International Trade Today is a service of Warren Communications News.
Nuts and Bolts

Calif. Data Deletion Draft Rules Tackle Direct Relationships, Inferences

Privacy experts said they’re closely watching how a direct relationship is defined in California Privacy Protection Agency draft rules for the Delete Request and Opt-Out Platform (DROP), an upcoming data deletion mechanism required by the California Delete Act. The CPPA last week posted draft rule changes to data broker registration rules (see 2502270066). The board is scheduled to weigh the draft and get a DROP update from staff at its meeting Friday.

A direct relationship “means that a consumer has intentionally interacted with a business for the purpose of accessing, purchasing, using, requesting, or obtaining information about the business’s products or services,” the Feb. 27 draft rules say.

However, “A business does not have a ‘direct relationship’ with a consumer simply because it collects personal information directly from the consumer; the consumer must intend to interact with the business. A business is still a data broker and does not have a direct relationship with a consumer as to personal information it sells about the consumer that it collected outside of a ‘first party’ interaction with the consumer.”

The definition is important because claiming a direct relationship with a consumer lets data brokers avoid deletion requests, said Emory Roane, Privacy Rights Clearinghouse associate director of policy. Previously, “brokers could only claim a direct relationship … if someone intentionally interacted with them within the past three years. Now, the agency has dropped that explicit time limit, broadening the definition in a way that might give data brokers a bit more leeway to hold onto consumer information.” Despite that concession, said Roane, consumer advocates are “not overly alarmed yet, given that most people still won't have knowingly interacted with the vast majority of the 500+ registered brokers.”

Gary Kibel, a Davis + Gilbert privacy lawyer who represents businesses, said “one of the biggest changes is the expansion to the definition of ‘direct relationship.’” Kibel continued, “As a result, many companies that never considered themselves to be a data broker will be swept into this definition and the Delete Act.” The last sentence of the proposed definition means “it’s not enough to have a direct relationship with the consumer,” the attorney said. “It must be a direct relationship with the consumer ‘as to’ certain personal information,” so “you have to analyze each data transaction independently.”

Another significant development in the draft -- and a win for consumers -- is that the CPPA addressed inferences, said Tom Kemp, a tech policy advisor. That’s especially so, he added, after the agency last week specifically raised concerns about a people-search company using public data to make inferences, including about people who may be associated with a searched-for user (see 2502270023). The draft says that when deleting personal information in response to a request, data brokers must delete “all consumer personal information, including inferences based in whole or in part on personal information collected from third parties or from consumers in a non-‘first party’ capacity, that is associated with a matched identifier in the data broker’s records.”

Kemp agreed that data brokers got a win with the CPPA possibly removing the three-year timeframe from the direct relationship definition. “This was a big bone of contention [with] industry as they would have to track in detail the date of ‘interactions’ they had with consumers.” Now under the revised rules, if a customer interacted with and provided personal information to a company six years ago, “but never in the end did business with them,” they would still be considered to have a direct relationship and not have to comply with deletion requests, he said.

Kemp highlighted the draft’s emphasis that the “consumer must intend to interact with a business.” This could mean “it probably behooves businesses [to] capture some sort of proof or documentation on ‘intent of interaction’ with each consumer if they want to make sure that the CPPA does not investigate them if consumers are complaining that they still see their data residing with a given data broker.”

However, that line raises questions for Mintz privacy attorney Cynthia Larose. “What does ‘interact’ mean?” she asked. “Does that include the entry of [personal information] into a form on the business website without anything more?”

The drafted language on direct relationships “seems to push explicit opt-in consent as the strongest legal foundation for data collection,” Ronni Gothard, CEO of privacy compliance software company AesirX, argued on LinkedIn last week. “Wouldn’t the safest way to demonstrate consumer awareness and intent be through clear, documentable opt-in consent? Otherwise, businesses relying on implied consent or passive data collection could be on shaky legal ground.”

Roane said what’s in the CPPA draft “isn't particularly surprising -- but we are getting deep into the practical nuts-and-bolts of how” the data deletion mechanism is “going to work, which is genuinely thrilling.” When DROP goes live for consumers, currently expected Jan. 1, “it's going to be a big win for consumer privacy rights,” he said.