GT Data Privacy Dish: CCPA Updates January 8, 2021
Friday, January 8, 2021

Circumventing discovery: Can plaintiffs’ attorneys use CCPA access requests to obtain unsupervised discovery?

Litigants traditionally look to the rules of civil procedure to obtain discovery in litigation. Plaintiffs’ attorneys have, however, begun to try to circumvent restrictions within the discovery rules that are designed to limit the number, type, and timing of information requests, by sending out “access requests” on behalf of their clients under the California Consumer Privacy Act (CCPA).

Nothing within the legislative history of the CCPA suggests that it was intended to replace or supplant the discovery process set forth in the Federal Rules of Civil Procedure and in the California Code of Civil Procedure. Furthermore, one interpretation might be that forcing a civil litigant to disclose personal information outside of judicially prescribed and monitored discovery processes could improperly “restrict a business’ ability to . . . [e]xercise or defend legal claims” and, thus, would exceed the scope of the CCPA.[1]

The Office of the California Attorney General was asked to confirm that access requests could not be used in lieu of discovery in litigation. The Attorney General chose to respond that there is no explicit “exception allowing businesses to refuse to respond to a verifiable request by a consumer for that consumer’s personal information while litigation is pending or allowing the business to deny a consumer request on the basis that the business suspects the request was made in lieu of discovery.”[2] Ultimately California courts will have to determine whether access requests can be utilized as a means of bypassing traditional discovery procedures.

How many times do you count a person when deciding whether the CCPA applies to a business?

For an entity to be considered a “business” under the CCPA, it must meet one of three thresholds. One of those thresholds is whether the entity “annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”[3] The CPRA modified the threshold such that, as of Jan. 1, 2023, an entity would need to buy, sell, or share personal information of 100,000 or more consumers or households.[4]

The Office of the Attorney General was asked to clarify how entities should compute the number of households or devices. Specifically, the attorney general was asked whether a California consumer that used multiple devices should be counted once or should be counted multiple times.[5] The attorney general declined to clarify whether a consumer should be counted more than one time based upon their quantity of devices or households.[6]

The Office of the Attorney General was also asked to clarify whether the reference to “device” found within the CCPA (note that as of Jan. 1, 2023, such reference is removed) means a device used by a California resident or a device used by a resident of any state.[7] The attorney general took the position that the device must relate to a California resident, stating that “it would be unreasonable to conclude that a household or device subject to the CCPA would not have some nexus to a natural person who is a California resident.”[8]

How much control do companies have over how affiliate sharing is classified? Can corporate affiliates that share common branding choose whether they want to be a unified business under the CCPA?

Probably not.

Some companies have objected to the CCPA’s definition of “business,” which purports to treat some affiliated companies that utilize common branding as a single business for the purpose of the Act. Specifically, they have pointed out that there are situations in which corporate affiliates that share common branding might be of disparate size such that Affiliate A has revenues that exceed the minimum set by the CCPA and, thus, would be covered by the Act (i.e., $25 million in annual gross revenue), but Affiliate B does not have revenues that meet the CCPA’s threshold. They have argued that treating Affiliate A and Affiliate B as a unified business, and as a result, subjecting both to the requirements of the statute, disregards the reality that the companies are separate legal entities that are entitled to be treated as such in connection with regulatory requirements.

During the rulemaking process, the California attorney general was asked to establish a rule that would permit affiliated companies that shared common branding not to be treated as a single “business” under the Act on the condition that the affiliates did not engage in data sharing. In essence, the request would allow affiliated entities with common branding to elect by their actions whether they should be treated as a unified business. The attorney general refused the request, noting that, in his opinion, it was “inconsistent with the statute’s definition” of a “business.”[9] The implication of the refusal is that whether affiliated entities are treated as a single “business” under the Act may be a question of fact regarding the degree of control and the degree of common branding between the companies; it may not be a choice that companies can elect as part of their compliance strategy.

What the heck is a token, and is it considered personal information in California and Europe?

Maybe.

“Tokenization” refers to the process by which you replace one value (e.g., a credit card number) with another value that would have “reduced usefulness” for an unauthorized party (e.g., a random value used to replace the credit card number).[10] In some instances, tokens are created through the use of algorithms, such as hashing techniques.

Information is not considered “personal information” under the CCPA if it has been “deidentified.”[11] Deidentification means that the data “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”[12] An argument could be made that data once tokenized cannot reasonably be associated with an individual. That argument is strengthened under the CCPA if a business has implemented technical and business processes to help prevent reidentification.

In comparison, in the context of the European GDPR, the Article 29 Working Party[13] has stated that even when a token is created by choosing a random number (i.e., it is not derived using an algorithm), the resulting token typically does not make it impossible to re-identify the data and, as a result, the token is best described as “pseudonymized” data, which would still be “personal data” subject to the GDPR.[14]
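The two kinds of token described above, a random value and a value derived with a hashing algorithm, can be compared in a short sketch. This is an added example, not part of the original article; the class and function names, the card number, and the sample records are all constructed for illustration. It shows why a token is usually treated as pseudonymized rather than anonymous: the holder of the mapping table can reverse a random token, and a hash-derived token is identical wherever the same input is tokenized, so separate datasets can be joined on it.

```python
import hashlib
import secrets


class TokenVault:
    """Random-value tokenization (hypothetical helper).

    The token itself reveals nothing about the original value, but the
    vault's mapping table lets its holder reverse every token.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one value always maps to one token.
        if value not in self._value_to_token:
            token = secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def hash_token(value: str) -> str:
    """Algorithm-derived token: SHA-256 of the value, so it is deterministic."""
    return hashlib.sha256(value.encode()).hexdigest()


def link_datasets(a: dict, b: dict) -> dict:
    """Join two tokenized datasets on the tokens they have in common."""
    return {tok: (a[tok], b[tok]) for tok in a.keys() & b.keys()}


def demo():
    card = "4111111111111111"  # constructed test value, not a real account
    vault = TokenVault()
    random_tok = vault.tokenize(card)
    recovered = vault.detokenize(random_tok)  # vault holder re-identifies

    # Two systems tokenize the same card independently with the same hash.
    purchases = {hash_token(card): "order on 2021-01-05"}
    support = {hash_token(card): "ticket opened by Jane Q. Public"}
    linked = link_datasets(purchases, support)
    return random_tok, recovered, linked
```

Whether either token counts as “deidentified” therefore depends on who can reach the mapping table or a second dataset keyed on the same token, which is where the technical and business processes mentioned above come in.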


[1] Cal. Civ. Code 1798.145(a)(5).

[2] FSOR Appendix A at 306 (Response 911).

[3] Cal. Civ. Code 1798.149(c)(1)(B) (Oct. 2020).

[4] Cal. Civ. Code 1798.140(d)(1)(A).

[5] FSOR Appendix A at 2 (Response 6).

[6] FSOR Appendix A at 2 (Response 6).

[7] FSOR Appendix A at 2 (Response 6).

[8] FSOR Appendix A at 2 (Response 6).

[9] FSOR Appendix A at 5, 6 (Response 18).

[10] Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 21 (adopted 10 April 2014).

[11] Cal. Civ. Code 1798.145(v)(3).

[12] Cal. Civ. Code 1798.140(h) (Oct. 2020).

[13] The Article 29 Working Party was the predecessor to the European Data Protection Board.

[14] Article 29 Working Party, WP 216: Opinion 05/2014 on Anonymisation Techniques at 21 (adopted 10 April 2014).
