California Privacy Act – What Retailers Should Know

Is your brand ready for one of the toughest privacy laws in the US – the California Privacy Act? If not, you’re not alone. Nearly 86 percent of respondents being surveyed stated they aren’t prepared.
In this post, we’re going to cover what the CCPA is and how retailers, in particular, are going to be affected.

What is the California Consumer Privacy Act?

The California Consumer Privacy Act (CCPA) is a bill that enhances privacy rights and consumer protection for residents of California, US.
It was passed on June 28th, 2018 but it will not go into effect until January 2020. Its privacy provisions will take effect six months after the AG rules are issued, but no later than July 2020.
The Act intends to provide the residents of California the right to:

• Know what data is being collected about them
• Knowing whether that data was sold or disclosed to third-party
• Reject the sale of personal data
• Access their data
• Equal service and price

The Act applies to any business, including any for-profit entity that collects personal data of consumers, which does business in California, and that satisfies at least one of the following thresholds:

• If the business reached more than $25 million in annual gross revenue
• If the business holds the personal information of more than 50,000 consumers, devices, or households
• Half of its revenue comes from selling consumers’ personal information

The sanctions that can be imposed include:

• Companies, associations and other entities can be authorized to exercise opt-out rights on behalf of California residents
• If a company becomes a victim of data theft, it might have to pay statutory damages between $100 to $750 per California resident and incident, or actual damages, whichever is greater.
• A fine up to $7,500 for each intentional violation and $2,500 for each unintentional violation

This privacy act brings California residents GDPR-like privacy rights which is a data protection regulation of the EU (European Union) and EEA (European Economic Area).
The US is heading in this direction, so retailers can benefit greatly by making their business more GDPR friendly.

Why It Matters and How It Affects the Retail Industry

The retail industry is not alone in facing significant challenges that come with the adoption of the California Privacy Act. However, certain features of the CCPA affect the retail industry in unique ways.
CCPA has implications for the way retailers obtain data across multiple channels, how they share their data across brands, conduct loyalty programs, invest in security, etc. Considering the span of all the new CCPA requirements, retailers need to prepare and invest in compliance efforts now.

Expansive Definition of Personal Information

What retailers need to carefully consider is whether they need to modify their information collection practices, knowing that almost all the information they collect from consumers in physical and online stores will be subject to CCPA.
CCPA defines personal information as information that identifies, relates to, describes, and is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Such as a:

• real name,
• alias,
• postal address,
• unique personal identifier,
• online identifier Internet Protocol address,
• email address,
• account name,
• social security number,
• driver’s license number,
• passport number, or other similar identifiers.

The whole Assembly Bill can be found here.
The CCPA goes even farther than GDPR’s data definition since it also covers information that “relates to, describes, [or] is capable of being associated with, or could reasonably be linked… with a particular household.”
This would typically occur if there is a case of the same IP address or delivery address being linked to multiple online accounts. That would lead to a lot of troubles responding to individual rights requests from one member of a household but not others.
For all these reasons, retailers will need a more sophisticated understanding of data along with stronger partnerships with suppliers, vendors, and third-parties.

Information Sharing With Affiliates

When it comes to affiliate programs, retailers that own multiple brands will be required to treat personal information collected by one brand affiliate and shared with a differently branded affiliate in exchange for anything of value, in the same manner, they would treat information that was collected and sold to a third-party business.
This also applies for franchise contracts.
That is because two of the CCPA definitions are quite unique.
The first one is – CCPA applies to any entity that meets threshold requirements and the definition of a business that includes parent companies and direct subsidiaries, but only to the extent that they share common branding.
And second – the bill considers a sale to include ‘releasing, disclosing, making available, transferring a consumer’s personal information from business to business for monetary or other consideration of value.’
In short – brands that collect data and transfer it to an affiliate in exchange for anything of value are considered to have sold that information.
Retailers will need to make distinctive “Do Not Sell My Personal Information” links to allow California residents to opt-out of the sale of their data at any moment, for a period of at least 12 months.

Issues With Loyalty Program

The Privacy Act also prohibits denying and offering a different level of quality or suggesting that a consumer would receive a different level of quality of goods when a consumer exercises any type of right under the CCPA.
Also, specific terminology around loyalty programs is confusing and open to different interpretations. That raises a lot of concerns whether loyalty programs will be restricted when the CCPA comes into force.

The Requirement to Implement Appropriate Security Practices

The CCPA doesn’t have a complete fraud exemption. What this means is that a potential thief could opt-out of the sale of his/her information that a retailer possesses, including the information that retailer has for anti-fraud purposes.
Retailers could mitigate the risk by encrypting personal data according to an accepted industry standard. Safeguarding the encryption keys are another extremely important step.
In case of any wrongdoing, businesses will have 30 days to fix the issue before a consumer can take legal action.

Conclusion

Since full implementation will take place in 2020, there will likely be several amendments that change current provisions and requirements. It’s quite important for all retailers to stay up-to-date regarding all new data regulations.
Contact us and let our team of experts help you prepare for all the changes that the CCPA will bring in the near future.