PRIVACY, PRICING, AND THE VALUE OF CONSUMER DATA: THE COMPLEX NATURE OF THE CCPA’S NON-DISCRIMINATION REQUIREMENT

By Jeewon Kim Serrato and Lawrence Wu¹

I. INTRODUCTION

Much like how there was debate in the past on whether the goals of antitrust and intellectual property law were incompatible or complementary,² we should anticipate many debates on how the goals of privacy law may affect the way firms compete, particularly when consumers are given a choice of opting in or opting out of providing companies with their personal information and when those choices may be affected by the prices charged and the services offered by those companies. With the passage of the California Consumer Privacy Act (CCPA),³ which went into effect on January 1, 2020, this issue is now front and center.

The CCPA is a first-of-its-kind law that requires businesses to calculate the value of consumer data. While it includes several new consumer rights, such as the right to know, right to delete, and a right to opt-out, this article will focus on the right to non-discrimination and the complexities that businesses will face as they navigate three things: the need to ensure consumers’ right to privacy and non-discrimination under the CCPA; the ability to offer competitive prices and marketing incentives to meet consumer demands; and the opportunity to earn revenue from the consumer data they may be able to collect, sell, and retain. These three interrelated objectives complicate what businesses may have to do to meet one of the fundamental requirements under the CCPA, which is this: if a business offers financial incentives or a price or service difference as compensation for the collection, sale, or retention of consumer data, the business must explain how the incentives or price or service difference are reasonably related to the value of the data to the business. This is uncharted territory; and while we wait to see what enforcement actions the California Attorney General brings under this law, which began on July 1, 2020, we cannot underestimate the lasting impact the law may have on the global privacy discourse and how regulators view the respective rights and powers the consumers and businesses have in controlling the use of personal data that is collected about individuals.

II. THE RIGHT TO NON-DISCRIMINATION UNDER THE CCPA

One of the most groundbreaking aspects of the CCPA is the notion that consumers have a right to non-discrimination, under which businesses are prohibited from discriminating against consumers who exercise their privacy rights, such as the right to know, delete, or opt-out of the sale of their personal information. To comply with the CCPA, businesses must include a statement in their privacy policies informing consumers that they have a right "not to receive discriminatory treatment" for exercising their CCPA rights.

[Page 100]

While the CCPA does not define what it means to "discriminate," it provides a nonexclusive list of practices that may qualify as discriminatory, which includes responding to a consumer by:

• Denying goods or services;
• Charging different prices;
• Providing a different quality of goods or services; and
• Suggesting that the consumer may receive a different price or rate.⁴

Because enforcement of the CCPA has only begun on July 1, 2020, we have yet to see how the Office of the Attorney General of the State of California (OAG), which has the sole authority to bring an enforcement action under the law, interprets this provision. According to the Frequently Asked Questions that were published by the OAG, "Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA."⁵ This does not mean, however, that consumers have an unlimited right to non-discrimination without consequences. The OAG provides two examples of potential consequences: (1) "if you refuse to provide your personal information to a business or ask it to delete or stop selling your personal information, and that personal information or sale is necessary for the business to provide you with goods or services, the business may not be able to complete that transaction";⁶ or (2) "[i]f you ask a business to delete or stop selling your personal information, you may not be able to continue participating in the special deals they offer in exchange for personal information."⁷ Not being able to complete the requested transaction or not allowing customers to participate in special deals, however, are often not the desired outcome for businesses, so how can businesses offer promotions, discounts and other deals in exchange for collecting, keeping or selling your personal information?

The CCPA provides certain exceptions to the general prohibition on discrimination. Businesses may charge different prices or offer different levels of service if the difference is "directly related to the value provided to the business by the consumer’s data."⁸ The CCPA also permits businesses to offer financial incentives—including payments to consumers as compensation for the collection, sale, or deletion of personal information—as long as the programs are not "unjust, unreasonable, coercive, or usurious in nature,"⁹ and if businesses notify consumers of these financial incentives, obtain opt-in consent prior to enrolling a consumer in a financial incentive program, and provide consumers with the opportunity to revoke consent for such programs at any time.¹⁰

[Page 101]

This has generally been interpreted to mean that the CCPA was intended to allow businesses to offer tiered pricing or service levels so long as the financial incentive or price or service difference is reasonably related to the value of the consumer’s data. However, any business that is seeking to rely on this exception must first calculate a good-faith estimate of the value of the consumer’s data or show that the tiered pricing or service levels are reasonably related to the value of the consumer’s data. For example, this means companies need to prepare a good faith estimate of the value of the data that is the basis for the financial incentive, price difference, product difference, or service difference that they may offer to consumers in order to incentivize them to not exercise their right to opt-out from the sale of their personal information. Companies will also need to describe the methodology they are using to calculate that value.

III. "CONSUMER," "PERSONAL INFORMATION," AND "SALE" UNDER THE CCPA

In order for a business to understand when this non-discrimination right may be triggered and to calculate the value of the personal data, it must first understand the key terms under the CCPA which are defined broadly and may be different than what most people expect. Again, there have not been any enforcement actions that provide guidance on how each of these terms should be interpreted and applied in practice.

First, the term "consumer" under the CCPA generally means "a natural person who is a California resident."¹¹ Thus, CCPA requirements should only apply to California residents. However, it is possible that questions may arise relating to the applicability of the law to persons who lived in California only part of the time, California residents whose information was collected before they were California residents but continue to be processed after they have moved to California, and to what extent the legal requirements would apply to data that belong to California residents but collected outside of California. Even if we have determined that CCPA does not apply to a specific data processing activity, over a dozen states are contemplating CCPA-like laws and thus the concept of non-discrimination may be extended to other jurisdictions. Businesses that do not segment their data based on geographic locations or based on the time of collection may also face challenges in determining what data is in scope under the CCPA or other consumer privacy laws that are jurisdiction-specific.

Second, "personal information" under the CCPA is defined as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."¹² This is a very broad definition of what may constitute personal information and therefore protected under the law. For instance, information such as behavioral analytics and inferences based on interaction with websites which are used to create profiles about a consumer reflecting the consumer’s preferences may be in scope. In contrast, the CCPA’s definition of "personal information" does not include information lawfully made available from federal, state, or local government records, which the OAG acknowledges are often sources used by data brokers.¹³

[Page 102]

Third, the terms "sell," "selling," "sale," or "sold," are defined as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."¹⁴ Because of this broad definition, even transfers that do not involve a financial payment could constitute a sale under the CCPA. Most companies don’t sell their data for money, but they may engage in bulk data sharing for product improvement or inventory control. In order for data transfers to not be considered as a "sale," businesses can rely on the "business purpose" exception. Specifically, a business can use the personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that "the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected."¹⁵

One of the most closely watched areas of CCPA compliance is to determine to what extent a service provider may collect and use personal information for marketing or advertising purposes. Although the CCPA explicitly allows businesses to use the personal information for providing marketing or advertising services under this business purpose exception,¹⁶ it is possible the OAG may have a more limited view on whether and how this business purpose exception may apply to service providers.¹⁷

The final regulations, which went into effect on August 14, 2020, would allow service providers to use the personal information obtained in the course of providing services for "internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source."¹⁸ This is consistent with the CCPA’s definition of "business purpose" which also appears to be concerned with the building of consumer profiles; it allows "[s]hort-term, transient use, provided the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction."¹⁹ Thus, it would seem that use of personal information by businesses and services providers would not constitute a "sale," as long as personal information is either not disclosed to a third party or the third party can meet the requirements under the "business purpose" exception as a "service provider." Although it may be tempting to think of this as a bright-line rule, each of those terms, as we noted above, require a close examination and an assessment based on specific contexts.

[Page 103]

Even if a business is not able to rely on the business purpose or service provider exceptions, there are several other exceptions provided under the CCPA that may apply to specific data processing activities. Thus, any business that is engaging a service provider to provide marketing or advertising services would benefit from an analysis of how the CCPA impacts the business’s ability to engage in such services and whether any assessment of the non-discrimination rights would be appropriate for the data that is transferred to any such service providers.

IV. NOTICE OF FINANCIAL INCENTIVE UNDER THE CCPA

Given the definitions of "consumer," "personal information," and "sale" under the CCPA and the complexities surrounding those key terms that are likely to depend on situation-specific facts, it is possible that many "use case" scenarios involving the transfer of data from one party to another may constitute a sale, and thus be subject to the consumer’s right to opt-out from such sale of personal information. Because in a data economy, the volume, accuracy, and integrity of a data set are important drivers for calculating the value of a certain data set, businesses may be motivated to discourage any consumer actions that would result in the data not being as complete as it can be. Once a business identifies a data processing activity that may be a sale under the CCPA, it may incentivize consumers to not exercise his or her consumer rights, including the right to opt-out or the right to delete, by offering a financial incentive.

A notice of financial incentive must be provided to consumers before they opt-in to any "financial incentive" program, benefit, or other offering that is related to collection, retention, or sale of personal information. For example, businesses that want to incentivize consumers to not opt-out, payment in the form of customer loyalty points, coupons, or discounts may be offered.

The financial incentive notice must include all information a consumer would want to know before consenting to participate in such a program, specifically:

[Page 104]

• A succinct summary of the financial incentive or price or service difference offered;
• A description of the material terms of the financial incentive or price or service difference, including the categories of personal information that are implicated by the financial incentive or price or service difference and the value of the consumer’s data;
• How the consumer can opt-in to the financial incentive or price or service difference;
• A statement of the consumer’s right to withdraw from the financial incentive at any time and how the consumer may exercise that right; and
• An explanation of how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data, including:
1. A good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference; and
2. A description of the method the business used to calculate the value of the consumer’s data.²⁰

The requirement that companies explain how the financial incentive or price difference is reasonably related to the value of the consumer’s data is an important one. This is for two reasons. First, the explanation is part of the notice requirement, which ensures transparency so that a consumer can make an informed decision about whether to accept the incentive. Second, the explanation is needed to ensure that the company can meet the non-discrimination requirement. Specifically, a company cannot treat a customer differently based on whether he or she is opting in or out of the sale of personal information. Both requirements are met if a company can show that the financial incentive (or the product that has a price or service difference) that is offered for the collection or disclosure of consumer information is reasonably related to the value of the consumer’s data.

We can view the requirement as having three components. First, the company needs to explain the material terms of the financial incentive or price or service difference. Second, the company needs to provide a good faith estimate of the value of the consumer’s data, which includes a description of the methodology used to calculate the estimate. Third, the company has to provide those two things together to explain how that financial incentive or price/service difference is related to the value of the consumer’s data. Thus, the requirement is more than coming up with a good faith estimate of the value of the consumer’s data.

It is important to note that the phrase "and the value of the consumer’s data" appears to have been added in the Final Regulations § 999.307(b)(2) by the OAG, to clarify, according to its Final Statement of Reasons, that "’the value of the consumer’s data’ is always a material term of such a financial incentive program."²¹ The OAG adds: "[t]his change is necessary because some public comments appear to mistakenly believe that businesses may operate financial incentive programs without performing a valuation of consumer data. . . . The addition of the words ‘and the value of the consumer’s data’ benefits consumers and businesses by providing clarify and certainty that such value is always among the ‘material terms’ of any financial incentive or price or service difference, as those terms are defined in these regulations."²² Thus, any business seeking to collect or sell personal information may need to evaluate whether its data processing activities actually trigger a potential non-discrimination right and thus a requirement for notice and opt-in consent, which will need to be presented together with the calculation and disclosure of the value of consumer data.

[Page 105]

V. THE TERMS OF THE FINANCIAL INCENTIVE AND THE PRICE OR SERVICE DIFFERENCE OFFERED FOR THE DISCLOSURE OF CONSUMER DATA

Once a business has determined that it seeks to provide a financial incentive for the collection and use of personal information, the incentive offered can be structured in a number of different ways. For example, a company could offer a premium service for $5 per month where users who elect to pay the $5 premium would be able to opt-out from the sale of their personal information, as long as the business can show that the $5 per month payment is reasonably related to the value of the consumer’s data to the business. Another type of incentive is a loyalty program where a company might offer a $5 coupon or discount for purchases of $100 or more. The coupon or discount could be expressed as a percentage discount (e.g., a five percent discount off the price paid) or a dollar amount ($5 off of a $100 purchase). For consumers who join a loyalty program where the personal information is necessary in order for the consumers to enjoy the benefits (e.g., email address and transaction history to provide loyalty benefits), the consumer’s request for deletion maybe denied by the business, as long as the information is necessary for the business to provide the loyalty program requested by the consumer and is reasonably anticipated within the context of the business’s ongoing relationship with the consumer. Indeed, these are two of the examples that appear in the regulation itself.²³ The above examples could get complicated, however, in a number of ways. Here are two examples:

• Scenario 1: Suppose a grocery store would like to start a loyalty program whereby consumers who sign up to the program to receive coupons and discounts must also agree that the information collected from the loyalty program, such as the name and email of the consumer and shopping history, can be shared by the store with other third parties (e.g., consumer goods companies or data brokers). Setting aside the question of whether this is a sale or not, it is worth thinking through how the financial incentive requirement would apply in this context. While the grocer knows that it will be offering some type of coupon, it may not know what coupons it will offer throughout the year, how frequently it will send coupons to members of the loyalty program, and how many or what percentage of the coupons would even be redeemed. Thus, even if the grocer had some idea of the value that a data broker may be willing to pay the company for its data, it is possible that the store cannot say with much certainty the value of the coupons that it will be offering its loyalty program members in the future. What analysis would the grocer have to perform to show that the terms of the financial incentive are reasonably related to the value of the data collected and potentially sold? What terms should the grocer include in the notice and application form for the loyalty program? Can the grocery store avoid this problem by making the data transfer to third parties optional?
• Scenario 2: Suppose the grocer has successfully established a loyalty program whereby it offers a $5 coupon every week to its loyalty program members. Suppose also that the grocer is compliant with the regulation in that it is able to show that the $5 weekly coupons are reasonably related to the value of the data collected and sold. However, market circumstances change and the grocer now wants to offer an additional $10 coupon or discount in addition to the $5 coupon or discount it was previously offering. There could be many reasons why a company may have to offer larger discounts and lower its prices to its customers. The company may be expanding its business into new geographic areas or introducing a new product line. The company also might be facing new or more intense competition from its rivals. Offering an additional coupon or discount in response to competitive conditions would ordinarily be met with appreciation by consumers, but suppose that the revenue that the grocer receives for selling its data has not changed. Would the grocer’s $10 weekly coupon still be viewed as being reasonably related to the value of the data? What analyses would the grocer have to do to show that it remains compliant with the regulation? Should the question of harm and consumer welfare be considered when evaluating the reasonableness of the financial incentive?

[Page 106]

These examples illustrate that complying with the regulation will be no easy task for businesses. Even if it is relatively easy for a company to describe the terms of the financial incentive initially, changes in the marketplace or consumer behavior may make it difficult for the company to describe specifically what those terms are, particularly given certain unknowns. A company may not know in advance how many coupons or discounts it will offer, how many consumers will redeem those coupons or take advantage of those discounts, what types of discounts or coupons are most attractive to consumers, and whether and by how much the coupons and discounts were successful in generating new sales and ultimately, where and how much new revenue was generated by the sale of that data. Moreover, depending on the volume, accuracy and integrity of the data set at large, the value of the individual consumer’s data to the business also may change as a result of market dynamics. Yet the regulation appears to require the company to describe with some reasonable certainty how the financial incentives and any price and service difference offered might be related to the value of the consumer’s personal information that the company may collect, sell, or retain. To estimate the value of any proposed financial incentives and price or service differences, companies may need to draw on market studies, their prior experience with coupons, and other market data that may shed light on the effectiveness of discounts in promoting sales and the use of coupons by consumers of similarly-situated companies, as well as any revenues and expenses related to the collection and sale of personal information.

[Page 107]

VI. ESTIMATING THE VALUE OF CONSUMER DATA

The regulations offer a number of considerations that a company may use to calculate the value of consumer data to the company. These factors include:

• The marginal, average, or aggregate value to the business of the data collected, sold, or deleted;
• The revenue generated by the business from the sale, collection, or retention of consumers’ personal information;
• The expenses that the business may incur in connection with the sale, collection, or retention of the data or with the offer or provision of any financial incentive or price or service difference; and
• The profit generated by the business from the sale, collection, or retention of consumers’ personal information.²⁴

While these factors may appear straightforward at first blush, there are a number of considerations that may come into play as previewed above. First, the value of an individual consumer’s personal information may depend on what other data are being collected. For example, if the data are being sold, the value of an individual’s personal information may not be all that important by itself, but important when aggregated with other individuals’ data. It is also important to think about the different types of data that could be collected. The collection of email addresses is likely to be more valuable if there is associated data on consumers’ home or work zip code location, income category, or age, but less valuable without such data. Thus, it may not be enough for businesses to consider the value of the specific piece of personal information that will be collected by this one particular data processing activity. Businesses also may need to think about how this specific piece of data will be combined with other databases, either internally to be used by the same business or transferred to a third party to be used for a different purpose.

This brings us to our second point. The value of having the data will depend on how the data are used. For example, if the data collected are to be sold to an advertiser, the value may well depend on the value of the data to that advertiser, and the company selling that data may not know this value at the time of data collection. The value of the data to be sold could easily vary from one advertiser to another, based on which other sources of data are available to the advertiser at the time of the sale and which other advertisers are in the market for the company’s consumer data, among other factors. How much an advertiser is willing to pay for the company’s data will affect the price that the company will be able to charge for access to its data, and as the questions above indicate, determining the revenues that the company may earn from selling or licensing its personal data may involve an inquiry into the nature of the personal data being sold and the market in which its buyers of the company’s data may operate.

Third, the regulation asks for the value of the data to the business from selling, collecting, or deleting the data. Consider, for example, the value associated with collecting personal information on one more consumer versus the value associated with deleting that consumer’s personal information. These values may be the same if the individual’s data are sold to an advertiser with many other consumers’ data. But if the company is in the business of selling a product or service to the consumer, it is possible that the added value of obtaining a new consumer’s information is higher than the loss in value associated with deleting that consumer’s information. In the case of gaining consumer information, the company could well be gaining a new customer. In the case of deleting consumer information, the company may have lost that person’s data, but there may be no loss in sales if the expectation is that the consumer is likely to continue purchasing products or services from the company.

[Page 108]

Fourth, the regulation suggests that the company may consider the costs incurred by the company to collect, sell, or retain the data, or to offer the financial incentive or price or service difference when estimating the value of consumer data. For many companies, these costs are likely to be comprised of IT, marketing, and other fixed costs that do not significantly vary depending on how many consumers are served by the company and how many consumers opt-in or opt-out of providing consumer information. In these circumstances, costs may not be useful in determining the value of the consumer’s information to a company, particularly when thinking about the value of any particular individual’s data. However, it may be useful to consider the incremental cost associated with collecting and selling a larger increment of personal data (e.g. data on consumers in a new city or state or new data that had not been collected before), the incremental cost associated with generating an appropriate incremental increase in sales, and/or the incremental cost associated with producing the content that may be available in a premium content offering.

The profit generated by holding or selling consumer data is another factor that may be useful in calculating the value of consumer information. In addition to the complexities associated with estimating the incremental sales revenue associated with collecting or selling the data or the revenue associated with offering the incentive, consideration should be given to the complexities that can arise when assessing the relationship between terms of a financial incentive and profitability.

The relationship may be straightforward in certain cases. Suppose a consumer pays $5 per month for a premium product in order to opt-out of the sale of personal information. This would generate an incremental profit of $5 per month to the company if there is little or no marginal cost associated with serving that one additional consumer. The $5 per month fee for the premium product might make sense if the company is able to sell access to its consumer data for $5 per consumer per month, so the justification for the $5 fee would be the opportunity cost of not being able to sell that consumer’s data. However, the scenarios below highlight some of the issues are likely to complicate the justification for the $5 fee:

[Page 109]

• Scenario 1: Suppose the company faces competition from a new rival that is also selling its consumer data. As a result, the company discovers that it cannot continue selling its data at a price of $5 per consumer per month. Instead, the company has to lower the price to $3 per consumer per month. But the company continues to charge consumers $5 per month for its premium product because the value of the premium product and the cost of producing content for the premium product has not changed. In other words, will businesses be expected to have dynamic pricing where the cost of a premium service to consumers change basedon the ups and downs of the cost to purchase that piece of personal information in the data marketplace? Is it sufficient if that change in price is reflected after periodic review (i.e., annually) or will consumers be able to make a claim that businesses need to offer real-time pricing?
• Scenario 2: Suppose a company that offers a free product decides to introduce a premium product for $5 per month. However, after it introduces its premium product, the company discovers that many of the consumers who were using the free product begin purchasing the premium product. As a result, the company has less data to sell because more of its consumers are buying the premium product and opting out of disclosing their personal information. Because fewer consumers are opting into disclosing their data, advertisers are only willing to pay $3 per consumer per month for the data. With the reduction in the price that the company can charge for its data, is the $5 fee for the premium product still reasonably related to the value of the data collected and sold? What analyses would the company need to do to assess this question?

Complexities also may arise in the situation where a business may have to change the terms of the financial incentives that it offers to its consumers. For example, consider a company that is offering a five percent discount to consumers who are members of its loyalty program (for which they have agreed to disclose their personal information).

• Scenario 3: Suppose the company faces additional competition from the entry of a new rival. In response to that entry, the company decides its best approach is to increase the percentage discount that it offers to its loyalty program members from five percent to ten percent. Suppose, however, that the revenues that the company can generate by selling its consumer data has not changed—the number of loyalty members did not change and the amount and type of data collected by the company did not change. The only change was the increase in the financial incentive that the company is offering its members. After the increase in the percentage discount offered to consumers, is the financial incentive still reasonably related to the value of the data collected and sold?
• Scenario 4: Suppose a retail store discovers that its loyalty program customer retention rates and purchase volume per person over a three year period are not much different from the customer retention rates and purchase volume per person that the retailer experienced before introducing its loyalty program. As a result, the retailer decides that it may be able to improve customer retention rates by offering additional financial incentives. However, because the data collected and sold by the retailer has not changed, the revenues generated by the retailer for its data has not changed. With the introduction of the new financial incentive, is the amount of the financial incentive still reasonably related to the value of the data?

These scenarios illustrate how competition and market dynamics may make the relationship between the financial incentive (or price and service difference) offered and the value of the data more complex. Scenarios 1 and 2 highlight situations where a company has not lowered the price that it is charging its premium service customers, even though the personal data of these customers has become less valuable to parties interested in purchasing or getting access to the company’s data. Scenarios 3 and 4 highlight situations where the company may appear to be offering greater discounts to encourage consumers to disclose their personal data when, in fact, the change was motivated by competitive reasons. In all four scenarios, it was a change in market conditions that led to either a change in the value of the data or a change in the terms of the financial incentive (or price or service difference) offered. Indeed, because competitive conditions in the market for the consumer data sold by the company may not be linked to competitive conditions in the company’s product or service market, complying with the regulation may require the company to explain the nature of competition and pricing in multiple markets—the market(s) for which the data may be used and the market(s) in which the company competes.

[Page 110]

On the surface, explaining how a financial incentive or price or service difference is related to the value of the consumer’s data may seem complex, but it is similar to economic and business analyses that companies undertake in the ordinary course of business. Companies set and adjust the prices of their various products all the time. A company that sells a low-end, mid-range, and high-end product will have to choose the price of each product based on costs, supply, demand, and other competitive market conditions. Companies also study the relationship between their marketing incentives and outcomes all the time. When complexities arise, evidence from these economic and market studies may be more important as part of the compliance process.

VII. CONCLUSION

The CCPA is new and compliance with the regulation raises complex legal and economic issues. This is particularly true with respect to the non-discrimination requirement in the law, which allows companies to offer tiered pricing or service levels along with the opportunity to opt-in or opt-out of providing consumer information as long as they can explain how the financial incentive or price or service difference is reasonably related to the value of the consumer’s data.

The regulation recognizes the basic issues that companies have to address, which is that companies have to (a) explain the terms of the financial incentive or price or service difference; (b) calculate the value of the consumer’s data; and (c) explain how the two are reasonably related. On the surface, this may seem straightforward, but in practice, the terms of the financial incentive may not be easy to explain, particularly if there are unknowns that relate to how often the incentives will be given, how much the incentive will be, how frequently a discount or coupon will be redeemed, or what data the business is collecting and what it’s worth.

There are challenging economic issues that companies must address when they explain how the financial terms that are being offered relate to the value of the consumer data collected. First among these issues is the need to consider the effect of market conditions and competition on the value of the data to the company, the financial terms offered to consumers, and the revenues that a company may earn from the data they collect. Value and price are complex economic concepts and they are central to the compliance process. For example, there is the price of the data sold and the price of a premium product that a company may charge consumers along with the option to opt in or opt out of disclosing personal information. The regulation would seem to require that these two elements be reasonably related, yet the underlying factors that determine the price at which a company may be able to sell its data may be quite different from the factors that determine the price that the company may have to charge its consumers for opting into a loyalty program or some premium product. These are challenging issues because in today’s competitive, dynamic, and fast-moving markets, market changes could easily affect both the value of the data to the company and the financial terms that a company may need to offer consumers who want to participate in a loyalty program or purchase a premium product. As the CCPA has become law, these are issues that companies must be prepared to navigate.

[Page 111]

More broadly, these pricing-related data issues will only broaden the intersection of privacy law and antitrust law. For example, questions related to nascent competition, the acquisition of data in adjacent markets, data grabs, and the role of data in potentially facilitating collusion are all examples of ways the lines between antitrust and privacy objectives and thus enforcement are increasingly becoming blurred.²⁵

California Attorney General Xavier Becerra stated in his press release while announcing the approval of the Final Regulations that "privacy is an inalienable right" and "Californians should control who possesses their personal data and how it’s used."²⁶ By requiring businesses to provide notice and obtain opt-in consent if they wish to offer a different price, rate, level, or quality of goods or services to the consumer based on the collection and use of personal information, the CCPA in essence becomes a first-of-its-kind law that requires businesses to calculate and disclose the value of the consumer’s data. This step of calculating the value of the consumer’s data is an important one, but it will be a complex undertaking due to the interrelationships that touch on consumers’ right to privacy and non-discrimination under the CCPA, the need for businesses to compete and to be able to price and market their products in response to market conditions, and the revenues that a company may be able to earn by collecting, selling, and retaining consumer data. The first step to interrogating the value of consumer’s data may need to begin with the businesses understanding what data they collect, retain or sell.

[Page 112]

——–

Notes:

^1. Jeewon Kim Serrato is a Partner and Co-lead of the Digital Transformation and Data Economy team at BakerHostetler. Lawrence Wu is an economist and President of NERA Economic Consulting. The authors thank Garrett Glasgow for his thoughts and comments.

^2. See U.S. Dep’t of Justice & Federal Trade Comm’n, Antitrust Enforcement and Intellectual Property Rights: Promoting Innovation and Competition (2007), available at https://www.ftc.gov/sites/default/files/documents/reports/antitrust-enforcement-and-intellectual-property-rights-promoting-innovation-and-competition-report.s.department-justice-and-federal-trade-commission/p040101promotinginnovationandcompetitionrpt0704.pdf.

^3. Cal. Civ. Code §§ 1798.100-1798.199 (2018) (effective Jan. 1, 2020).

^4. See Cal. Civ. Code § 1798.125 (a)(1)(A-D) (2018).

^5. California Consumer Privacy Act (CCPA), State of California Department of Justice, https://oag.ca.gov/privacy/ccpa#sectionf (last visited Aug. 31, 2020).

^6. Id.

^7. Id.

^8. See Cal. Civ. Code § 1798.125(b)(1) (2018).

^9. See id. § 1798.125(b)(4) (2018).

^10. See id. § 1798.125(b)(2) (2018).

^11. See id. § 1798.140(g) (2018).

^12. See id. § 1798.140(o)(1) (2018).

^13. See California Consumer Privacy Act (CCPA), State of California Department of Justice, https://oag.ca.gov/privacy/ccpa#sectiong (last visited Aug. 31, 2020).

^14. See Cal. Civ. Code § 1798.140(t)(1) (2018).

^15. See id. § 1798.140(d) (2018) (emphasis added).

^16. See id. § 1798.140(d)(5) (2018).

^17. The OAG, in its Final Statement of Reasons which is part of its rulemaking package, states that "the intent of the CCPA is to prohibit a service provider from using personal information collected from one business for its own business purposes or to then provide services on behalf of a different business." See Final Statement of Reasons, State of California Department of Justice, at 32, available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-fsor.pdf (last visited Aug. 31, 2020) [hereinafter Final Statement of Reasons]. The OAG adds, as an explanation of the modifications in the regulations in § 999.314(c): "[s]ubsection (c) thus accurately reflects the CCPA’s requirement that service providers act on behalf of a business by processing information to further the business’s specific business purpose and not for the service provider’s own business purposes." Id.

^18. Cal. Code Regs. § 999.314(c)(3).

^19. Cal. Civ. Code § 1798.140(d)(4) (2018).

^20. Cal. Code Regs. § 999.307(b)(1)-(5).

^21. See id. § 999.307 (b) (2); see also Final Statement of Reasons, supra note 17, at 17.

^22. See Final Statement of Reasons, supra note 17, at 17.

^23. See Cal. Code Regs. § 999.336(d).

^24. See id. § 999.337(a).

^25. See generally Alyse F. Stach, Ann M. O’Brien and Jeewon Kim Serrato, The thin line between privacy and antitrust, The Privacy Advisor, IAPP (June 23, 2020), https://iapp.org/news/a/the-thin-line-between-privacy-and-antitrust/.

^26. Press Release, State of California Department of Justice, Attorney General Becerra Announces Approval of Final Regulations under the California Consumer Privacy Act (Aug. 14, 2020), https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-approval-final-regulations-under-california.