Thanks to groundbreaking legislation like the CCPA and CPRA, opt-out requests and other privacy rights are starting to put a price tag on user data.
Many businesses are aware of the consumer’s rights, but they do not know their own. Exercising these rights is a form of negotiation, and how companies go about doing so will impact the current cost of data and its value in the future.
The Privacy Rights of The Consumer Under CCPA
Most familiar with the CCPA are aware that consumers now have the right to deny businesses permission to sell their data. Many consumers that don’t read the California consent pop ups choose to opt-out thinking that their personal data is still private. What they fail to realize is that this specific opt-out does not relate to the collection of their data. They are only denying the business the right to sell the data.
The CCPA not only provides consumers the right to opt-out, it also grants them the right to delete any data collected. This right is a bit more tedious than the consent pop-ups because it requires consumers to proactively reach out to businesses with their data.
Coming Privacy Rights Changes from CPRA
Now that prop 24 passed, in addition to denying the selling of data, Californians now have the right to deny businesses permission to share their personal information with third parties. As you will see, this amendment may have significant implications on the existing justifications businesses use to deny opt-out requests.
According to a CISCO Consumer Privacy Survey, 84% of respondents want more control over how others use their data. It is unclear how many users, in reality, elect to opt-out and exercise these rights, but as more people become aware of these rights, businesses will need to further negotiate and disclose the value of user data.
The Data Rights of Businesses
Legislators didn’t write the CCPA and CPRA with only consumer interests in mind. The final version of the law was the result of negotiations between both ends of the spectrum. It takes a critical in-depth review of the law to understand how business rights are represented.
Businesses can deny user data opt-out requests if the data is sensitive personal information and a legitimate business interest.
Prior to the recent prop 24 amendment, the law exempted businesses from these opt-out requests by classifying legitimate business needs as data sharing instead of data selling.
This provision was arguably the strongest business interest advocation in the CCPA, but it also required the most robust justification. Facebook went to great lengths to argue that their Facebook pixel fell under this exemption. The Facebook pixel is a free tracking code snippet that anyone can install on their website. It allows individuals and business owners to retarget visitors or people under a similar audience profile with Facebook and Instagram ads.
Suppose businesses using the Facebook Pixel could demonstrate that the shared data served one of the many business purposes listed in the CCPA. Prior to prop 24, they would have been able to deny opt out requests by arguing that they are sharing the data with Facebook instead of selling.
Since Prop 24 now provides consumers the rights to deny the sharing of personal information, businesses using the Facebook Pixel need to revisit the justifications they used to deny these opt out requests.
Businesses still have rights to collect and share user data for business purposes in prop 24; however, these exemptions have been narrowed down to a new classification of user data called sensitive personal information (SPI). This new category of personal information is defined in page 28 of the CPRA.
The law states that when it comes to SPI, consumers can limit the use of this new category to business purposes. Businesses may be able to argue that sharing SPI with a third party is an essential business interest. Here is a list of legitimate business interests recognized by the CCPA:
- Security and fraud prevention
- Internal research and service improvement
- Short-term, transient use
- Maintaining customer accounts
- Processing orders
- Providing advertising or marketing services (The business interest used to exclude data collected from the Facebook Pixel)
Reasons User Data Deletion Requests Can Be Denied
Keep in mind that in all of this, companies still have the right to collect information. This legislation effects how they use it, share it, and store it. We just covered how the law effects using and sharing user data. When it comes to storing the data, companies need to prepare for deletion requests. Here is a list of exemptions that allow businesses to deny these requests:
- The user’s data was used to complete a transaction, provide a good or service, or perform a contract with the consumer.
- The data is needed to detect security incidents.
- The data is needed to protect against fraud and illegal activity.
- The data is needed to debug and repair errors.
- The data is needed to enable solely internal uses that are reasonably aligned with the consumer’s expectations or other internal uses that are lawful and compatible with the context in which the consumer provided the information.
This article did not include all the rights of business owners. Now that Prop 24 passed, arguing that your company shares data instead of selling is less relevant. Businesses that use a Facebook pixel may need to find new justifications for sharing data with Facebook and other third parties. Consulting with the right lawyer helps defend and protect the value of user data to businesses.
Take advantage of our free consultation to see how we can protect your business from data sharing/selling opt-out, deletion, and restrict of use requests.