As California begins to write regulations implementing the California Privacy Rights Act (CPRA), the leading nonprofit trade association for the market research and data analytics industry recommended eight key points for the regulator to follow in implementing this latest comprehensive consumer privacy law.

The Insights Association told the California Privacy Protection Agency (CPPA) on November 8, 2021 that insights companies preparing to comply with CPRA, the 2020 voter-approved initiative that dramatically alters the California Consumer Privacy Act (CCPA) will face "tremendous costs," especially so for small and medium-sized firms "updating and expanding on their already-extensive compliance efforts in connection with" CCPA.

The Insights Association urged CPPA, the new regulator, to:

1. Limit processing which presents a “significant risk" to consumers’ privacy or security to highly sensitive personal information, such as financial account information

CPRA directs CPPA to issue regulations "requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy" to perform annual cybersecurity audits and submit regular risk assessments to CPPA. The agency specifically requested feedback on this provision. The Insights Association urged that "processing which presents a 'significant risk' be limited to processing of highly sensitive personal information, such as financial account or payment card information, social security numbers, or other personal information which, if breached, could result in immediate financial harm to consumers."

2. Limit processing which presents a "significant risk" to processing which occurs on a regular basis or a minimum number of times per year

In addition to limiting “significant risk” scenarios as described above, CPPA "could also clarify that such processing must occur on a regular basis, or at least with some minimal frequency, to trigger the auditing and risk assessment requirements. It does not meaningfully further the spirit of the CPRA, and imposes particularly unnecessary burdens on small businesses, to require an audit and security assessment solely on the basis of one, two, or a handful of isolated instances of processing deemed to present a 'significant risk' in a given year."

3. Limit processing which presents a "significant risk" to processing of at least 100,000 records

Alternatively, the Inssights Association suggested that CPPA "could incorporate some numerical trigger into what constitutes 'significant risk' processing," such as by tracking the figure in the CPRA’s “business” definition of 100,000 records, or selecting "some lower number." CPRA's underlying statutory language "counsels in favor of some such numerical limit. The statute contemplates 'significant risk to consumers’ privacy or security,' language which connotes larger concerns of aggregate risk, not every isolated presentation of risk to any individual consumer or small group of consumers."

4. Limit the audit and risk assessment requirement to businesses who meet one of the first two prongs of the CPRA’s "business" definition

There are three different ways for an organization to be defined as a “business” under CPRA:

  1. annual gross revenues in excess of $25 million;
  2. buying, selling, or sharing the personal information of at least 100,000 consumers or households; or
  3. deriving 50 percent or more of its annual revenues from selling or sharing personal information.

"Because the third prong is not tied in any way to business size or processing volume," the Insights Association said, "it includes a substantial number of small and medium-sized firms in the market research and data analytics industry."

Therefore, the association told the regulator that companies "subject to CPRA solely on the basis of this third prong should be exempt from any annual audit and risk assessment requirements. These audits and risk assessments will be time consuming and expensive, and could in fact cripple small businesses who are just trying to do legitimate marketing research and data analytics work which benefits larger businesses, nonprofit and educational organizations, government entities, and individual consumers.

As an alternative, the Insights Association suggested that the regulator "could limit the audit and assessment requirements based on smaller limits than those in the CPRA’s 'business' definition (e.g., firms that do $15 million in revenue or deal with at least 50,000 records), to protect the smallest businesses from overly onerous regulatory requirements."

5. Clarify that use in research results and reports of "sensitive personal information" is a "reasonably expected" use of information provided in connection with corresponding surveys and research studies

Under CPRA, consumers have the right to request that a business “limit its use of the consumer’s sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.” CPPA has specifically requested comment on “what use or disclosure of a consumer’s sensitive personal information by businesses should be permissible notwithstanding the consumer’s direction to limit the use or disclosure of the consumer’s sensitive personal information.”

The Insights Association registered concern that "if research subjects who have provided sensitive personal information in connection with a survey or study (for example, in connection with a poll about an important political issue) submit such a request, this may compromise research results and leave market research firms in a legally unclear relationship with the research subject. Accordingly, the regulations should stipulate that use of sensitive personal information in research results, and the continued use of those results to draw insights about consumers, is a “reasonably expected” use of sensitive personal information which was freely provided in connection with a survey or research study."

6. Define “disproportionate effort” as those efforts which “do not, in the reasonable discretion of the business, meaningfully add to the consumer’s understanding of the business’s historical practices"

CPRA preserves a consumer’s right to know what personal information is being collected and what personal information is sold or shared and to whom. Previously, under CCPA, these rights were limited to a 12-month “look-back” period. Under CPRA, if a consumer requests to know how information has been collected, sold, or shared, no matter how far back that request might reach, the only limitation on the request is whether it would be “impossible, or involve a disproportionate effort” on the part of the business.

CPPA specifically requested input on what standard should govern a business’s determination that providing information beyond the 12-month window is “impossible” or “would involve a disproportionate effort.”

As explained by the Insights Association, in the insights industry, "information relating to a particular research subject (especially if that research subject participates in a research panel, for example) may appear in multiple studies across a long period of time. A research firm could spend theoretically limitless time and resources to reconstruct all the times a research subject was involved in a study, what information that study collected, and with whom the results were shared. Reconstructing every such instance would not meaningfully advance the consumer’s rights under CPRA, and it is not clear how much of this 'reconstruction' would constitute 'disproportionate effort.' "

Accordingly, the association urged the regulator to "clarify that 'disproportionate efforts' beyond the 12-month window are 'those additional efforts which require time and expense on the part of the business, but do not, in the reasonable discretion of the business, meaningfully add to the consumer’s understanding of the business’s historical practices.' In the above-referenced panel participant scenario, for example, rather than reconstructing the facts around every past study, the business would only be required to make the requested disclosures beyond the 12-month window as necessary to ensure the research subject has a complete (if not completely granular) view of how the research subject’s information is being processed."

7. Exempt market research from notices of financial incentives

"For our members’ research to be effective," the Insights Association said, "they must ensure robust participation," often through the offering of incentives. "For example, a doctor may be offered an honorarium to answer a survey about various pharmaceuticals, or an individual may be offered a gift card to participate in a half-day focus group about the latest television shows."

The insights industry "has worked hard to comply with the financial incentive notice requirement under CCPA," the association asserted, "but the notice of financial incentives requirements were not written with market research in mind; they inhibit research in an unintended way."

That's why the Insights Association resubmitted a request made previously in the drafting of CCPA regulations "that market research incentives and similar rewards to research subjects be exempt from notices of financial incentives requirements under the CPRA. Most significant of all, appropriate notices of financial incentives are already provided in every legitimate market research execution. Adding parallel and/or potentially conflicting requirements will only confuse the issue for Insights members, their clients and the public at-large that participates in this research."

8. Limit the “authorized agent” concept to minors, and elderly or incapacitated individuals

Under CPRA, a consumer can designate an "authorized agent" to submit opt-out requests, and requests to know and delete, without limitation (anyone can submit a request through an authorized agent).

Increasingly, Insights Association members "are receiving requests from purported authorized agents and are caught between, on one hand, wanting to honor legitimate requests and, on the other, the pervasive concern that the authorized agent mechanism invites fraud. Of course, our members take steps to verify such requests, as required by law, but those verification efforts are sometimes difficult to complete without requesting additional information, and tend to frustrate agents and/or consumers as much as they frustrate the business."

The option of using a registered agent "is unnecessary in the vast majority of cases," the association said. It "increases paperwork associated with the verification process, and opens the door for fraudulent requests designed to harm consumers. Except in cases where the consumer is a minor, or someone who genuinely needs an authorized agent to submit a request (such as an elderly or incapacitated individual), the purpose of the law is better served by requiring requests to be submitted by consumers themselves."

--

The Insights Association is the leading nonprofit trade association for the market research1 and data analytics industry. We are the world’s leading producers of intelligence, analytics and insights defining the needs, attitudes and behaviors of consumers, organizations, employees, students and citizens. With that essential understanding, leaders can make intelligent decisions and deploy strategies and tactics to build trust, inspire innovation, realize the full potential of individuals and teams, and successfully create and promote products, services and ideas.