California: Proportionality under the CCPA – a new or well-established principle?
Two years into compliance with the California Consumer Privacy Act of 2018 ('CCPA'), the expiration of Assembly Bill 25 An act to amend Sections 1798.130 and 1798.145 of the Civil Code, relating to consumer privacy ('AB 25') ushers in new challenges. As businesses grapple with their new compliance obligations under the California Privacy Rights Act of 2020 ('CPRA') and the expiration of AB 25, proportionality is becoming an important consideration. However, what is the test for proportionality? One possible framework comes from the 2015 amendments to the Federal Rules of Civil Procedure ('FRCP'). Scott J. Hyman and Genevieve Walser-Jolly, from Severson & Werson, compare the CCPA to the FRCP and examine the utility of that existing test.
What has changed?
AB 25 reduced the compliance obligations for businesses related to commercial (B2B) and employee data. Those limitations expired on 31 December 2022. In turn, the CPRA amended the CCPA and provided additional consumer rights such as the right to correct inaccurate personal information and the right to limit the use of sensitive personal information. The majority of CPRA obligations came into effect from 1 January 2023, therefore, as of 1 January 2023, new pools of data subjects are now entitled to the full set of consumer rights under the CCPA. In preparation, businesses are considering the outside limits of compliance for covered data. For example, a B2B contact makes a request to know specific pieces of personal information. To conduct an adequate search for responsive information, is the business obligated to review every vendor agreement stored in non-searchable PDFs? What about emails across the business? Similarly, if an employee makes a request to know, is the business obligated to search for, review, and produce all emails the employee sent or received during their employment? These examples equate to, and in some instances exceed, an e-discovery search, which is not only costly but time intensive, often requiring the retention of an outside vendor.
Defining 'disproportionate effort'
'Disproportionate effort' within the context of a business responding to a consumer request means the time and/or resources expended by the business to respond to the individualised request significantly outweighs the benefit provided to the consumer by responding to the request1.
For example: "responding to a consumer request to know may require disproportionate effort when the personal information which is the subject of the request is not in a searchable or readily-accessible format, is maintained only for legal or compliance purposes, is not sold or used for any commercial purpose, and would not impact the consumer in any material manner. In contrast, the benefit to the consumer of responding to a request to correct inaccurate information that the business uses and/or sells may be high because it could have a material impact on the consumer, such as the denial of services or opportunities. Accordingly, in order for the business to claim 'disproportionate effort,' the business would have to demonstrate that the time and/or resources needed to correct the information would be significantly higher than that material impact on the consumer. A business that has failed to put in place adequate processes and procedures to comply with consumer requests in accordance with the CCPA and these regulations cannot claim that responding to a consumer's request requires disproportionate effort."2
'Disproportionate effort' under the CCPA and the FRCP
The CCPA thus defines the term 'disproportionate effort' not by an established legal doctrine3 but by example. Nevertheless, the so-called proportionality rule is firmly established in the FRCP, namely, that the non-privileged information sought (in litigation discovery) must be relevant to any party's claim or defense and proportional to the needs of the case considering the importance of the issues at stake in the action, the amount in controversy, the parties' relative access to relevant information, the parties' resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit4. When viewed through that prism, a few potentially assistive guidelines emerge.
First, although the CCPA requires a party to have policies and procedures in place, a case-by-case analysis is required – and a company's policies and procedures should state as such. Second, the importance or weight attributed to each disproportionality factor should also depend on the facts and circumstances of each case. Third, both the CCPA and FRCP Rule 26 focus on the burden/benefit analysis as the primary inquiry. However, a company should not ignore the other factors, as their importance relative to the burden/benefit analysis can change depending on the request. Lastly, a company's procedures and application to a particular request must be updated and evaluated over time. Company growth or contraction, either organically or by acquisition, can affect the scope of a company's obligations.
Conducting a thorough analysis serves both internal documentation needs and aids external compliance obligations. A business that limits its consumer response based on proportionality must provide the consumer with a detailed explanation that includes enough facts to give a consumer a meaningful understanding as to why the business cannot comply with the request. The business shall not simply state that it is impossible or would require disproportionate effort5.
At a minimum, businesses should use their annual CCPA check-ups as an opportunity to assess the utility and application of policies and procedures regarding proportionality. Based on that review and business changes – including size, resources, data collection, and retention practices - the business can implement appropriate revisions.
1. 11 Cal Code Regs §7001(i), see: https://cppa.ca.gov/meetings/materials/20220608_item3.pdf
3. 'Disproportionate effort', as such, is a legal principle found only in the doctrine of easements. E.g. Wheeldon v. Elk Feed Grounds House, Ltd. Liab. Co., 2021 WY 71, ¶ 14, 488 P.3d 916, 920 (Wy. S.Ct. 2021) ("If land can be used without an easement, but cannot be used without disproportionate effort and expense, an easement may still be implied in favor of either the conveyor or the conveyee on the basis of necessity").
4. Fed. R. Civ. P. 26(b)(1).
5. 11 Cal Code Regs §7023(f)(2); see also 11 Cal Code Regs §§7022(b)(3), 7024(h).