California isn’t necessarily known for being a business-friendly state, in large part because it has often been at the forefront of regulation for consumer protection. And it once again finds itself in that position with the California Consumer Privacy Act (CCPA), a bill passed in 2018 and set to be implemented beginning January 1, 2020. While certain regulations may serve as bothersome hurdles for small businesses to clear, consumer protection laws are hard to criticize. As business owners, we all should put our customers’ security and privacy above profit, which is exactly what CCPA aims to do.
In this instance, California seeks to protect consumers from the widespread data harvesting that has become increasingly pervasive each year. The world’s largest companies have ramped up efforts to collect as much personal data as possible to better understand consumer behavior and capitalize on it with more targeted advertising and marketing. But it’s only recently that we’ve begun to understand the incredible value of our own data.
Of course, it took years for consumer advocates to be heard. We’re now getting a fuller picture of the extent of personal information that corporations have at their fingertips. And, to many, it’s disconcerting at best. New technology allows companies to exploit our personal data in dangerous new ways. And, as we’ve seen, it’s no longer simply a moral question surrounding our right to privacy and what that entails, but has instead become a larger ethical issue that brings into question the nature of our democracy.
Though the CCPA is in the best interest of consumers, it is a new regulation for retailers to adhere to. We’ve put together this guide to help business owners understand why the law was enacted, what it entails, and how it will affect your company.
We covered this a bit in the introduction, but let’s get into a few more details.
The founder and chair of Californians for Consumer Privacy, Alastair Mactaggart, said he was first struck with the idea to fight for data protection during a conversation with a Google engineer. According to Mactaggart, a real estate developer by trade, the engineer outlined the extent of access that the tech giant has to user information. A political novice, Mactaggart was suddenly compelled to do something about it and started an initiative to get new legislation on the 2018 ballot.
Mactaggart lays out the basic principles and goals behind the bill on the CCPA’s homepage:
- Protect consumer rights surrounding the use and sale of consumers’ personal information
- Limit the range of accuracy that companies have of our physical location through GPS tracking
- Take extra measures to protect children’s privacy
- Require more transparency into how data is collected, the algorithms that drive it, and other automated features
- Create an oversight body to enforce the new regulations
- Bring about legal consequences for businesses that suffer a breach of their consumer databases
At the heart of these new laws is an attempt to return to consumers what is rightfully theirs: personal data. But it’s also about preventing problems of power. This regulation isn’t targeting small businesses that might use personal data to target the right shopper with an ad for a restaurant or new cookware. Rather, it’s meant to prevent the more consequential aspects of data harvesting, including information that can affect our health insurance, ability to receive loans, job search, home choice, or even what political candidates we support.
The CCPA is intended to give choice back to the consumers.
It’s hard to lay out the information contained in the law without getting into the details, so we’re gonna get into the details:
- A consumer has the right to know the categories of personal information that any company has collected about said consumer.
- Consumers can request a disclosure of any sale a company made of personal information. This includes the category of personal information and the identity of the buyer of the data.
- Consumers have the right to deny any business the right to sell their data. This is referred to as the “right to opt out.”
- Businesses that sell consumer data must provide notice to the individual anytime data is sold.
- Any business that is prohibited by a consumer from selling personal information must refrain from ever again doing so unless given express consent by the consumer.
- Businesses are prevented from discriminating against a consumer based on a consumer’s decision to not allow the sale of personal data. Discrimination includes denying products or services, raising prices or rates, or changing the quality of products.
- If a business suffers a security breach that includes consumer data, the business is held entirely liable.
- If it’s determined that the business failed to maintain acceptable security standards that led to data theft, they are subject to legal prosecution.
Many business owners are already familiar with the EU’s General Data Protection Regulation (GDPR). The CCPA is similar in that it provides greater transparency to the entire process, but there are some important distinctions.
- The CCPA covers all personal information, including browser history, purchase history, and other behavioral information, while GDPR only protects consumers’ direct identification information (such as address, phone number, email, etc.).
- GDPR requires compliance from all data controllers or processors, while CCPA only requires it from businesses with $50 M in revenue or 100,000+ customers.
- CCPA allows companies to collect consumer data if the shopper signs up or makes a purchase, though it gives the consumer a chance to opt in. The GDPR requires consumers to actively opt in to data collection, better protecting against unknowing collection.
- Finally, potential fines for non-compliance differ: the CCPA fines businesses per violation at a rate of $2,500 for unintentional instances and $7,500 for intentional instances. Meanwhile, the GDPR fines businesses a flat rate of 4% of annual revenue or 20 million euros.
The two laws are quite similar in intent and scope, but have these important distinctions to consider when comparing them. The biggest difference lies in the default consent. California still defaults to allow data collection, while the EU defaults to consumer protection.
The short answer is, for most of you, not at all! For the time being, this only applies to businesses that physically operate in the state of California. Additionally, businesses must meet one or several of the standards mentioned above:
- Your business operates in California
- Your business earns at least $50 million per year in revenue
- Your business sells data of at least 100,000 people
- Your business earns at least half its revenue from the sale of personal data
These rules don’t apply to most businesses. But if they apply to yours, it’s time to start preparing. Enforcement begins July 1, 2020.
It’s likely, however, that similar legislation will be passed in other states, or even federally, in the next few years. So with that in mind, it’s important to have a head start so you’re ready to adjust when the time’s right:
- Retailers should know exactly what type of data is covered by the law. Know exactly what personal information means.
- Rewrite your privacy policies to reflect the new law.
- Respond to shoppers who ask to have their personal data deleted.
- Add an opt-out section if your business sells consumer data.
Well, we have yet to determine this. With the law taking effect January 1, 2020 and enforcement beginning July 1, 2020, no one knows exactly what impact it will have on the retail industry.
- Critics of the law suggest that shopper data forms the backbone of modern retail. This law might interrupt existing operations that are currently agreeable to both consumers and retailers. Additionally, the law may stymie further innovation on the technological side of retail operations.
- Additionally, its critics claim the provision that prevents pricing discrimination will hinder loyalty programs and discounts for shoppers who decide to opt in to data collection.
- Lastly, its opponents argue that the law was pushed through too aggressively, leaving little room for discussion.
But again, none of these will apply to smaller retailers. While the law may indeed prevent the rapid evolution of technology-driven retailing, it evens the playing field for small businesses by making data marketing much more difficult for big box retailers.