CCPA Creates Possible Dilemmas for Companies Sending Text Messages. Is Your Business Ready?
Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.
With the impending implementation of the CCPA, brands and platforms that use text messages to contact consumers (whether customers, employees, or others) must be sure their texting programs comply with the CCPA.
Two areas of particular interest for businesses sending texts are: (1) determining whether they are “selling” personal information under the CCPA and managing the requirements for a data seller under the CCPA, and (2) reconciling compliance with a request to delete personal information under the CCPA with the need to maintain records of obtaining prior express written consent for purposes of the Telephone Consumer Protection Act (“TCPA”).
What does the CCPA definition of “selling” personal information mean for brands that send text messages?
The term “sell” under the CCPA is defined broadly to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
What this means is that even if a business is not receiving monetary payment in exchange for the consumers’ data, it could still be considered to be “selling” under the CCPA in certain circumstances when the data is shared with third parties.
For example, consider a scenario where a business is collecting personal information for purposes of sending text messages and it makes the information available to a vendor to conduct research and provide additional insight on each consumer. If the vendor is authorized to “mine” the data for its own purposes, that is likely sufficient consideration to make the disclosure to the vendor a sale under the CCPA. If on the other hand, the contract with the vendor includes appropriate language to exclude the disclosure from being such a sale (language largely directed to using the data solely to service the business providing the data), the disclosure can be excluded from being considered a sale under the CCPA. Where two brands share personal information of California consumers for co-marketing or some other mutual benefit, even if no money changes hands, the fact each benefits from the exchange could be sufficient consideration to support a sale having occurred under the CCPA. Whether there is a “sale” for CCPA purposes can be a potential trap for the unwary. The distinction matters, as the CCPA imposes additional obligations on sellers of personal information.
If a business is considered to be “selling” personal information, then the CCPA mandates that the business must implement a procedure for California residents to opt out of such selling, must seek their opt-in to such selling if they are between 13-16 years old, and must obtain parental consent to such selling if they are children under 13.
Additionally, the CCPA provides that a business cannot discriminate against a person who opts out of the selling of their personal information. This means that the text messaging business must determine a way to provide the same services to its text users whether it is “selling” the users’ information or not (or come under a CCPA exception that allows for permissible different treatment of different users).
For businesses that work with vendors to send text messages, complying with the CCPA likely includes the following steps:
1. Identify third-party vendors involved in collecting or processing such information;
2. Review the contracts with such vendors and update them, as needed;
3. Implement policies and procedures to comply with the new opt-out sales rules in the contracts with your vendors, or alternatively, if feasible, seek to have the vendor contracts exempted from what is considered selling data by including CCPA-compliant terms to do so; and
4. Determine how to address requests for deletion of personal information (more on this topic below).
How to balance the obligation to comply with a request to delete personal information under the CCPA with the need to maintain consent records under the TCPA?
In order to comply with the TCPA, text messaging businesses must be able to prove that they obtained “prior express written consent” of the consumers they are contacting with an “automatic telephone dialing system” for “telemarketing purposes.” Is this in conflict with the consumers’ right to request deletion of their personal information under the CCPA?
The analysis of this question may be different for individuals contacted by the text messaging business who have opted out of receiving text messages and individuals who have not opted out but still request that their personal information be deleted under the CCPA.
For individuals who consented to receive text messages and then subsequently submitted opt-out requests, the text messaging businesses can refuse the request to delete by relying on the “comply with legal obligations” exception under the CCPA. The justification would be that they have the legal TCPA obligation to maintain an internal do-not-call list.
For individuals who consented to receive text messages and have not opted out, but still request all their personal information to be deleted under the CCPA, several other exceptions to deletion under the CCPA could apply. The request for deletion could be declined on the basis that the personal information must be retained to complete the transaction or service requested by the consumer (e.g., text updates for shipping status of a product, texted account alerts, texted appointment reminders, texted service progress alerts, etc.). Other possible exceptions involve retaining the personal information solely for internal use by the business for purposes that a consumer would reasonably expect or that are compatible with the purposes for which the information was collected. Whether a particular exception applies is a factual analysis unique to each business, and the analysis the business performed to arrive at the applicability of the exception should be documented by the business.
Although the scope of enforcement and litigation under the CCPA is still to be tried, challenges under the CCPA are expected to commence shortly after the CCPA becomes effective on January 1, 2020. Businesses sending texts should know, understand and be prepared to comply with their CCPA obligations sooner rather than later, as it can take some time to implement CCPA-compliant policies, procedures and contractual updates.