The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns
by guest blogger Lourdes M. Turrecha, Privacy Tech & Law Fellow at Santa Clara Law
[Eric’s Note: I am working on a mondo blog post about the AG’s final CCPA regulations. In the interim, I’m sharing this post from Lourdes Turrecha, our new Privacy Law Fellow, about the regulations’ price discrimination provisions.]
The CA Attorney General recently published the final text of the CCPA proposed regulations (the AG still calls them “Proposed Regs,” though it has completed its work on them). While the CCPA prohibits businesses from discriminating based on a consumer’s exercise of a CCPA right, it does allow businesses to provide a financial incentive or differential pricing that is reasonably related to consumer data value. To offer such a financial incentive or differential pricing, a business must be able to provide a good-faith data valuation calculation. The Proposed Regs provide guidance on how to do these data valuation calculations (DVC).
Summary of DVC Provisions
The Proposed Regulations’ DVC provisions cover seven factors that businesses can take into consideration in calculating the value of data. These are illustrative considerations to help businesses embark in this relatively novel endeavor of valuing data. In addition to the seven factors, the DVC provisions include a catchall provision for other methods not accounted for in the Proposed Regs.
The Proposed Regs’ final text provides the following methods for calculating the value of personal data:
- Marginal value to the business of the data sale, collection, or deletion;
- Average value to the business of the data sale, collection, or deletion;
- The aggregate value to the business of the data sale, collection, or deletion of divided by the total number of consumers;
- Revenue generated by the business from the data sale, collection, or retention;
- Expenses related to the data sale, collection, or retention;
- Expenses related to the offer, provision, or imposition of any financial incentive or price or service difference;
- Profit generated by the business from data sale, collection, or retention; and
- Other practical and reasonably reliable method of calculation used in good faith.
The Good and the Bad
The DVC provisions raise a host of problems and implications. But let’s start with the positives first: the provisions provide businesses built-in flexibility on which factors they can use, and a catchall provision for other practical and reasonably reliable valuation methods not already accounted for. This flexibility is important right now given the field of data valuation is nascent, and we’d want to be able to adjust our methods accordingly as new research and better methods develop and surface.
Now off to the problematic issues. First, the flexibility on which factors to use and the ability to use other factors are double-edged swords that could also lead to inaccurate or prejudicial valuation calculations. Businesses could choose the methods that would provide them the greatest differential pricing or financial incentive amount they could offer.
On the specific methods themselves:
- The marginal and average valuations to the business of the data sale, collection, or deletion pose several challenges. First, it’s not clear whether businesses have been tracking this information to date, or whether they even have the capability to do so. Second, many businesses covered by the CCPA are small and medium businesses that currently do not have the capability to track this. Third, it’s not clear how marginal valuations are derived for data collection and deletion. In the context of a data sale, businesses can derive the marginal value based on the amount that data adds to a transaction. For example, in a sponsorship agreement, if the addition of user data in the transaction increases the sponsorship fee from $5,000 to $10,000, then the marginal value of the data is clearly $5,000. But how do we calculate marginal value for data collection and deletions? For both, it looks like businesses will have to rely on related expenses (discussed below). Granted, marginal and average valuations calculations are not the only factors businesses can consider.
- The aggregate value divided by total number of consumers calculation method ignores that data value is contextual. For example, in the context of buying power, billionaire Mark Zuckerberg’s data would understandably be valued differently from my or your data. If using this method, businesses should recognize that the aggregate average poses a limitation, be clear about the context for which they’re valuing data, and correct or adjust as needed, when the context changes.
- Next, expenses hardly demonstrate the entire valuation equation, so they shouldn’t be used on their own. Again, we recognize that this is not a deal-breaker given there are other factors businesses can consider. Future versions of the Proposed Regs should clarify that these shouldn’t be used on their own, especially where other factors like revenue (discussed next) could be part of the calculation.
- Similarly, revenue only represents one side of the valuation equation. Moreover, revenue-based calculations will require transparency on business’ end and the ability to tie revenue directly to the data sale, collection, and retention. With regards to transparency, the Proposed Regs do not go into what sort of documentation is required. Instead, the standard is a “good-faith estimate” and requires only a simple “description of the methods used to calculate the value of the consumer’s data.” The ability to tie revenue to a transaction is easier done in a data sale, and more challenging in the data collection and retention scenarios. Future versions of the Proposed Regs should clarify that revenue shouldn’t be used on its own, where other factors like expenses (discussed above) could be taken into account.
- Profit provides a better calculation (accounting for both revenue and expenses). But like revenue-based calculations, profit-based calculations will require businesses to be transparent, or at least provide a good-faith estimate coupled by a description of the method they used in deriving their profit-based calculation. Although not explicitly required, businesses should prepare back-end accounting to support their calculation and demonstrate their “good-faith” estimate.
It remains to be seen whether the DVC provisions in the Proposed Regs would serve the purpose of enabling businesses to provide differential pricing or financial incentives based on data value. If they fail to do so, they would call into question the argument that many online services have made for years regarding the amount they would charge for their “free” services if they weren’t able to monetize their users’ data. But if the Proposed Regs’ DVC provisions succeed in providing a viable model for data valuation calculations, they could fuel individual data monetization platforms.
This Proposed Regs (and the CCPA text, for that matter) also ignore the argument that personal data has negligible value at the individual vs. the aggregate levels. Although they ignore the argument, they indirectly address it by providing for calculations based on average value, and another one based on aggregate value divided by total number of consumers.
The DVC provisions do not provide any additional clarification to Goldman’s earlier concern relating to geography-based differential pricing. Differential pricing based solely on geography or location data is not automatically pricing based on personal data because location data only becomes personal data when it relates to a person (or in the CCPA’s case, a consumer). Moreover, under the CCPA itself, differential pricing based on location is not prohibited unless it’s in response to a consumer’s exercise of their CCPA rights. That said, the CCPA and Proposed Regs imply that there could certainly be contexts where a business can justify differential pricing based on consumers’ location data where such location matters, such as where the data fetches the business a certain amount of revenue or profit. For example, if Facebook were to start charging their users for use of their platform, they might be able to justify differential pricing based on geography or location using revenue–or, better yet, profit-based calculations. Facebook previously reported annual revenue per US user is about $130, but the global average goes down to $25.
The DVC’s catchall provision bears repeating, because its flexibility allows businesses to take into account developments in data valuation calculations, such as Berkeley’s proposal based on game theory, which is still nascent but deserves attention. (The proposal includes many essential considerations for data valuation, but currently requires exponential time to compute.)
All things considered, the DVC provisions provide an incomplete account of factors to consider in calculating data value, but provides enough flexibility not to be restrictive for when important developments arise. Businesses should keep apprised of developments in data valuation calculations.
Prior CCPA Posts
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)