Transparency is a fundamental aspect of the California Consumer Privacy Act. The act creates consumer rights to access data and obligations for businesses to disclose data practices. One of the law’s effects will be increased scrutiny of privacy notices, specifically their details about a business’s data collection and sales practices.

This article applies the CCPA to the current privacy notice of theScore — a sports news application — one of the 17 apps The New York Times recently identified for sharing precise location data. The analysis illustrates how the CCPA will impact privacy notices when it goes into effect Jan. 1, 2020.

Background

In December 2018, The New York Times published a story outlining the precision with which mobile applications track a user’s location and subsequently share it with third-party advertisers. It described recent growth in “location-targeted advertising” and explained that “about 1,200 apps” available for Google’s Android operating system and 200 apps for Apple’s iOS contain location-sharing code from companies that collect location data and sell insights to other businesses. The Times identified “17 apps that [it] saw sending precise location data.”

The story also included anecdotes describing consumers’ surprise in response to the comprehensive nature of the geolocation data their mobile device was sharing with third parties. This type of data collection and sharing was one motivation behind the CCPA, passed by the California Legislature last June “to give consumers an effective way to control their personal information” and create “[t]he right of Californians to know what personal information is collected about them ... [and is] sold or disclosed and to whom.”

The CCPA is the broadest privacy law to date in the United States, and it may signal the beginning of a new era of privacy regulation, motivated by the public’s renewed interest in the data collection practices employed by countless technology companies.

Requirements in the CCPA

The CCPA creates rights for consumers and imposes subsequent obligations on organizations. These rights and obligations can be summarized as follows:

  • A consumer’s right to request disclosure of personal information collected.
  • A consumer’s right to request disclosure of personal information sold or disclosed for a business purpose.
  • A consumer’s right to the deletion of personal information.
  • A consumer’s right to opt out of the sale of personal information.
  • A consumer’s right to access and data portability.
  • A prohibition on discrimination for exercising a consumer right.
  • An obligation to notify a consumer of her rights.

The CCPA executes on its goal of transparency by requiring disclosure or notice in three settings: “at or before the point of disclosure,” in response to a “verifiable consumer request,” and specifically on a business’s website. Although many businesses have a privacy notice that may already at least partially comply with the law, most will need to adapt their existing procedures and digital assets, represented in the privacy notice, to comply.

An illustration: Applying the CCPA to theScore’s data practices

Let’s time travel for a moment and land in July 2020, a world in which the CCPA is in effect and the California attorney general is actively enforcing the law. The CCPA describes its disclosure obligations in two temporal settings: “at or before the point of collection” and “upon receipt of a verifiable consumer request.” In our hypothetical, theScore has not received a verifiable consumer request, so its disclosure requirements for this hypothetical are only those that apply “at or before the point of collection.” From a practical standpoint, at or before collection means disclosure either in a privacy notice or via a prompt during the initial setup of theScore’s application on a user’s mobile device. This analysis will focus on the disclosures required in a business’s privacy notice and review theScore’s current privacy notice compared to the CCPA’s “at or before the point of collection” disclosure requirements.

TheScore’s privacy notice structure

TheScore has a privacy notice publicly available on its website, titled “Privacy Policy.” The notice incorporates by reference and links to other publicly available pages that provide more detail about specific phrases in the privacy notice: “Terms of Use,” “Analytics and Advertising Tracking,” and “List of Third Party Advertising Partners.” The privacy notice also includes specific sections for “California Privacy Rights” and “European Economic Area Data Subject Rights.”

Disclosure required in theScore’s privacy notice

Disclosure “at or before the point of collection” requires that disclosure be made in a privacy notice or via user prompts upon installation of the application. The New York Times described limited disclosure during the setup process within the application, but the disclosure already contained in theScore’s privacy notice is likely easily adaptable to or already compliant with the CCPA. The greatest uncertainty surrounds the disclosure of “categories” of personal information and whether theScore’s privacy notice’s “types of information” collected aligns with the CCPA’s designated categories of personal information.

Table A of the Westin Research Center’s CCPA Rights and Obligations Tool shows that the CCPA’s disclosure requirements regarding a privacy notice primarily flow from two subsections: § 1798.130(a)(5)(A)–(C) and § 1798.125(b).

Section 1798.130(a)(5)(A)–(C) directs that a business “[d]isclose the following information in its online privacy policy or policies ... and update that information at least once every 12 months” (see CCPA Rights and Obligations Tool, Table A.1 for a description of the information to be disclosed). Section 1798.125(b) prescribes that additional disclosures be included in the company’s privacy notice if a financial incentives program exists (see CCPA Rights and Obligations Tool, Table A.2).

Disclosure of personal information collected: TheScore’s privacy notice may already meet CCPA requirements

The company satisfies or nearly satisfies its obligations for disclosure “at or before the point of collection” in its privacy notice. Under the second section of the notice, titled “How we collect and use information,” theScore includes 13 “categories” of data that it collects about users and what and how the company uses each category of data — aligning well with the CCPA’s requirement that categories of personal information collected and the purposes for which those categories of information will be used be disclosed “at or before the point of collection.” This suggests that, even without more detailed notice provided by app permissions within the application, theScore may currently be in compliance with the CCPA’s collection disclosure requirements. The challenge for theScore is to map its types of data to the categories of personal information described in the CCPA.

Chart 1, below, matches the CCPA’s “categories” of personal information with theScore’s privacy notice’s “types of information” collected.

Chart 1: Mapping of theScore’s privacy notice “types of information” collected with CCPA categories of personal information

Chart-1_-Mapping-of-theScore-privacy-notice.png

The CCPA discourages transparency

Chart 1 reveals that the CCPA discourages transparency in certain circumstances.

If the CCPA is enforced strictly and in such a way that its “categories” are deemed restrictively prescriptive and the only “categories” businesses may use, then certain disclosures made in theScore’s privacy notice are more transparent and descriptive than their CCPA equivalents. For example, the CCPA’s “identifiers” category maps to at least seven “types of information” described in theScore’s privacy notice. A restrictively prescriptive reading of the CCPA would deem sufficient a privacy notice that merely describes the category of personal information collected as consumer “identifiers.” By contrast, theScore’s disclosure is perhaps more detailed; it provides multiple data types collected, including “information you provide us directly,” “information we may collect and/or receive from third parties,” “analytics information,” “cookies information,” “log file information,” “device identifiers” and “advertising identifiers,” while also providing descriptions for each. The same type of transparency-discouraging effect may apply to what the CCPA categorizes as “internet or other electronic network activity.” Here, theScore provided more detailed disclosure than the CCPA requires.

The CCPA encourages transparency

The opposite effect, however, is seen for certain “types of information” disclosed in theScore’s privacy notice. The “types of information” illustrative of this phenomenon include “information you provide us directly” and “information we may collect and/or receive from third parties.” These two “types of information” from the privacy notice map to multiple CCPA “categories” — indicating that the CCPA’s required categories may be more descriptive and transparent than theScore’s current privacy notice.

Assessing compliance with the CCPA in its current form is a challenge because the categorization of personal information to be used in disclosures to consumers is still not clear. What is clear, however, is that if theScore’s privacy notice is not already compliant with CCPA disclosure requirements for a privacy notice, it can be easily adapted to comply with the CCPA. At the very least, the disclosures theScore provides seem to be in the spirit of the transparency motivation of the CCPA.

Determining which disclosure is better or worse is a value judgment for consumers and a question for the California Legislature to grapple with as the CCPA’s enforcement date approaches. But, there is an argument in favor of theScore’s current approach to disclosure — one that expands on the CCPA’s “identifiers” category into more specific types of information, for example, rather than adopting the CCPA’s categorization of personal information. The issue, at least, appears to warrant further clarification from the California attorney general or California Legislature prior to 2020.

Disclosure of personal information sold or shared for a business purpose: TheScore’s privacy notice likely already meets CCPA requirements

TheScore’s privacy notice may also already conform with the CCPA’s privacy notice disclosure requirements governing the sale and disclosure for a business purpose of consumer personal information.

The CCPA contains category and temporal disclosure requirements

Section 1798.115(c) states that a business “shall disclose ... [t]he categories of consumers’ personal information it has sold, [or disclosed for a business purpose,] or if the business has not sold [or disclosed for a business purpose] consumers’ personal information, it shall disclose that fact.” The section also references § 1798.130(C) which adds a temporal component to the disclosure: “the categories of personal information it has sold [or disclosed for a business purpose] in the preceding 12 months by reference to the enumerated categories.”

TheScore application meets or exceeds the CCPA’s requirements

In the third section of its privacy notice, titled “Sharing of Your Information,” theScore includes seven subsections that describe its data-sharing practices. In these subsections, the company states that it shares information with “third party business partners” that function on the company’s behalf to assist with serving advertisements within its services, analyzing data, and providing marketing assistance. “Third party business partners” is an undefined phrase. Data shared with third-party business partners includes cookies, server logs, unique identifiers, advertising identifiers, location data and clear GIFs. Each data type is described in the prior section of the privacy notice. Importantly, the company states that it “may also aggregate or otherwise strip data of all personally identifying characteristics ... and may share that aggregated, anonymized data with third parties.” The privacy notice also discloses that theScore uses third-party data analysis service providers to inform the company about consumers’ use of its services. These disclosures appear to satisfy the §§ 1798.130(C)(ii), .115(c) obligation to disclose a list of categories of personal information disclosed about consumers for a business purpose in the preceding 12 months.

The “Ads on the Service” subsection of the privacy notice is particularly relevant to The New York Times’ article and appears to satisfy the §§ 1798.130(C)(i), .110(c) requirement to disclose a list of categories of personal information sold about consumers in the preceding 12 months. It states the following:

"[TheScore] may also share certain information and data, such as [a list of data types described in the prior section] with our advertising partners to deliver advertisements ... that may be of interest to you. We may allow third party advertisers, including but not limited to direct advertisers, ad networks, ad exchanges and private advertising marketplaces ... to serve advertisements on the Service. These Advertisers use technology to send, directly to your browser or mobile device, the ads and ad links that appear on the Service, and will automatically receive your Internet Protocol (IP) address when they do so. They may also use other technologies (such as Cookies, JavaScript, Unique Identifiers, Advertising Identifiers, Location Data, and Clear Gifs) to compile information about your browser’s or device’s visits and usage patterns on or off the Service and between multiple platform such as your computer and your mobile device, measure the effectiveness of their ads, and personalize the advertising content to your interests. You can opt out of receiving certain Cookies."

This subsection also includes the bolded statement, “We do not sell, rent, or share PII we collect directly from you or about you from third parties with third party Advertisers for their own marketing purposes, unless you choose in advance to have such information shared for this purpose.”

Whether the above disclosures satisfy the public’s expectation for adequate transparency or reduce the implied opaqueness of the practices described in The New York Times’ article is a decision beyond the scope of this article, but in terms of the CCPA, theScore’s privacy notice obligations appear to be met — specifically by the inclusion of the statements above.

Conclusion

Privacy professionals will grapple with the requirements imposed by the CCPA over the next year. New internal procedures will be designed and implemented to respond to consumer requests, and changes to webpages and digital assets will be required. Some of these new requirements will be onerous for businesses, but others, like new disclosure requirements, may not require much deviation from current practices. This article took an alarmist example from The New York Times — which suggests that the data-collection practices at issue are surprising to consumers — and demonstrated that new laws like the CCPA may not address the gap, if one exists, between consumer expectations and business’ data practices.

 

Photo by Ross Bonander on Unsplash