Companies find the California Consumer Privacy Act much more prescriptive than most other privacy laws. It contains a multitude of definitions, defined terms, and technical drafting errors and ambiguities, and the state legislature is considering numerous amendments. One term that is used multiple times in the statute and not defined in the current version of the CCPA or any of the amendment bills is the term "account." Therefore, businesses must develop a perspective on the definition of account as they work to operationalize their CCPA compliance programs with respect to data access requests.
If a California resident asks for the personal information that a business holds about the Californian, the business must provide a copy "delivered through the consumer's account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance." Companies that operate websites or mobile apps wonder whether account narrowly means the segment of their web or mobile site where consumers register for use of the site or whether account means more broadly the entirety of their offline and online relations, which may include communications via phone, SMS, snail mail and other channels. A narrow definition could be convenient for some companies and consumers. Other businesses may be forced into additional development work, and some consumers may find it inconvenient or an outright hindrance if they are forced to receive data access through online accounts if they do not usually access their accounts online.
The GDPR is less specific and avoids definitional ambiguity
For comparison, the EU General Data Protection Regulation provides in Article 15(3): "The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form." There is no mention of account in the data access context, but there is a focus on user choice and convenience for data subjects.
The plain language meaning of account supports a broad definition
The CCPA does not provide a formal definition of account. In everyday language, "account" means a formal business arrangement that involves regular transactions, payments, payment terms and offset arrangements. Many consumers maintain accounts with banks, credit card companies, utility companies, fitness studios, airline loyalty program operators, retail club card providers and other businesses. A consumer who is in collections will have an "account" with the collection agency, but that does not mean that the account is accessible online.
In recent years, more and more businesses enable consumers to access accounts online through websites and mobile apps, but in many cases, consumers access accounts at ATMs, in stores, via the phone or other communication channels, and they receive account statements and other materials on paper via postal mail. In many use cases, there are significant limitations due to screen size, connection bandwidth, or data input and output mechanisms to allow for a user to effectively request or receive information within the product or service.
Therefore, based on the literal meaning of the term "account," businesses are not required under the CCPA to deliver personal information requested by a California resident via an account segment on a website or mobile app but merely to communicate via one of its routine communication methods established in the account relationship.
Use of the term within the CCPA supports a broad definition over a narrow definition
The CCPA provides multiple detailed definitions for terms found in the statute in Section 1798.140, but it does not include a definition for account. Canons of statutory construction dictate that account must be understood in its ordinary, everyday meaning, unless the context indicates that it bears a technical sense (borrowing former Justice Antonin Scalia's and Professor Bryan Garner's influential description of the ordinary meaning canon of statutory construction in "Reading Law: The Interpretation of Legal Texts"). Historically, account has not meant "webpage or mobile app segment," and the context within the CCPA supports a broader, common language understanding of the term. The term "account" appears 13 times in the CCPA – nine times as a noun or adjective and four times as a verb:
§ 1798.130(a)(2) – referring to a consumer request exercising one of the consumer rights contained in the CCPA, except for the right to opt out of the sale of personal information.
§ 1798.135(a)(1) – placing limitations on a business in reference to a consumer exercising the right to opt out of the sale of personal information.
§ 1798.140(d)(5) – offering an example of a "business purpose."
§ 1798.140(o)(1)(A) – offering examples of identifiers under the definition of "personal information."
§ 1798.145(g)(1) – referring to "notwithstanding a business's obligations to respond to and honor consumer rights requests pursuant to this title"; account is used as a verb and is irrelevant to the discussion in this article.
§ 1798.145(g)(3) – setting parameters for the elements a business may consider when responding to a consumer request; account is used as a verb and is irrelevant to the discussion in this article.
§ 1798.185(a)(7) – referring to the attorney general's responsibility for rulemaking.
Use of the word as a noun or as a descriptor attached to a noun has compliance implications for businesses. A narrow definition of account merely refers to a consumer created profile, whereas a broad definition of account refers to a general consumer business relationship.
The CCPA requires that a business "[d]isclose and deliver the required information to a consumer [after] receiving a verifiable consumer request from the consumer" (§ 1798.130(a)(2), describing operational capabilities necessary to comply with various consumer rights sections of the CCPA). The delivery of information "shall be made in writing and delivered through the consumer's account with the business, if the consumer maintains an account …, or by mail or electronically at the consumer's option if the consumer does not maintain an account with the business" (Id.).
The above phrase is the first appearance of "account" in the CCPA and serves a gateway function: If a consumer "maintains an account," the consumer does not have access to a choice in how a request is delivered. Without an account, a consumer may choose how a business delivers a response to a consumer request. For a business, the existence of a consumer account lowers the potential administrative burden represented by a consumer request because the business, not the consumer, has the choice in how the response is delivered: If an account refers narrowly to a consumer-facing profile within a business's systems, then a business may only insist upon delivery of a request through that type of profile if a consumer has proactively created an online profile. If, instead, an account refers more broadly to a consumer-business relationship, then the business may exercise more control over how it responds to a consumer request, and the control is independent of any action taken by a consumer.
For example, consider a situation in which a consumer ordered a product online from a business and checked out as a "guest" but included an email address to receive the order confirmation, rather than choosing to create an online account with the business when prompted during the checkout process. In this situation, a consumer may have an "account" with a business – an existing relationship and even a digital representation of that relationship in the form of a transaction number – but the consumer does not have a narrow definition of account in the form of a consumer created profile. When the consumer later submits a verifiable consumer request to the business, does the consumer have the choice to receive the response from the business "by mail or electronically," or can the business leverage the existing broad-definition account – a pre-existing consumer-business relationship – that produced a communication channel from the previous transaction, the email address, and make the choice unilaterally to deliver the response to the email address? The meaning of account determines the answer.
Subsequent uses of the word "account" in the CCPA show similar ambiguity:
"A business shall not require a consumer to create an account in order to direct the business not to sell the consumer's personal information" (§ 1798.135(a)(1), prohibiting a business from requiring that a consumer create an account to exercise the consumer's right to opt out of the sale of personal information to third parties).
"Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider" (§ 1798.140(d)(5), offering examples of a "business purpose").
"Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers" (§ 1798.140(o)(1)(A), offering examples of identifiers under the definition of "personal information").
Subsection 1798.185(a)(7), directing the attorney general to conduct rulemaking, appears to offer some clarification for "account," but a question about the application of the subsection to other sections of the CCPA leaves open ambiguity:
"Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer's or the consumer's authorized agent's ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account [(used as a verb here and irrelevant to this discussion)] available technology, security concerns, and the burden on the business, to govern a business's determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business's authentication of the consumer's identity, within one year of passage of this title and as needed thereafter."
Here, the CCPA references a specific type of account, a "password-protected account maintained by the consumer," which implies a narrow definition of the term. This level of specificity, however, does not appear anywhere else in the statute, so it indicates that less-specific references are intended as a broader concept, including online and offline communication channels. The distinct uses of the term within the statute suggest that its definition is different in different contexts (see the presumption of consistent usage canon of statutory construction, which presumes that a word or phrase has a consistent meaning throughout the text, unless a material variation in usage suggests a variation in meaning), and most frequently the context dictates a broad definition for account. The subsection explicitly references Sections 1798.110, .115, and .130 – a consumer's right to request the disclosure of personal information collected, a consumer's right to request the disclosure of personal information sold to a third party or disclosed for a business purpose, and general compliance requirements placed on a business, respectively – and by reference via Section 1798.130, Sections 1798.100, .105, and .125 – the right to request access to personal information collected, the right to request deletion of personal information collected, and a prohibition on discrimination, respectively. Consequently, the rulemaking subsection references every consumer right found in the CCPA except for a consumer's right to opt out of the sale of personal information to a third party, Section 1798.120.
Moreover, the provisions of the CCPA should be interpreted in a way that renders them compatible, not contradictory, to each other (see the harmonious-reading canon). The CCPA does not only apply to companies that operate websites, mobile sites or other online offerings. "Business" is defined to include brick-and-mortar companies. Therefore, in the legislative context, account cannot be interpreted to mean only "account segment of a web or mobile site" because it would practically exempt offline operators from CCPA requirements contrary to the statutory scope (see the whole-text canon).
Additionally, Section 1798.130(a)(1) states that a business is required to make available "two or more designated methods for submitting requests, including at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address." Subsection 1798.130(a)(1) clarifies that requests pursuant to Sections 1798.110 and 1798.115 can be made through "designated methods for submitting requests," which includes "a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185." If consumers can submit requests via mail or phone within their account arrangement, businesses should be able to respond within the same catalogue of options.
Moreover, the largely parallel wording in Subsections 1798.100(d) and 1798.130(a) supports a broader and common-language understanding of account. The legislative context shows a focus on "without hindrance," which appears in both subsections, as opposed to "through the consumer's account," which only appears in Subsection 1798.130(a). Subsection 1798.130(a) is more comprehensive and supports an understanding of both subsections to mean that "through the consumer's account" is intended to clarify the meaning of "without hindrance." This, in turn, means that the function of the requirement "through the consumer's account" clarifies that where an account arrangement exists, the business shall respond via the existing account in order to avoid creating additional hindrances for the consumer who wants to access their personal information. Where a business regularly communicates via multiple, alternative channels with a consumer, including snail mail, email, phone, website and mobile site, the business would not create a "hindrance" by selecting any of these channels. Where a business only communicates via phone or snail mail with a consumer who does not have internet access, delivering responses via snail mail could be viewed as an undue hindrance, and the term account could not be interpreted as meaning "online account" in such a scenario.
A wider reading of the California code supports a broad definition
Reading the CCPA as one component of the broader framework of California statutes – specifically, the California Civil Code and the California Business & Professions Code – also supports a broad definition of account.
Other California statutes use account in different contexts with different meanings, especially when it comes to financial protection laws (e.g., deposit accounts, security accounts, escrow accounts). For instance, "consumer's account" is used in California Civil Code Section 1799.202 in the context of accounts with financial institutions, and in California Business & Professions Code Section 17538 in the context of accounts with prepaid calling card companies.
Likewise, "online account" is used by lawmakers in laws dealing with privacy and data security. For example, California Civil Code Section 1798.81.5(a) of the California Customer Records Act states: "It is the intent of the Legislature to ensure that personal information about California residents is protected and to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information." Section 1798.81.5(a)(2) defines the terms "own" and "license" to include "personal information that a business retains as part of the business' internal customer account or for the purpose of using that information in transactions with the person to whom the information relates." In that same section, "personal information" is defined to include: "account number … password that would permit access to an individual's financial account" and "a username or email address in combination with a password or security question and answer that would permit access to an online account." Section 1798.82 also uses "online account" when describing business obligations in the case of a data breach of an online account.
During the Assembly Committee on Judiciary hearing on the CCPA, lawmakers stated that the bill sought to modernize and strengthen consumers' rights under the CCRA and cited several definitions of the CCRA, including those mentioned above. Like the CCPA, the CCRA does not define the term "account." Instead, the CCRA expressly calls out the type of account, whether it is financial or online. The fact that "online" or "password-protected" was not used adjunct to "account" in Section 1798.130 of the CCPA, as lawmakers have done in the past, reinforces the position that "account" does not only entail online accounts and should be interpreted to have a broad definition that refers to an existing consumer-business relationship.
The legislature intended access "without hindrance," which requires a broad definition
One theme echoed throughout the CCPA is that delivery must be made "without hindrance" to the consumer. In that respect, businesses must deliver data to a consumer who has established a formal account with the business (e.g., as an airline passenger, banking customer, phone subscriber or service provider) within the course of dealing and terms established for such accounts. Businesses should respond to an account holder's inquiry without demanding additional, burdensome authentication, at least to the extent the account holder requests data that businesses previously collected and made available within the framework of an account arrangement. In other words, businesses cannot treat the account holder as a complete stranger when it comes to data access requests. This does not mean, however, that businesses must present the data on a particular app or webpage associated with the account (even though that may often be a mutually convenient method). Businesses are free to deliver data in response to data access requests via email, regular mail or a website or mobile app, depending on how they usually communicate with their customers and other business partners.
Conclusion
Based on everyday language, as well as contextual and purpose considerations, businesses should deliver information in response to data access requests within the established communication channels of accounts with consumers. This can mean the narrowly defined account segment of a web or mobile site, or also phone, fax, SMS, postal mail, ATMs and other communication channels, depending on the business's practices and an existing broadly defined consumer-business relationship account.