On the heels of shifting consumer preferences, global policy changes and a steady flow of cyber-attacks, the state of California has put into motion the most comprehensive consumer data protection to date. The California Consumer Privacy Act (CCPA), which goes into effect January 1, 2020, has wide-ranging impacts stretching far beyond the state’s borders.
From new preventative measures retailers must take to increased safeguards for consumer data, these new policies will fundamentally change the retail sector. But what does this all mean for merchants and consumers alike? And how can they best prepare ahead of the new year?
What is the CCPA?
The California Consumer Privacy Act is a new law designed to protect the rights of consumers within the state of California. Similar to Europe’s recent General Data Protection Regulation (GDPR), the CCPA will modify how organizations approach user data and shift how this information is collected, shared and used. (1)
This bill will require retailers to adopt fresh policies that strengthen security protections and privacy policies and provide more transparency on consumer rights. According to the CCPA, some of these rights include:
- Knowledge of all data that has been collected on consumers and the reason it has been acquired.
- Refusing the sale of their information.
- Requesting the deletion of their data.
- Knowing which third parties have acquired their data.
- Pursuing legal action should a data breach occur.
This opens up many risks to merchants collecting data on their consumers and charts a clear path for those shoppers to receive compensation for any negligent handling of their data. In fact, per the CCPA, businesses are liable for fines of a minimum of $100 per consumer for each breach. (2)
Impacts on the Retail Industry
For retailers, the CCPA could have even broader effects. It could mean the end for many loyalty programs offering incentives and promotions in exchange for data. In addition, the new law could make in-store returns without a receipt a thing of the past, due to the deletion and encryption of shopper information. Furthermore, the impacts of the CCPA reach beyond what many may think.
Apart from California-based retailers, any merchants who conduct business with California consumers in any capacity will need to be CCPA compliant. Already impacting a significant portion of U.S. merchants and retailers, the bill could be the framework for similar policies enacted by other states, and eventually a national law on data protection. Thus, it is best to become aware and compliant now, rather than waiting until it is too late. (3)
What Merchants Need to Know
According to a recent survey by PossibleNOW, only 8% of businesses are prepared for the implications of the CCPA. Many companies are either unaware of the requirements or lack the funds and resources to become compliant. (4) This absence of awareness and education can be an issue for companies across the nation, particularly when they could soon begin receiving fines unknowingly.
In addition, it is crucial that all merchants know exactly where the personally identifiable information (PII) they hold resides and have a roadmap for how to handle any data requests or deletions. PII is any data that can be used to identify a specific individual, which now has a larger impact with the arrival of the CCPA. Moving forward, merchants cannot afford any lack of preparation or awareness when it comes to this type of information.
While all merchants should prepare themselves for the future of data compliance policy, the CCPA only applies to for-profit companies that meet at least one of the following criteria: (5)
- Annual gross revenue is above $25 million;
- Sells more than 50,000 consumer records per year;
- Derives 50% or more of its annual revenues from selling consumer data.
While there is a lot of uncertainty around this new legislation, the ramifications for retailers not in compliance are clear. Whether your company is impacted by the CCPA or not, it is only a matter of time before another piece of legislation is passed that does affect it. Retailers should look to get up to speed now before it is too late. This means taking a deeper look into their IT security infrastructures and consumer data procedures.