Companies find the California Consumer Privacy Act much more prescriptive than most other privacy laws. It contains a multitude of definitions, defined terms, and technical drafting errors and ambiguities, and the state legislature is considering numerous amendments. One term that is used multiple times in the statute and not defined in the current version of the CCPA or any of the amendment bills is the term “account.” Therefore, businesses must develop a perspective on the definition of account as they work to operationalize their CCPA compliance programs with respect to data access requests.

If a California resident asks for the personal information that a business holds about the Californian, the business must provide a copy “delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance.” Companies that operate websites or mobile apps wonder whether account narrowly means the segment of their web or mobile site where consumers register for use of the site or whether account means more broadly the entirety of their offline and online relations, which may include communications via phone, SMS, snail mail and other channels. A narrow definition could be convenient for some companies and consumers. Other businesses may be forced into additional development work, and some consumers may find it inconvenient or an outright hindrance if they are forced to receive data access through online accounts if they do not usually access their accounts online.

The GDPR is less specific and avoids definitional ambiguity

For comparison, the EU General Data Protection Regulation provides in Article 15(3): “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.” There is no mention of account in the data access context, but there is a focus on user choice and convenience for data subjects.

The plain language meaning of account supports a broad definition

The CCPA does not provide a formal definition of account. In everyday language, “account” means a formal business arrangement that involves regular transactions, payments, payment terms and offset arrangements. Many consumers maintain accounts with banks, credit card companies, utility companies, fitness studios, airline loyalty program operators, retail club card providers and other businesses. A consumer who is in collections will have an “account” with the collection agency, but that does not mean that the account is accessible online.

In recent years, more and more businesses enable consumers to access accounts online through websites and mobile apps, but in many cases, consumers access accounts at ATMs, in stores, via the phone or other communication channels, and they receive account statements and other materials on paper via postal mail. In many use cases, there are significant limitations due to screen size, connection bandwidth, or data input and output mechanisms to allow for a user to effectively request or receive information within the product or service.

Therefore, based on the literal meaning of the term “account,” businesses are not required under the CCPA to deliver personal information requested by a California resident via an account segment on a website or mobile app but merely to communicate via one of its routine communication methods established in the account relationship.

Use of the term within the CCPA supports a broad definition over a narrow definition

The CCPA provides multiple detailed definitions for terms found in the statute in Section 1798.140, but it does not include a definition for account. Canons of statutory construction dictate that account must be understood in its ordinary, everyday meaning, unless the context indicates that it bears a technical sense (borrowing former Justice Antonin Scalia’s and Professor Bryan Garner’s influential description of the ordinary meaning canon of statutory construction in “Reading Law: The Interpretation of Legal Texts”). Historically, account has not meant “webpage or mobile app segment,” and the context within the CCPA supports a broader, common language understanding of the term. The term “account” appears 13 times in the CCPA — nine times as a noun or adjective and four times as a verb:

§ 1798.130(a)(2) — referring to a consumer request exercising one of the consumer rights contained in the CCPA, except for the right to opt out of the sale of personal information.

§ 1798.135(a)(1) — placing limitations on a business in reference to a consumer exercising the right to opt out of the sale of personal information.

§ 1798.140(d)(5) — offering an example of a “business purpose.”

§ 1798.140(o)(1)(A) — offering examples of identifiers under the definition of “personal information.”

§ 1798.145(g)(1) — referring to “notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title”; account is used as a verb and is irrelevant to the discussion in this article.

§ 1798.145(g)(3) — setting parameters for the elements a business may consider when responding to a consumer request; account is used as a verb and is irrelevant to the discussion in this article.

§ 1798.185(a)(7) — referring to the attorney general’s responsibility for rulemaking.

Use of the word as a noun or as a descriptor attached to a noun has compliance implications for businesses. A narrow definition of account merely refers to a consumer created profile, whereas a broad definition of account refers to a general consumer business relationship.

The CCPA requires that a business “[d]isclose and deliver the required information to a consumer [after] receiving a verifiable consumer request from the consumer” (§ 1798.130(a)(2), describing operational capabilities necessary to comply with various consumer rights sections of the CCPA). The delivery of information “shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account … , or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business” (Id.).

The above phrase is the first appearance of “account” in the CCPA and serves a gateway function: If a consumer “maintains an account,” the consumer does not have access to a choice in how a request is delivered. Without an account, a consumer may choose how a business delivers a response to a consumer request. For a business, the existence of a consumer account lowers the potential administrative burden represented by a consumer request because the business, not the consumer, has the choice in how the response is delivered: If an account refers narrowly to a consumer-facing profile within a business’s systems, then a business may only insist upon delivery of a request through that type of profile if a consumer has proactively created an online profile. If, instead, an account refers more broadly to a consumer-business relationship, then the business may exercise more control over how it responds to a consumer request, and the control is independent of any action taken by a consumer.

For example, consider a situation in which a consumer ordered a product online from a business and checked out as a “guest” but included an email address to receive the order confirmation, rather than choosing to create an online account with the business when prompted during the checkout process. In this situation, a consumer may have an “account” with a business — an existing relationship and even a digital representation of that relationship in the form of a transaction number — but the consumer does not have a narrow definition of account in the form of a consumer created profile. When the consumer later submits a verifiable consumer request to the business, does the consumer have the choice to receive the response from the business “by mail or electronically,” or can the business leverage the existing broad-definition account — a pre-existing consumer-business relationship — that produced a communication channel from the previous transaction, the email address, and make the choice unilaterally to deliver the response to the email address? The meaning of account determines the answer.

Subsequent uses of the word “account” in the CCPA show similar ambiguity:

“A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information” (§ 1798.135(a)(1), prohibiting a business from requiring that a consumer create an account to exercise the consumer’s right to opt out of the sale of personal information to third parties). “Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider” (§ 1798.140(d)(5), offering examples of a “business purpose”). “Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers” (§ 1798.140(o)(1)(A), offering examples of identifiers under the definition of “personal information”).

Subsection 1798.185(a)(7), directing the attorney general to conduct rulemaking, appears to offer some clarification for “account,” but a question about the application of the subsection to other sections of the CCPA leaves open ambiguity:

“Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account [(used as a verb here and irrelevant to this discussion)] available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.”

Here, the CCPA references a specific type of account, a “password-protected account maintained by the consumer,” which implies a narrow definition of the term. This level of specificity, however, does not appear anywhere else in the statute, so it indicates that less-specific references are intended as a broader concept, including online and offline communication channels. The distinct uses of the term within the statute suggest that its definition is different in different contexts (see the presumption of consistent usage canon of statutory construction, which presumes that a word or phrase has a consistent meaning throughout the text, unless a material variation in usage suggests a variation in meaning), and most frequently the context dictates a broad definition for account. The subsection explicitly references Sections 1798.110, .115, and .130 — a consumer’s right to request the disclosure of personal information collected, a consumer’s right to request the disclosure of personal information sold to a third party or disclosed for a business purpose, and general compliance requirements placed on a business, respectively — and by reference via Section 1798.130, Sections 1798.100, .105, and .125 — the right to request access to personal information collected, the right to request deletion of personal information collected, and a prohibition on discrimination, respectively. Consequently, the rulemaking subsection references every consumer right found in the CCPA except for a consumer’s right to opt out of the sale of personal information to a third party, Section 1798.120.

Moreover, the provisions of the CCPA should be interpreted in a way that renders them compatible, not contradictory, to each other (see the harmonious-reading canon). The CCPA does not only apply to companies that operate websites, mobile sites or other online offerings. “Business” is defined to include brick-and-mortar companies. Therefore, in the legislative context, account cannot be interpreted to mean only “account segment of a web or mobile site” because it would practically exempt offline operators from CCPA requirements contrary to the statutory scope (see the whole-text canon).

Additionally, Section 1798.130(a)(1) states that a business is required to make available “two or more designated methods for submitting requests, including at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.” Subsection 1798.130(a)(1) clarifies that requests pursuant to Sections 1798.110 and 1798.115 can be made through “designated methods for submitting requests,” which includes “a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.” If consumers can submit requests via mail or phone within their account arrangement, businesses should be able to respond within the same catalogue of options.

Moreover, the largely parallel wording in Subsections 1798.100(d) and 1798.130(a) supports a broader and common-language understanding of account. The legislative context shows a focus on “without hindrance,” which appears in both subsections, as opposed to “through the consumer’s account,” which only appears in Subsection 1798.130(a). Subsection 1798.130(a) is more comprehensive and supports an understanding of both subsections to mean that “through the consumer’s account” is intended to clarify the meaning of “without hindrance.” This, in turn, means that the function of the requirement “through the consumer’s account” clarifies that where an account arrangement exists, the business shall respond via the existing account in order to avoid creating additional hindrances for the consumer who wants to access their personal information. Where a business regularly communicates via multiple, alternative channels with a consumer, including snail mail, email, phone, website and mobile site, the business would not create a “hindrance” in which it selects any of these channels. Where a business only communicates via phone or snail mail with a consumer who does not have internet access, delivering responses via snail mail could be viewed as an undue hindrance, and the term account could not be interpreted as meaning “online account” in such a scenario.

A wider reading of the California code supports a broad definition

Reading the CCPA as one component of the broader framework of California statutes — specifically, the California Civil Code and the California Business & Professions Code — also supports a broad definition of account.

Other California statutes use account in different contexts with different meanings, especially when it comes to financial protection laws (e.g., deposit accounts, security accounts, escrow accounts). For instance, “consumer’s account” is used in California Civil Code Section 1799.202 in the context of accounts with financial institutions, and in California Business & Professions Code Section 17538 in the context of accounts with prepaid calling card companies.

Likewise, “online account” is used by lawmakers in laws dealing with privacy and data security. For example, California Civil Code Section 1798.81.5(a) of the California Customers Records Act states: “It is the intent of the Legislature to ensure that personal information about California residents is protected and to encourage businesses that own, license, or maintain personal information about Californians to provide reasonable security for that information.” Section 1798.81.5(a)(2) defines the terms “own” and “license” to include “personal information that a business retains as part of the business’ internal customer account or for the purpose of using that information in transactions with the person to whom the information relates.” In that same section, “personal information” is defined to include: “account number … password that would permit access to an individual’s financial account” and “a username or email address in combination with a password or security question and answer that would permit access to an online account.” Section 1798.82 also uses “online account” when describing business obligations in the case of a data breach of an online account.


During the Assembly Committee on Judiciary hearing on the CCPA, lawmakers stated that the bill sought to modernize and strengthen consumers’ rights under the CCRA and cited several definitions of the CCRA, including those mentioned above. Like the CCPA, the CCRA does not define the term “account.” Instead, the CCRA expressly calls out the type of account, whether it is financial or online. The fact that “online” or “password-protected” was not used adjunct to “account” in Section 1798.130 of the CCPA, as lawmakers have done in the past, reinforces the position that “account” does not only entail online accounts and should be interpreted to have a broad definition that refers to an existing consumer-business relationship.

The legislature intended access “without hindrance,” which requires a broad definition

One theme echoed throughout the CCPA is that delivery must be made “without hindrance” to the consumer. In that respect, businesses must deliver data to a consumer who has established a formal account with the business (e.g., as an airline passenger, banking customer, phone subscriber or service provider) within the course of dealing and terms established for such accounts. Businesses should respond to an account holder’s inquiry without demanding additional, burdensome authentication, at least to the extent the account holder requests data that businesses previously collected and made available within the framework of an account arrangement. In other words, businesses cannot treat the account holder as a complete stranger when it comes to data access requests. This does not mean, however, that businesses must present the data on a particular app or webpage associated with the account (even though that may often be a mutually convenient method). Businesses are free to deliver data in response to data access requests via email, regular mail or a website or mobile app, depending on how they usually communicate with their customers and other business partners.

Conclusion

Based on everyday language, as well as contextual and purpose considerations, businesses should deliver information in response to data access requests within the established communication channels of accounts with consumers. This can mean the narrowly defined account segment of a web or mobile site, or also phone, fax, SMS, postal mail, ATMs and other communication channels, depending on the business’s practices and an existing broadly defined consumer-business relationship account.

Author

Lothar has been helping companies in Silicon Valley and around the world take products, business models, intellectual property and contracts global for nearly 20 years. He advises on data privacy law compliance, information technology commercialization, interactive entertainment, media, copyrights, open source licensing, electronic commerce, technology transactions, sourcing and international distribution at Baker McKenzie in San Francisco & Palo Alto.