December 9, 2022

Volume XII, Number 343


December 08, 2022

Subscribe to Latest Legal News and Analysis

December 07, 2022

Subscribe to Latest Legal News and Analysis

December 06, 2022

Subscribe to Latest Legal News and Analysis

Hidden in Plain Sight: California Consumer Privacy Act of 2018 Signals a Path Forward for Data Collection

Much has been made of California Governor Gavin Newsom’s recent endorsement of “data dividends”: payments to consumers for the use of their personal data. Common Sense Media, which helped pass the CCPA last year, plans to propose legislation in California to create such a dividend. The proposal has already proven popular with the public; one recent poll showed 45% of California voters support the idea while only 28% are opposed.

While this proposal has been treated like an unwelcome after-shock following last year’s CCPA earthquake, perhaps it should not have been such a surprise to the denizens of the digital economy. After all, contained in the CCPA’s “Right to Nondiscrimination” provisions is a clear and explicit endorsement of “pay to play” arrangements between data collectors and consumers. Section 1798.125 b. of the CCPA provides:

  1. A business may offer financial incentives, including payments to consumers as compensation, [emphasis added] for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.

  2. A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135. 

  3. A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

  4. A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

While the CCPA explicitly declares consumer waivers to be against the public policy of the State and hence unenforceable, it looks with approval on voluntary, informed “pay-to-play” incentive plans. By allowing businesses to pay consumers for the privilege of using, selling and deleting personal information and offer different service levels based on access to consumer data, the CCPA diverges markedly from the GDPR. .The GDPR holds that a company may not charge extra to anyone who chooses to exclude her data from collection. As a result, businesses subject to the GDPR are unable to differentiate on price between a person whose data is collected and one whose data is not.

With spring training in progress and Opening Day around the corner, a time-honored baseball aphorism suggests a strategy for progressive companies: “Go with the pitch.” Businesses with broad exposure to the CCPA and business models dependent on the collection and use of personal information could follow the State’s lead and include a consumer incentive in their terms of use in exchange for greater freedom to use consumers’ personal information. The cost of such incentives might be easily offset by increased freedom to use consumer data, ability to differentiate service levels based on access to those data, and reduced risk of enforcement. Not to mention the benefit of being seen as taking the high road and paying consumers for the “raw materials” of the services they desire. Companies with well-developed loyalty programs could easily tie in information incentives, offering consumers willing to part with more meaningful data more “points” or rewards than those opting out of providing data “related to the value provided to the consumer”.

Current terms of use would need to be amended to include the necessary consent under the CCPA and offer the information incentive program to consumers in accordance with the guidelines set out in the CCPA.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 53

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Philip Gura, Womble Dickinson Law Firm, Atlanta, Cybersecurity Law Attorney
Senior Division Counsel

Phil Gura has more than 30 years of experience helping companies manage privacy, data security, governance and regulatory compliance challenges. For the past 15 years, he has served as the Chief Legal Officer of major corporations, including Merchant Customer Exchange LLC (MCX), RaceTrac Petroleum Inc. and LaRoche Industries, Inc. His in-house experience includes managing and directing corporate governance, regulatory/compliance, privacy/ data security and intellectual property efforts.

Phil most recently served as Chief Legal Officer of Sionic...