California isn’t necessarily known for being a business-friendly state, in large part because it has often been at the forefront of regulation for consumer protection. And it once again finds itself in that position with the California Consumer Privacy Act (CCPA), a bill passed in 2018 and set to be implemented beginning January 1, 2020. While certain regulations may serve as bothersome hurdles for small businesses to clear, consumer protection laws are hard to criticize. As business owners, we all should put our customers’ security and privacy above profit, which is exactly what the CCPA aims to do.

In this instance, California seeks to protect consumers from the widespread data harvesting that has become increasingly pervasive each year. The world’s largest companies have ramped up efforts to collect as much personal data as possible to better understand consumer behavior and capitalize on it with more targeted advertising and marketing. But it’s only recently that we’ve begun to understand the incredible value of our own data.

Of course, it took years for consumer advocates to be heard. We’re now getting a fuller picture of the extent of personal information that corporations have at their fingertips. And, to many, it’s disconcerting at best. New technology allows companies to exploit our personal data in dangerous new ways. And, as we’ve seen, it’s no longer simply a moral question surrounding our right to privacy and what that entails, but has instead become a larger ethical issue that brings into question the nature of our democracy.

Though the CCPA is in the best interest of consumers, it is a new regulation for retailers to adhere to. We’ve put together this guide to help business owners understand why the law was enacted, what it entails, and how it will affect your company.


What Is the California Consumer Privacy Act?

We covered this a bit in the introduction, but let’s get into a few more details.

The founder and chair of Californians for Consumer Privacy, Alastair Mactaggart, said he was first struck with the idea to fight for data protection during a conversation with a Google engineer. According to Mactaggart, a real estate developer by trade, the engineer outlined the extent of access that the tech giant has to user information. A political novice, Mactaggart was suddenly compelled to do something about it and started an initiative to get new legislation on the 2018 ballot.

Why Was the CCPA Enacted?


Mactaggart lays out the basic principles and goals behind the bill on the CCPA’s homepage:

  • Protect consumer rights surrounding the use and sale of consumers’ personal information
  • Limit how precisely companies can track our physical location through GPS
  • Take extra measures to protect children’s privacy
  • Require more transparency into how data is collected, the algorithms that drive it, and other automated features
  • Create an oversight body to enforce the new regulations
  • Bring about legal consequences for businesses that suffer a breach of their consumer databases

At the heart of these new laws is an attempt to return to consumers what is rightfully theirs: personal data. But it’s also about preventing problems of power. This regulation isn’t targeting small businesses that might use personal data to target the right shopper with an ad for a restaurant or new cookware. Rather, it’s meant to prevent the more consequential aspects of data harvesting, including information that can affect our health insurance, ability to receive loans, job search, home choice, or even which political candidates we support.

The CCPA is intended to give choice back to the consumers.

What Exactly Does the CCPA Do?


It’s hard to lay out the information contained in the law without getting into the details, so we’re gonna get into the details:

  • A consumer has the right to know the categories of personal information that any company has collected about said consumer.
  • Consumers can request a disclosure of personal information or data that a company has sold. This disclosure includes the category of personal information and the identity of the buyer of the data.
  • Consumers have the right to deny any business the right to sell their data. This is referred to as the “right to opt out.”
  • Businesses that sell consumer data must provide notice to the individual anytime data is sold.
  • Any business that is prohibited by a consumer from selling personal information must refrain from ever again doing so unless given express consent by the consumer.
  • Businesses are prevented from discriminating against a consumer based on a consumer’s decision to not allow the sale of personal data. Discrimination includes denying products or services, raising prices or rates, or changing the quality of products.
  • If a business suffers a security breach that includes consumer data, the business is held entirely liable.
  • If it’s determined that the business failed to maintain acceptable security standards that led to data theft, they are subject to legal prosecution.

Have Similar Initiatives Been Tried Elsewhere?

Many business owners are already familiar with the EU’s General Data Protection Regulation (GDPR). The CCPA is similar in that it provides greater transparency to the entire process, but there are some important distinctions:


  • The CCPA covers all personal information, including browser history, purchase history, and other behavioral information, while the GDPR only protects consumers’ direct identification information (address, phone number, email, etc.).
  • The GDPR requires compliance from all data controllers or processors, while the CCPA only requires it from businesses with $50 million+ in revenue or 100,000+ customers.
  • The CCPA allows companies to collect consumer data if the shopper signs up or makes a purchase, though it gives the consumer a chance to opt out. The GDPR requires consumers to actively opt in to data collection, better protecting consumers against unknowing collection.
  • Finally, potential fines for non-compliance differ: the CCPA fines businesses per violation at a rate of $2,500 for unintentional instances and $7,500 for intentional instances. Meanwhile, the GDPR fines businesses at a flat rate of 4% of annual revenue or 20 million euros.

The two laws are quite similar in intent and scope, but have these important distinctions to consider when comparing them. The biggest difference lies in the default consent. California still defaults to allow data collection, while the GDPR defaults to protecting the consumer.

How Will the California Consumer Privacy Act Affect My Business?

The short answer is, for most of you, not at all! For the time being, this only applies to businesses that physically operate in the state of California. Additionally, businesses must meet one or several of the standards mentioned below:

  • Operates in California.
  • Earns at least $50 million per year in revenue.
  • Sells data of at least 100,000 people.
  • Receives at least half its revenue from the sale of personal data.

These rules don’t apply to most businesses. But if they apply to yours, it’s time to start preparing. Enforcement begins July 1, 2020.

It’s likely, however, that similar legislation will be passed in other states, or even federally, in the next few years. So with that in mind, it’s important to have a head start so you’re ready to adjust when it becomes necessary:

  • Retailers should know exactly what type of data is covered by the law and know exactly what personal information means.
  • Rewrite your privacy policies to reflect the new law.
  • Respond to shoppers who ask to have their personal data deleted.
  • Add an opt-out section if your business sells consumer data.

Are There Any Downsides to the Law?

Well, we have yet to determine this. With the law taking effect January 1, 2020 and enforcement beginning July 1, 2020, no one knows exactly what impact it will have on the retail industry.

  • Critics of the law suggest that shopper data forms the backbone of modern retail. This law might interrupt existing operations that are currently agreeable to both consumers and retailers. Additionally, the law may stymie further innovation on the technological side of retail operations.
  • Additionally, its critics claim the provision that prevents pricing discrimination will hinder loyalty programs and discounts for shoppers who decide to opt in to data collection.
  • Lastly, its opponents argue that the law was pushed through too aggressively, leaving little room for discussion.

But again, none of these will apply to smaller retailers. While the law may indeed prevent the rapid evolution of technology-driven retailing, it evens the playing field for small businesses by making data marketing much more difficult for big box retailers.


What does the California Consumer Privacy Act do?

The CCPA institutes some big changes for large retail operations. Consumers now have the right to know if a company is selling their data. Consumers can now request disclosure of what category of data was sold and who it was sold to. They also may opt out of the process if they please. In turn, businesses are banned from discriminating against shoppers who decide to opt out.

When does the new CCPA go into effect?

The CCPA was passed in 2018 and signed into law in January 2020. It goes into effect in July 2020 and businesses must be prepared to adhere to its regulations by that point.

What businesses are subject to CCPA regulation?

This only affects businesses based in California. Additionally, a business must meet one of the following criteria: it must earn at least $50 million per year in revenue, sell data of at least 100,000 people, or earn at least half its revenue from the sale of personal data.

How must businesses comply with the CCPA?

If your business meets the criteria to be regulated by the CCPA, it's important to be sure that you follow all legal requirements. Start by understanding what type of data is covered by the law. Rewrite all privacy policies to reflect the changes made in the new law. Add an opt-out section to your website and app. And finally, respond to any consumers who have asked that their data be deleted.

Will the California Consumer Privacy Act affect my business?

Likely, no. Only businesses in California that have over $50 million in revenue, sell data of at least 100,000 people, OR receive at least half their revenue from data sales will be subject to the new law. Businesses that don't meet any of these items will face no changes to their business. In fact, it's more likely to be an advantage because the law makes it harder for big box retail to collect and sell data to increase their revenue.

Are other states or countries making data protection laws?

California is the first American state to sign a vast data protection law, though it's likely that others will follow suit in the next few years. Internationally, the EU signed the General Data Protection Regulation (GDPR), which is stricter and more far-reaching than the CCPA.