iWith most of the world in some stage of quarantine, retailers of nonessential goods are enjoying huge spikes in online shopping.1 Marketers, correspondingly, are having to get creative to cater to a populace trapped inside and coming down from its Tiger King high.2 Leveraging available technology, like Zoom and social features of websites and apps, brands are bringing content and advertisements into peoples’ homes — and people are loving it.3 As it becomes clear that lockdown may be the new normal for the foreseeable future, market researchers predict a rise in AR marketing campaigns that allow consumers to interact with products from home.4
With the California Consumer Privacy Act (CCPA) regulations slogging through the final stage of approval, companies that currently have, or are looking to implement, AR marketing campaigns need to start asking some basic questions. First, does the CCPA apply? Second, what types of personal information is the app collecting, or will it collect? Third, what kinds of disclosures does the company need to make? We examine these questions below.
Does the CCPA apply?
As we have discussed in some earlier advisories (please click here to read our CCPA-related advisory from May 2019 and here for our CCPA-related advisory from April 2019), the CCPA is a state law with a global reach. It applies to a for-profit entity doing business in California that collects personal information and meets one of the following thresholds: (1) annual gross revenues of $25 million; (2) annually buys, sells, receives or shares, for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information.5
Large companies likely will find themselves subject to the CCPA under the first threshold. Mid-sized operations, and even some smaller businesses, may be subject to the CCPA by virtue of the second threshold.6
What type of personal information is the app collecting, and how will it be used?
AR applications function by accessing the camera in a user’s smartphone. Especially in location-based AR apps that do not rely on QR codes to generate information, this means that the app can see (and store) what the user sees. Indeed, some apps rely on this access to determine where to place virtual objects in the user’s real-world surroundings. These apps offer an unprecedented treasure trove of information to marketers who make AR apps available. For example, L’Oreal’s ModiFace has partnered with Amazon to enable customers to try makeup virtually on Amazon’s site using AR. The hyper-realistic app permits users to try the makeup live by accessing a consumer’s camera or to try on the makeup using a still photo. In its privacy policy, L’Oreal states: “If you use one of our virtual try on features, we may collect and store your image(s), for example, if you use social sharing to send your image to a friend or post it online or if you save it to your profile.”7 This might not seem like much, but when coupled with the dozens of other details an app might collect, including gender, address, in-app interactions and the inferences the app can draw, like a person’s behaviors and preferences, AR apps can create a potentially significant personal profile.
The CCPA classifies virtually all of the above as “personal information,” including the inferences that can be drawn from the data collected.8 Likewise, what businesses can do with this information — and to whom businesses can give it — are subject to specific disclosure and other requirements under the CCPA. Unlike prior US law, the CCPA specifically addresses repurposing data or so-called “scope-creep” — when collecting personal information, what information is being collected must be disclosed, as well as the purposes for which the data will be used, and the CCPA prohibits new uses of personal information that were not specified at the time of collection.
What types of new disclosures does the retailer need to make?
The CCPA requires disclosures or notices in a number of contexts, including: (1) at or before the point of collection, and (2) as a generally available privacy policy on the website homepage or, in our case, the landing page of the app.
Regarding the first context for an AR app — at or before the point of collection — the notice would need to appear either before the app is downloaded or through prompts after the app is downloaded but before it collects any information about the user or the device into which it is downloaded. Under the CCPA, businesses need to disclose at or before collection (1) the categories of personal information being collected; (2) the purpose for which the information will be used; (3) if the business is selling the information, then a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link, and (4) a link to the privacy policy.
The privacy policy is a more comprehensive description of privacy practices relating to the collection, use, disclosure and sale of personal information and should likewise be available by link from the website homepage or app download or landing page. In addition to the disclosures above, the privacy policy requires (1) a description of the consumer’s specific rights under the CCPA, including the right to deletion and the right to request disclosure regarding the collection and sale of personal information; (2) a description of the process to submit rights requests and of the verification process; (3) the categories of personal information collected about consumers in the past 12 months; and (4) the categories of sources of personal information collected. As applicable, the privacy policy also needs to disclose (5) a list of categories of personal information disclosed for a business purpose or sold in the past 12 months.
The CCPA also has specific requirements relating to the collection and processing of the personal information of minors.
The CCPA also requires disclosure of the types of third parties to whom the personal information is transferred, and certain transfers — to third parties who are not under a contract with specific terms limiting their use of the data for their own benefit, and to whom the data is transferred for consideration — that would qualify as “sales” under the CCPA, giving rise to additional requirements. In its public announcement that it was beginning to enforce the CCPA, the California Attorney General highlighted two provisions of the CCPA: Cal. Civ. Code § 1798.120, which permits consumers to direct businesses not to sell their information to third parties, and Cal. Civ. Code § 1798.135, which requires businesses to provide clear links to a web page that would permit consumers to opt out of the sale of personal information.
Companies with AR apps must take care to disclose all of the types of personal information the app is collecting, including identifying information, biometric information, geolocation data, audio/electronic/visual information, internet or other electronic network activity, and the fact that the company may use the information to draw further inferences about a consumer. Given the complexity of these apps and the likelihood that they will have added features going forward, it is particularly important for businesses to plan in advance and consider the specific ways that the information is likely to be used, both in the short and medium terms, to ensure that proper disclosures are made.
Footnotes
(2) https://twitter.com/dennysdiner/status/1243278315982589969?lang=en;
(3) https://www.mobilemarketer.com/news/chipotle-tackles-social-distancing-with-virtual-hangouts-on-zoom/574258/. https://www.mobilemarketer.com/news/pokemon-go-spending-jumps-67-after-indoor-play-adjustments/574910/
(5) Cal. Civ. Code § 1798.140(c).
(6) For example, Instagram influencers often use the program“LIKEtoKNOW.it” to provide followers around the world with the inside scoop on exactly where they bought their ensemble. Although influencers often purchase from well- known brands or stores, influencers can drive web traffic to lesser-known brands and boutiques by using “LIKEtoKNOW.it,” which provides links directly to the product where it is available for purchase online.
(7) https://www.lorealparisusa.com/services/privacy.aspx
(8) Cal.Civ.Code1798.140(o)(1).
