In support of "consumer privacy in California and streamlining CCPA compliance for both businesses and consumers," the Insights Association urged further changes to the second draft of regulations implementing the California Consumer Protection Act (CCPA).

Filing comments with the California Attorney General on February 25, 2020, the leading nonprofit association representing the insights industry explained that almost all members of the Insights Association -- whether or not they are based in the Golden State -- "will fall within the jurisdiction of the CCPA due to the fact that personal information of California residents is collected and transmitted for legitimate purpose by marketing research and data analytics companies and organizations in most instances."

The redrafted CCPA rules make a variety of changes to the first draft, partially responding to some of the concerns raised by IA in December, but more work remains, and enforcement will commence this summer, likely not long after the regulations are finalized.

The Insights Association advocated for the AG to:

  1. "Promulgate additional clarification on telephone notices, including a short-form option";
  2. "Expand the email-only option for all requests, and apply to all relationships with consumers that are 'exclusively online' ";
  3. "Broaden financial incentive disclosure guidance to contemplate situations where additional, non-monetary consideration is given in exchange for personal information";
  4. "Clarify mobile notice requirements, particularly the meanings of 'reasonably expect' and 'just-in-time' ";
  5. "Loosen restriction on passing through costs of verification to accommodate special circumstances"; and 
  6. "Provide time for businesses to comply before enforcement."

Read the pdf of the Insights Association's comments to the AG, or the full text below:

Dear Attorney General Becerra

The Insights Association (“IA”) submits the following comments regarding the proposed regulations implementing the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code, § 1798.100 et seq.), particularly the most recent edits to the regulations circulated by your office on February 10, 2020.[1]

IA represents more than 545 individual and company members in California, with more than 5,500 members in total (and many of those non-California-based businesses driving revenue for the state through investment, travel and research and analytics studies in California). Virtually all of these members will fall within the jurisdiction of the CCPA due to the fact that personal information of California residents is collected and transmitted for legitimate purpose by marketing research and data analytics companies and organizations in most instances.

IA is the leading nonprofit trade association for the marketing research and data analytics industry. IA’s members include both marketing research and data analytics companies and organizations, as well as the research and analytics professionals and departments inside of non-research companies and organizations. They are the world’s leading producers of intelligence, analytics and insights defining the needs, attitudes and behaviors of consumers, organizations, employees, students and citizens. With that essential understanding, leaders can make intelligent decisions and deploy strategies and tactics to build trust, inspire innovation, realize the full potential of individuals and teams, and successfully create and promote products, services and ideas.

What is “marketing research”? Marketing research is the collection, use, maintenance, or transfer of personal information as reasonably necessary to investigate the market for or marketing of products, services, or ideas, where the information is not otherwise used, without affirmative express consent, to further contact any particular individual, or to advertise or market to any particular individual. An older definition of marketing research, used in California S.B. 756 in 2017, was “the collection and analysis of data regarding opinions, needs, awareness, knowledge, views, experiences and behaviors of a population, through the development and administration of surveys, interviews, focus groups, polls, observation, or other research methodologies, in which no sales, promotional or marketing efforts are involved and through which there is no attempt to influence a participant’s attitudes or behavior.”

As IA indicated in comments submitted on December 6, 2019 regarding the first draft of CCPA regulation,[2] the CCPA will have a profound impact on the business community, including the marketing research and data analytics industry. In this regard, we appreciate the opportunity to submit additional recommendations on the latest draft CCPA regulations.

1. Promulgate additional clarification on telephone notices, including a short-form option.

The most recent edits to the regulations clarify in § 999.305(a)(3)(d) that, “[w]hen a business collects personal information over the telephone or in person, it may provide the [collection] notice orally.”

As we argued in previous comments, in many cases the notices required to be read over the phone would include not only collection notices, but also opt-out notices and, potentially, financial incentive notices as well. This extended “preamble” to a phone call would be significantly detrimental to phone researchers. Response rates for U.S. telephone surveys rarely exceeds ten (10) percent. The addition of an extended notice to the front-end of all calls will likely result in significant drop-off rates from these already low rates. It would likely prove impossible to find respondents willing to sit through such a preamble before finally being given an opportunity to provide their opinion for a public opinion or political poll or in response to a government-sponsored survey.

As such, we urgently request that the finalized regulations allow for a short-form collection and opt-out notice for telephone interactions. For example, a short-form notice might, in simple straightforward terms: (i) alert the consumer that personal information will be collected; (ii) alert consumers of their right to opt out; and (iii) direct users to a privacy policy (likely online) where more information can be found or provide them the opportunity to give their email address and receive it via email.

We believe such a short-form notice would, by shortening the amount of “legalese” confronting consumers, better further the goals of the CCPA without unnecessarily inhibiting legitimate research.

2. Expand the email-only option for all requests, and apply to all relationships with consumers that are “exclusively online.”

The recent edits also stipulate in § 999.312(a) that “[a] business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests to know.”

While IA lauds this edit, we suggest the following two additional changes which would better streamline the request process for both consumers and businesses:

First, this email-only option should be expanded to all requests, not just requests to know.

Second, the email-only option should be expanded to all relationships between consumers and businesses that are exclusively online, even if the business itself operates separately in a non-online context.

The reason for this second request is simple. In the marketing research and data analytics industry, as many other industries, firms often have relationships with individual consumers that are exclusively online, but relationships with other consumers that are not. For example, a marketing research firm may operate an online survey panel, but also conduct phone research. As the regulations are currently drafted, a firm that engaged both these modalities would not be able to avail itself of the email-only option with respect to its online survey panel, even though email is a perfectly viable, and indeed the most appropriate, option for communicating with those panel members, who are already accustomed to online interaction with the firm.

3. Broaden financial incentive disclosure guidance to contemplate situations where additional, non-monetary consideration is given in exchange for personal information.

Following the latest edits to the draft regulations, the financial incentive notice remains problematic for the marketing research and data analytics industry. In particular, the “value” calculation imposes an unrealistic and poorly-suited requirement in situations where financial incentives are not being given in a simple quid pro quo for personal information, as in a traditional loyalty program.

In our industry, financial incentives, such as a gift card or reward points (which are usually small in value), are frequently offered to encourage participation in a survey or other research study. These incentives are not designed to be simple compensation for a participant’s services or his or her personal information. Instead, these small incentives are designed to sweeten the value proposition for a potential participant just slightly in an effort to bolster participation rates. Participants generally enjoy participating in research studies and giving their opinions. Indeed, participants often elect to respond without additional financial incentive at all.

In other words, there is a more complicated mix of motivations or “consideration” at play when a person chooses to participate in research. The finalized CCPA regulations should reflect this reality. While the Insights Association understands the need for some kind of notice, such notice should be flexible enough to accommodate more complex situations. For example, the following text could be added at the end of your most recent addition at § 999.337(b) of the draft regulations: “In its notice of financial incentive, a business may also identify any additional consideration the consumer is receiving aside from the incentive, and request the consumer’s acknowledgement that the incentive and additional consideration together constitute fair value for the personal information.”

Insights produced by our industry, often utilizing participant incentives in the development process, drive decisions across all sectors of the economy, including government.

4. Clarify mobile notice requirements, particularly the meanings of “reasonably expect” and “just-in-time.”

The updated draft regulations specify in § 999.305(a)(4) that “[w]hen a business collects personal information from a consumer’s mobile device for a purpose that the consumer would not reasonably expect, it shall provide a just-in-time notice containing a summary of the categories of personal information being collected and a link to the full notice at collection.”

The Insights Association respectfully requests that your office further clarify the meaning of “reasonably expect” in the above edit. The example added in the latest edits, related to the flashlight application, is helpful, but still incomplete and therefore unsatisfactory. For example, must the notification appear each time the app is used? Solely the first instance of collection?

Likewise, IA requests further clarification on the meaning of “just-in-time.” Is a pop-up notification the only way to comply with this requirement? Does the notification need to be presented every time an application is opened, or only the first time a consumer uses the application? We believe these and similar questions remain open, after the edits.

5. Loosen restriction on passing through costs of verification to accommodate special circumstances.

The draft regulations also now prohibit businesses in § 999.233(d) from “requir[ing] the consumer to pay a fee for the verification of their request to know or request to delete.” The regulations go on to explain that a business may not, for example, “require a consumer to provide a notarized affidavit to verify their identity unless the business compensates the consumer for the cost of notarization.”

While this requirement is perhaps necessary as a general rule, it may also be problematic for businesses in certain special cases where the only way to verify a person’s identity or an authorized agent’s authority is through a notarized document. In cases of death, for example, this provision may unnecessarily increase costs for businesses when dealing with executors, relatives or loved ones who are making requests under CCPA on behalf of the deceased, where such dealings regularly require the provision of a notarized death certificate and executor short form.

This provision is also potentially ripe for abuse. When a consumer submits an erasure request on behalf of a friend or relative, for example, how would the consumer prove they are who they claim to be and that they are in fact acting on behalf of another consumer? All of this would require official documents of some form, such as a birth certificate (or a death certificate, as in the prior example), and would require authentication via an apostile or notary, the services of which will not be provided for free. Since the regulations prevent passing such costs on to the party seeking verification, this could quickly become an undue burden on businesses.

6. Provide Time for Businesses to Comply Before Enforcement.

Given the absence of lag time between the release of final CCPA regulations and the onset of CCPA enforcement this summer, the Insights Association urges that CCPA enforcement be delayed until January 1, 2021. This would give businesses the minimum amount of time to comply with these complex new privacy requirements – many of which were not in the original statute or were changed in various ways by the regulation – and ensure that consumers are duly protected and accommodated.

Conclusion

The Insights Association hopes the above comments will be useful to you and your staff. We look forward to answering any questions you may have about the marketing research and data analytics industry and working with you and your office in furtherance of consumer privacy in California and streamlining CCPA compliance for both businesses and consumers.