The Insights Association filed comments with the California Attorney General (AG) urging changes to protect the insights industry in the proposed regulations implementing the California Consumer Privacy Act (CCPA).

California's comprehensive and complex privacy law comes into effect on January 1, 2020. Final CCPA regulations should come out not long before the AG begins enforcement of the new law in summer 2020.

"The CCPA will have a profound impact on the business community, including the marketing research and data analytics industry," according to the Insights Association letter. The AG's regulatory impact cost estimate ranges from $467 million to $16.454 billion.

The AG's draft regulations not only flesh out some details left vague or undefined in the law (even after the amendments approved with IA's help in 2019), they also introduce a lot of new concepts and complex requirements. 

The Insights Association advocated in its comments for the AG to: limit the use of “authorized agents” who can file requests on an individual's behalf to minors, and elderly or incapacitated individuals; exempt marketing research from the requirement for notices of financial incentives for research participation or replace the notices with an opt-in regime; allow for email requests in lieu of an interactive webform; clarifying how the Do Not Sell provisions relate to California's existing “Do Not Track” requirements and delay implementation of the requirement; set the required response times for requests to know, delete and opt-out at a uniform 45 days; and issue further guidance on how CCPA applies to personal information collection via telephone.

Learn more about compliance in IA’s CCPA Portal.

Read the Insights Association's comments to the AG on the draft CCPA regulations in PDF or below.

Dear Attorney General Becerra,

The Insights Association (“IA”) submits the following comments regarding the proposed regulations[1] implementing the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code, § 1798.100 et seq.).

IA represents more than 530 individual and company members in California, with more than 5,300 members in total. Virtually all of these members will fall within the jurisdiction of the CCPA due to the fact that personal information of California residents is collected and transmitted for legitimate purpose by marketing research and data analytics companies and organizations in most instances.

IA is the leading nonprofit trade association for the marketing research and data analytics industry. IA’s members are the world’s leading producers of intelligence, analytics and insights defining the needs, attitudes and behaviors of consumers, organizations, employees, students and citizens. With that essential understanding, leaders can make intelligent decisions and deploy strategies and tactics to build trust, inspire innovation, realize the full potential of individuals and teams, and successfully create and promote products, services and ideas.

What is “marketing research”? Marketing research is the collection, use, maintenance, or transfer of personal information as reasonably necessary to investigate the market for or marketing of products, services, or ideas, where the information is not otherwise used, without affirmative express consent, to further contact any particular individual, or to advertise or market to any particular individual. An older definition of marketing research, used in California S.B. 756 in 2017, was “the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior.”

The CCPA will have a profound impact on the business community, including the marketing research and data analytics industry. According to the August 2019 estimate from Berkeley Economic Advising and Research for the Attorney General’s office, compliance with CCPA regulations (not including compliance with the statute itself) would amount to $467 million to $16.454 billion per year.[2] In this regard, we appreciate the opportunity to submit IA’s recommendations on the draft regulations.

Our primary concerns focus on: (1) limiting the “authorized agent” concept to minors, and elderly or incapacitated individuals; (2) exempting marketing research from notices of financial incentives for research participation or, alternatively, providing for an opt-in regime in place of the notices; (3) allowing for email requests in lieu of an interactive webform; (4) clarifying how § 999.315 relates to existing “Do Not Track” requirements, and delaying implementation of this requirement; (5) setting the response times for requests to know or delete and opt-out requests at a uniform 45 days; and (6) issuing further guidance on how CCPA applies to personal information collection via telephone.

1. Limit the “authorized agent” concept to minors, and elderly or incapacitated individuals.

Under the draft regulations, a consumer may designate an authorized agent[3] to submit opt-out requests, and requests to know and delete. Per § 999.326, when a consumer makes a request through an authorized agent, “the business may require that the consumer: (1) Provide the authorized agent written permission to do so; and (2) Verify their own identity directly with the business.”

As currently drafted, there would be no tangible limitation on this procedure; anyone could submit a request through an authorized agent.

This option will be unnecessary in most cases, increase paperwork associated with the verification process, and open the door for fraudulent requests. Except in cases where the consumer is a minor, or someone who genuinely needs an authorized agent to submit a request (such as an elderly or incapacitated individual), requiring requests to be submitted by consumers themselves would better serve CCPA’s purpose.

2. Exempt marketing research from notices of financial incentives for research participation or, alternatively, provide for an opt-in regime in place of the notices.

Under § 999.307, businesses would need to give notice of financial incentives for the purpose of explaining to the consumer “each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate.”[4] The notice would have to include a “good faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive.” Section 999.337 spells out eight different methods for calculating that value.[5]

The regulations requiring notice of financial incentives seem primarily designed to deal with situations where companies offer some discount or free service in return for the sharing or sale of the consumer’s personal information. Such situations often involve passive data collection under terms that are not entirely transparent.

Financial incentives in marketing research are different.

Marketing research requires robust participation and representation to be effective. IA members frequently achieve this by offering financial incentives to research participants (also known as respondents). For example, a doctor may be offered an honorarium to complete a survey about various pharmaceuticals, or an individual may be offered a gift card to participate in a half-day focus group about important public policy issues in their community.

In these and other similar cases, research respondents often participate for a variety of non-monetary reasons, including a desire to share opinions that will help improve product/service quality or simply on subject matter that a respondent may be passionate about. People care about the issues our members ask about, and like giving their opinions. Nevertheless, because of the costs sometimes associated with fielding a research study, insights professionals cannot afford to take participation for granted. Financial incentives of various kinds help complete research as quickly and effectively as possible.

Many exchanges between businesses and consumers involving personal information (such as those between researcher and respondent) are complicated interactions motivated by a variety of reasons. Often, there is no simple quid pro quo involving money for information.

These exchanges are also, at least in the research context, generally entered into freely by both parties. If consumers knowingly consent to a financial incentive like those described in the marketing research scenarios described above, the CCPA’s drafters likely did not intend to interfere in such a relationship.

The regulations do not appear to have been written with marketing research in mind and would inhibit research in an unintended way. Accordingly, the regulations should exempt marketing research participation from notices of financial incentives.

In the alternative, if such an exemption is not feasible,  the regulations should provide an opt-in regime whereby the amount of the financial incentive (if any) will be disclosed prior to the commencement of the marketing research, and the respondent (or individual whose information is being used for marketing research purposes) will have the sole option to determine whether their personal information will be used for research or not.

3. Allow for email requests in lieu of an interactive webform.

Under Sections 999.312 and 999.315 of the draft CCPA regulations, businesses must provide two or more designated methods for submitting requests to know and opt-out, including, at a minimum, a toll-free telephone number and, if the business operates a website, an “interactive webform” accessible through the business’s website.

Many California businesses, including many of our members, have limited resources, both in terms of personnel and technological expertise. Requiring these businesses to launch an interactive webform imposes new burdens without furthering CCPA’s purposes.  As such, email correspondence would better serve CCPA’s purposes by allowing consumers to state their questions and concerns directly, and to start a conversation regarding their privacy on their own terms.

4. Clarify how § 999.315 relates to existing “Do Not Track” requirements, and delay implementation of this requirement.

Under § 999.315, “[i]f a business collects personal information from consumers online, the business shall treat user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid [opt-out] request.”

IA seeks clarification on how this regulation relates to existing requirements related to “Do Not Track” signals. Under current California law, businesses are required to disclose in their privacy policies how they respond to such signals, but are not required to honor them. Would the regulations require that businesses honor “Do Not Track” signals, or would the regulations only apply to “a browser plugin or privacy setting” which more specifically communicates a consumer’s desire that a business not sell their personal information?

A “Do Not Track” signal is not the same as a “do not sell” request. For example, a consumer may set her browser to “Do Not Track” because she does not want businesses tracking her browsing activities (and perhaps serving her with targeted ads), but it does not necessarily follow that the consumer would want to opt out of the sale of her information in every scenario.

Irrespective of this desired clarification, IA requests that the Attorney General’s office delays implementation of any regulation related to a “browser plugin or privacy setting or other mechanism” for an additional year. As discussed above, many of our members are smaller companies with limited technological capabilities. This concern is obviously not just limited to the marketing research and data analytics industry. We believe such smaller businesses will need additional time to work out the complicated implementation and response procedures related to this question. 

5. Set the response times for requests to know or delete and opt-out requests at a uniform 45 days.

Under §999.313 of the draft CCPA regulations, businesses must confirm receipt of requests to know or delete information within 10 days, and respond substantively to the requests within 45 days. Under § 999.315, businesses must “act upon [an opt-out] request as soon as feasibly possible, but no later than 15 days from the date the business receives the request.”

These deadlines are unnecessarily complicated. The timeframe to respond to all requests should be set at a uniform 45 days.

However, the extension to 90 days under § 999.313 (“provided that the business provides the consumer with notice and an explanation of the reason that the business will take more than 45 days to respond to the request”) and the requirement under § 999.315 that third parties be notified of opt-out requests within 90 days should both remain unchanged.

6. Issue further guidance on how CCPA applies to personal information collection via telephone.

Finally, the CCPA applies to the collection of all personal information, by whatever means, but does not give any guidance on unique compliance issues with different modes of collection.

In particular, the current draft regulations do not efficiently address information collection via telephone. For example, in a marketing research phone call where a financial incentive is involved, the caller would have to verbally read out the contents of three different notices: the notice at collection, notice of the opt-out right, and the notice of financial incentive. Such a three-part notice, delivered at the outset of the call, would be unduly cumbersome and likely result in significantly fewer respondents ever completing a research interaction via telephone (current response rates for U.S. telephone surveys rarely break 10 percent already). Such an outcome would not further the purposes of the CCPA.

As an alternative, the finalized regulations could require instead that, where information is collected via telephone, listeners may be directed to a URL where the required notices are posted, or callers may read out a short-form version of the notices.

Conclusion

The Insights Association hopes that the above comments will be useful to you and your staff.

We look forward to answering any questions you or your staff may have about the marketing research and data analytics industry, and working with you and your office in furtherance of consumer privacy in California.

Sincerely,

Howard Fienberg                                              Stuart L. Pardau
Vice President, Advocacy                                 Outside General Counsel
Insights Association                                          Insights Association (and Ponemon Institute Fellow)

 

[2] "Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations." August 2019. http://www.dof.ca.gov/Forecasting/Economics/Major_Regulations/Major_Regulations_Table/documents/CCPA_Regulations-SRIA-DOF.pdf

[3] As defined by § 999.301, an “authorized agent” is “a natural person or a business entity registered with the Secretary of State that a consumer has authorized to act on their behalf subject to the requirements set forth in section 999.326.”

[4] § 999.307. “Notice of Financial Incentive (a) Purpose and General Principles (1) The purpose of the notice of financial incentive is to explain to the consumer each financial incentive or price or service difference a business may offer in exchange for the retention or sale of a consumer’s personal information so that the consumer may make an informed decision on whether to participate. (2) The notice of financial incentive shall be designed and presented to the consumer in a way that is easy to read and understandable to an average consumer. The notice shall: a. Use plain, straightforward language and avoid technical or legal jargon. b. Use a format that draws the consumer’s attention to the notice and makes the notice readable, including on smaller screens, if applicable. c. Be available in the languages in which the business in its ordinary course provides contracts, disclaimers, sale announcements, and other information to consumers. d. Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format. e. Be available online or other physical location where consumers will see it before opting into the financial incentive or price or service difference. (3) If the business offers the financial incentive or price of service difference online, the notice may be given by providing a link to the section of a business’s privacy policy that contains the information required in subsection (b). (b) A business shall include the following in its notice of financial incentive: (1) A succinct summary of the financial incentive or price or service difference offered; (2) A description of the material terms of the financial incentive or price of service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference; (3) How the consumer can opt-in to the financial incentive or price or service difference; (4) Notification of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and (5) An explanation of why the financial incentive or price or service difference is permitted under the CCPA, including: a. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and b. A description of the method the business used to calculate the value of the consumer’s data.”

[5] § 999.337 “(b) To estimate the value of the consumer’s data, a business offering a financial incentive or price or service difference subject to Civil Code section 1798.125 shall use and document a reasonable and good faith method for calculating the value of the consumer’s data. The business shall use one or more of the following: (1) The marginal value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data; (2) The average value to the business of the sale, collection, or deletion of a consumer’s data or a typical consumer’s data; (3) Revenue or profit generated by the business from separate tiers, categories, or classes of consumers or typical consumers whose data provides differing value; (4) Revenue generated by the business from sale, collection, or retention of consumers’ personal information; (5) Expenses related to the sale, collection, or retention of consumers’ personal information; (6) Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference; (7) Profit generated by the business from sale, collection, or retention of consumers’ personal information; and (8) Any other practical and reliable method of calculation used in good-faith.”