March 23, 2019

March 22, 2019

Subscribe to Latest Legal News and Analysis

March 21, 2019

Subscribe to Latest Legal News and Analysis

March 20, 2019

Subscribe to Latest Legal News and Analysis

Hidden in Plain Sight: California Consumer Privacy Act of 2018 Signals a Path Forward for Data Collection

Much has been made of California Governor Gavin Newsom’s recent endorsement of “data dividends”: payments to consumers for the use of their personal data. Common Sense Media, which helped pass the CCPA last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public; one recent poll showed 45% of California voters support the idea while only 28% are opposed.

While this proposal has been treated like an unwelcome after-shock following last year’s CCPA earthquake, perhaps it should not have been such a surprise to the denizens of the digital economy. After all, contained in the CCPA’s “Right to Nondiscrimination” provisions is a clear and explicit endorsement of “pay to play” arrangements between data collectors and consumers. Section 1798.125 b. of the CCPA provides:

  1. A business may offer financial incentives, including payments to consumers as compensation, [emphasis added] for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.

  2. A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135. 

  3. A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

  4. A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

While the CCPA explicitly declares consumer waivers to be against the public policy of the State and hence unenforceable, it looks with approval on voluntary, informed “pay-to-play” incentive plans. By allowing businesses to pay consumers for the privilege of using, selling and deleting personal information and offer different service levels based on access to consumer data, the CCPA diverges markedly from the GDPR. .The GDPR holds that a company may not charge extra to anyone who chooses to exclude her data from collection. As a result, businesses subject to the GDPR are unable to differentiate on price between a person whose data is collected and one whose data is not.

With spring training in progress and Opening Day around the corner, a time-honored baseball aphorism suggests a strategy for progressive companies: “Go with the pitch.” Businesses with broad exposure to the CCPA and business models dependent on the collection and use of personal information could follow the State’s lead and include a consumer incentive in their terms of use in exchange for greater freedom to use consumers’ personal information. The cost of such incentives might be easily offset by increased freedom to use consumer data, ability to differentiate service levels based on access to those data, and reduced risk of enforcement. Not to mention the benefit of being seen as taking the high road and paying consumers for the “raw materials” of the services they desire. Companies with well-developed loyalty programs could easily tie in information incentives, offering consumers willing to part with more meaningful data more “points” or rewards than those opting out of providing data “related to the value provided to the consumer”.

Current terms of use would need to be amended to include the necessary consent under the CCPA and offer the information incentive program to consumers in accordance with the guidelines set out in the CCPA.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

TRENDING LEGAL ANALYSIS


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.

...

704-331-4910
Philip Gura, Womble Dickinson Law Firm, Atlanta, Cybersecurity Law Attorney
Of Counsel

Phil Gura has more than 30 years of experience helping companies manage privacy, data security, governance and regulatory compliance challenges. For the past 15 years, he has served as the Chief Legal Officer of major corporations, including Merchant Customer Exchange LLC (MCX), RaceTrac Petroleum Inc. and LaRoche Industries, Inc. His in-house experience includes managing and directing corporate governance, regulatory/compliance, privacy/ data security and intellectual property efforts.

Phil most recently served as Chief Legal Officer of Sionic Mobile Corporation, a cloud-based connected commerce company. In this role, Phil led partnership negotiations with major financial institutions, acquirers, automobile manufacturers, technology platform providers, and merchants. 

404-888-7480