CCPA § 1798.125 prohibits penalizing consumers for exercising their privacy rights: denying them goods or services, charging different prices or rates, or providing a different level or quality of service because they opted out of data sharing. Feature flags keyed on a ccpa_opt_out field are the most common code-level violation: they were probably added to "personalize" something, but any degradation in service for opted-out users is discriminatory under the statute unless it is structured as a disclosed, opt-in financial incentive. Financial incentive programs (loyalty points or discounts in exchange for data) are permitted under § 1798.125(b), but they require notice that includes a good-faith estimate of the monetary value of the consumer's data and a separate affirmative opt-in, which virtually no AI-built implementation includes.
Severity is low because proving a discrimination violation requires evidence of differential treatment tied to the exercise of a right, which usually demands a formal investigation; a code-level feature flag keyed on opt-out status, however, is easy to spot and is a per-consumer violation.
Audit every feature flag, pricing condition, and tier check for references to opt-out or privacy preference fields. Remove any coupling between service level and CCPA opt-out status.
// WRONG — gates premium features on data-sharing consent
function canAccessPremiumFeatures(user: User): boolean {
return user.plan === 'premium' && !user.ccpaOptOut // violates § 1798.125
}
// CORRECT — subscription status only
function canAccessPremiumFeatures(user: User): boolean {
return user.plan === 'premium'
}
If you operate a loyalty or referral program that offers benefits in exchange for data sharing, add a Financial Incentive Programs section to your privacy policy disclosing the estimated monetary value of consumer data and implement an explicit opt-in checkbox — not enrollment on signup. See src/app/privacy/page.tsx.
ID: ccpa-readiness.consumer-rights.non-discrimination
Severity: low
What to look for: Inspect the application's business logic for any code that treats consumers differently based on whether they have exercised a CCPA right. Common violations: pricing tiers or feature access gated on "opted in to data sharing," lower-quality service for opted-out users, account restrictions applied after a deletion request is submitted. Also check whether financial incentive programs (loyalty programs, discounts in exchange for data) are disclosed with the value of the consumer's data — these are permitted under CCPA but require specific disclosures and opt-in consent. Check the privacy policy and any terms for language that penalizes consumers for exercising privacy rights. Count all instances found and enumerate each.
Pass criteria: No code or policy penalizes consumers for exercising CCPA rights. If a financial incentive program exists (e.g., discount in exchange for allowing data sharing), it is disclosed with the good-faith estimated monetary value of the consumer's data and requires explicit opt-in consent. At least one concrete feature-access, pricing, or tier decision in the code must be inspected and confirmed compliant before passing.
Fail criteria: Features or pricing change based on opt-out status in ways that discriminate against the consumer for exercising their rights. Financial incentive programs exist without the required disclosure of data value and opt-in.
Skip (N/A) when: Application has no pricing tiers, no financial incentive programs, and no feature gating based on data sharing preferences.
Detail on fail: Example: "Premium features locked behind 'allow data sharing' toggle — this constitutes discriminatory treatment for exercising opt-out rights." or "Loyalty rewards program offers discounts but does not disclose the monetary value of consumer data or require separate opt-in."
Remediation: Review all feature flags, pricing conditions, and reward program disclosures:
// PROBLEMATIC — do not gate features on data sharing opt-out
// function canAccessPremiumFeatures(user: User): boolean {
// return user.plan === 'premium' && !user.ccpaOptOut // WRONG
// }
// CORRECT — CCPA opt-out status must not affect service level
function canAccessPremiumFeatures(user: User): boolean {
return user.plan === 'premium' // Only gate on subscription, not privacy choices
}
// Financial incentive program disclosure (if applicable):
// Privacy policy must include:
// "We offer [discount/reward] to consumers who allow us to use their personal information
// for [purpose]. The estimated value of your personal information to our business is
// approximately $[X] per year, calculated by [methodology]. You may opt into this program
// at [URL]. This program does not affect the quality of service you receive if you choose
// not to participate."
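The "Audit every feature flag, pricing condition, and tier check" step and the "What to look for" instruction above can be partly mechanized. The following is an added example, not code from the original page: a small heuristic lint in TypeScript that flags decision expressions coupling a privacy-preference field to a service-level or pricing field. The field-name lists (ccpaOptOut, doNotSell, plan, price, and so on) and the sample source it scans are assumptions constructed for the demo.

```typescript
// Added example, not code from the original page. A heuristic lint that flags
// lines where a privacy-preference field (opt-out / consent state) appears in
// the same decision expression as a service-level or pricing field. The field
// name lists are assumptions: extend them with your own schema's names.

interface Finding {
  line: number;         // 1-based line number in the scanned source
  text: string;         // the offending line, trimmed
  privacyField: string; // which privacy-preference name matched
  serviceField: string; // which service-level name matched
}

// Assumed names for fields that record a CCPA right being exercised.
const PRIVACY_FIELDS = ['ccpaOptOut', 'doNotSell', 'optOut', 'dataSharingConsent', 'deletionRequested'];

// Assumed names for fields that decide service level, features or price.
const SERVICE_FIELDS = ['plan', 'tier', 'premium', 'price', 'discount', 'feature', 'quota', 'rateLimit'];

// A line is a "decision" when it tests or combines values: if/return/while,
// boolean operators, a ternary, or an equality test. Plain assignments such as
// `user.ccpaOptOut = true` and destructuring contain none of these and are skipped.
function isDecision(code: string): boolean {
  return /\b(if|return|while)\b|&&|\|\||\s\?\s|[!=]==?/.test(code);
}

// Returns the first name from `names` that occurs as a whole word in `code`
// (case-insensitive), so `user.plan` counts for 'plan' but `planet` does not.
function matchField(code: string, names: string[]): string | undefined {
  return names.find((name) => new RegExp(`\\b${name}\\b`, 'i').test(code));
}

// Scan TypeScript/JavaScript source text and report every decision line that
// couples a privacy-preference field with a service-level field. Trailing
// `//` comments are stripped first so explanatory comments do not trigger hits.
function findPrivacyGatedConditions(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split('\n').forEach((raw, index) => {
    const code = raw.replace(/\/\/.*$/, '');
    if (!isDecision(code)) return;
    const privacyField = matchField(code, PRIVACY_FIELDS);
    const serviceField = matchField(code, SERVICE_FIELDS);
    if (privacyField !== undefined && serviceField !== undefined) {
      findings.push({ line: index + 1, text: raw.trim(), privacyField, serviceField });
    }
  });
  return findings;
}

// Constructed sample source for the demo: two discriminatory gates and one
// legitimate opt-out handler that must not be flagged.
const SAMPLE_SOURCE = [
  'function canAccessPremiumFeatures(user: User): boolean {',
  "  return user.plan === 'premium' && !user.ccpaOptOut // violates § 1798.125",
  '}',
  'function quotedPrice(user: User, price: number): number {',
  '  return user.doNotSell ? price : price * 0.9',
  '}',
  'function handleOptOut(user: User): void {',
  '  user.ccpaOptOut = true',
  '  if (user.ccpaOptOut) stopSellingPersonalInfo(user)',
  '}',
].join('\n');

// Runs the lint over the sample and prints one line per hit.
function demo(): Finding[] {
  const findings = findPrivacyGatedConditions(SAMPLE_SOURCE);
  for (const f of findings) {
    console.log(`line ${f.line}: ${f.privacyField} gates ${f.serviceField}: ${f.text}`);
  }
  return findings;
}

demo();
```

On the sample, the lint reports line 2 (ccpaOptOut coupled to plan) and line 5 (doNotSell coupled to price), and stays silent on the opt-out handler, which acts on the preference without touching service level. It is a triage aid, not proof: a line such as `if (user.ccpaOptOut && user.plan === 'premium') notifyOptOut(user)` would be reported and needs a human to confirm that no service difference follows. For a real codebase, apply the same coupling rule to the boolean expression nodes of a parsed AST rather than to raw lines.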