would not fall within the scope of non-discrimination even though they would clearly involve the use of discounts, benefits and/or penalties.
The CCPA also allows a business to offer a different price or quality of goods or services if the difference “is directly related to the value provided to the consumer by the consumer’s data” (Section 1798.125(b)(1)). This implies that where the value of the service is tied to the value of the consumer’s data, then the business can justify setting a different price or withholding a service depending on whether, for example, the consumer opted out from the sale of their personal information or requested their information be deleted.
In any event, the CCPA places conditions around the offering of financial incentives – firstly, a business must not offer incentives in a way that is “unjust, unreasonable, coercive, or usurious in nature” and, secondly, the business must:
- Notify consumers about the use of incentives in a way that clearly describes the material terms of the program, and
- Obtain the consumer’s prior opt-in consent (which can be revoked at any time).