Hidden in Plain Sight: California Consumer Privacy Act of 2018 Signals a Path Forward for Data Collection
Much has been made of California Governor Gavin Newsom’s recent endorsement of “data dividends”: payments to consumers for the use of their personal data. Common Sense Media, which helped pass the CCPA last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public; one recent poll showed 45% of California voters support the idea while only 28% are opposed.
While this proposal has been treated like an unwelcome after-shock following last year’s CCPA earthquake, perhaps it should not have been such a surprise to the denizens of the digital economy. After all, contained in the CCPA’s “Right to Nondiscrimination” provisions is a clear and explicit endorsement of “pay to play” arrangements between data collectors and consumers. Section 1798.125 b. of the CCPA provides:
A business may offer financial incentives, including payments to consumers as compensation, [emphasis added] for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.
A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
While the CCPA explicitly declares consumer waivers to be against the public policy of the State and hence unenforceable, it looks with approval on voluntary, informed “pay-to-play” incentive plans. By allowing businesses to pay consumers for the privilege of using, selling and deleting personal information and offer different service levels based on access to consumer data, the CCPA diverges markedly from the GDPR. .The GDPR holds that a company may not charge extra to anyone who chooses to exclude her data from collection. As a result, businesses subject to the GDPR are unable to differentiate on price between a person whose data is collected and one whose data is not.