Privacy has become a top concern among consumers, lawmakers, businesses and regulators, but the road to protecting consumer rights can be tricky to navigate. The driving force behind much of the discussion is California’s Consumer Privacy Act (CCPA), which took effect January 1, 2020.
“There’s really been a lot of activity lately at the state level on privacy about what and how information should be protected,” said Paige Anderson, NACS director of government relations. “California has the most comprehensive legislative law that we’ve seen. For better or worse, what happens in California spreads to other states.”
Alan Thiemann, general counsel for the nonprofit technology organization Conexxus, agreed. “California is the default state law,” he said. “While there are some similarities to the European Union’s General Data Protection Regulation (GDPR), one major difference is that CCPA is primarily an ‘opt-out’ law while the GDPR is an ‘opt-in’ law.”
What is CCPA?
CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other existing state or federal privacy law. “It’s intended to provide a transparent way for consumers to know what’s being collected and how it’s being used,” Thiemann said. “Those businesses already complying with GDPR will probably find complying with CCPA less of an adjustment than companies that are not GDPR compliant.”
CCPA obligates businesses to secure consumers’ personal information, notify them of data breaches and develop compliance programs to manage consumer rights. The law only applies to for-profit businesses, regardless of their location. For businesses collecting personal information from California residents, the threshold for coverage includes having annual revenue of more than $25 million; selling (sharing) the personal information of 50,000 or more consumers, households or devices; or deriving more than 50% of annual revenue from selling consumers’ personal information.
“There’s a debate going on as to what the $25 million in revenue refers to, whether it is just in California or anywhere,” Thiemann said. “Companies should keep in mind that arriving at the number of customers includes affiliates, subsidiaries or parent companies if you’re under one brand.”
He also pointed out that whether a business is covered is determined by how many records it collects. “A single transaction could be a credit-card payment, social media interaction, etc., so retailers could end up with way more than 50,000 individual records of personal information. If you collect and use a large number of California records of any kind, you should attempt to comply with this law to be on the safe side,” he said.
How the Law Protects Consumers
The CCPA aims to protect consumers by keeping their personal information private. Public domain information is partly exempt, but anything that’s identifiable to a person, such as name, address, social security number, email address, postal address and financial or health information, must be kept private. “There’s a little bit of flexibility, such as sharing anonymous information, for example,” Thiemann said.
Under CCPA, consumers have three basic rights:
- The right to know how their information is being used or collected.
- The right to request that the company or business delete that information.
- The right to opt out of having their data sold, so that it stays private; the “do not sell my data” requirement.
“This is the hallmark of CCPA—the right to opt-out,” said Thiemann. Businesses must have an easy way for consumers to register, such as through an app or website, that they do not want their personal information sold or shared with another entity. He pointed out that while toll-free numbers allow consumers to make a request or verify themselves, they are not a good way for brick-and-mortar retailers to handle these rights because of data entry errors. He urged retailers to use a request form wherever possible.
“Merchants should double check that the ‘do not sell’ button works on their website and app,” Thiemann said. “They should also make sure the sales and marketing team—and anyone else who has access to consumer data—knows how to check those opt-out requests are being followed.”
The California law also requires businesses to ensure any third-party vendors collecting information on their behalf comply with the opt-out and consumer protections. “You really need to go through all of your third-party contracts to make sure everyone’s aware of the requirements and is prepared to follow those mandates,” Thiemann said. To protect your company, he recommended requiring vendors to be in compliance or to indemnify the covered business for violations.
“Retailers should also remember that sell doesn’t mean sell,” Thiemann said. “Sell means share or disclose. If you’re controlling how you collect and use consumer data, you’re on the hook for making sure it’s being used, stored and serviced properly.”
Merchant Steps to Compliance
Retailers must comply with a host of new requirements related to collection, use and sharing of customer personal data. These are the five things a merchant needs to do to comply with CCPA:
- Conduct a data flow analysis to identify where all personal information resides.
- Update disclosures in privacy notices and policies.
- Establish procedures for receiving and responding to customer rights requests and train staff who will handle customer requests.
- Observe restrictions on data monetization practices.
- Review and revise contracts with vendors who handle the personal information of customers for the retailer.
“Retailers need to decide what personal information they need and if they can minimize the data collected,” Thiemann said. “You also need to make sure your privacy policies and notices are transparent and easy to read and understand.”
Since many retailers use consumer data to predict trends and buying habits, Thiemann recommended stripping out individual identifiers to avoid running into potential pitfalls with the new law. He also noted that during 2020, companies need to have a simple employee privacy notice even though employee/job applicant personal information is not covered for a year—and should watch what happens in the California Legislature for 2021 and beyond. For business contacts, follow a practice of not selling personal data collected while conducting business-to-business transactions, so that such information is not deemed personal information under the CCPA.
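Two of the practices above, honoring “do not sell” requests before any record is shared or disclosed and stripping individual identifiers before data is used for trend analysis, come down to a small amount of code sitting in front of every export path. The following is an added example written for this article; it is not code from NACS, Conexxus or any retailer. The field names (`name`, `email`, `ssn`, `postal_address`, `card_number`, `health_info`, `region`), the sample records and the vendor-export flow are all constructed for illustration.

```python
"""Opt-out gating and de-identification for consumer records (illustrative example).

Assumptions (not from the article): records are flat dicts keyed by
"consumer_id"; the field names below are placeholders for whatever a
retailer's point-of-sale or loyalty system actually stores.
"""
from typing import Dict, List, Set, Tuple

# The kinds of directly identifying information the article says must stay
# private: name, address, social security number, email, financial and
# health information. Field names are assumptions for this example.
DIRECT_IDENTIFIERS: Set[str] = {
    "name", "email", "postal_address", "ssn", "phone", "card_number", "health_info",
}

# Constructed sample records; every value here is made up.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"consumer_id": "c-1001", "name": "Ana Example", "email": "ana@example.com",
     "postal_address": "1 Main St, Sacramento, CA", "region": "Sacramento",
     "purchase_category": "fuel", "amount": "42.10", "month": "2020-02"},
    {"consumer_id": "c-1002", "name": "Ben Example", "email": "ben@example.com",
     "postal_address": "2 Oak Ave, Fresno, CA", "region": "Fresno",
     "purchase_category": "snacks", "amount": "6.75", "month": "2020-02"},
    {"consumer_id": "c-1003", "name": "Cy Example", "ssn": "000-00-0000",
     "region": "San Diego", "purchase_category": "fuel", "amount": "38.00",
     "month": "2020-02"},
]


class OptOutRegistry:
    """Central store of 'do not sell' requests.

    The point of keeping one registry is that the website button, the app and
    any request form all write here, and every disclosure path reads here.
    """

    def __init__(self) -> None:
        self._opted_out: Set[str] = set()

    def register(self, consumer_id: str) -> None:
        self._opted_out.add(consumer_id)

    def is_opted_out(self, consumer_id: str) -> bool:
        return consumer_id in self._opted_out


def share_with_vendor(records: List[Dict[str, str]],
                      registry: OptOutRegistry) -> Tuple[List[Dict[str, str]], List[str]]:
    """Return (records that may be disclosed, IDs withheld because of an opt-out).

    'Sell' in CCPA terms means share or disclose, so this gate belongs in front
    of any hand-off to a third party, not only paid data sales.
    """
    shared: List[Dict[str, str]] = []
    withheld: List[str] = []
    for record in records:
        if registry.is_opted_out(record["consumer_id"]):
            withheld.append(record["consumer_id"])   # keep for the audit trail
        else:
            shared.append(record)
    return shared, withheld


def audit_export(exported: List[Dict[str, str]], registry: OptOutRegistry) -> List[str]:
    """List consumer IDs present in an export that should have been withheld.

    Run this over the file actually sent to a vendor; an empty result is the
    evidence the article says sales and marketing teams should be able to show.
    """
    return [r["consumer_id"] for r in exported if registry.is_opted_out(r["consumer_id"])]


def deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the record with all direct identifiers removed."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def build_trend_dataset(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """De-identify records for trend analysis.

    The consumer_id is dropped as well, otherwise analysts could re-link each
    row to the identified record it came from.
    """
    dataset = []
    for record in records:
        stripped = deidentify(record)
        stripped.pop("consumer_id", None)
        dataset.append(stripped)
    return dataset


if __name__ == "__main__":
    registry = OptOutRegistry()
    registry.register("c-1002")            # Ben clicked "do not sell my data"
    shared, withheld = share_with_vendor(SAMPLE_RECORDS, registry)
    print("shared:", [r["consumer_id"] for r in shared], "withheld:", withheld)
    print("audit of vendor export:", audit_export(shared, registry))
    print("trend dataset:", build_trend_dataset(SAMPLE_RECORDS))
```

The two functions are deliberately separate: `share_with_vendor` answers “may this identified record leave the business at all?”, while `build_trend_dataset` answers “what is left once the identifiers are gone?”. A de-identified dataset can be used internally regardless of opt-out status, but an identified record of an opted-out consumer must never reach a third party, which is why `audit_export` checks the export file itself rather than trusting that the gate was applied upstream.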
[Figure: Types of Consumer Data Revealed Daily. Source: Deloitte]
Legislative Landscape
Will other states or the federal government follow California’s lead and enact similar privacy laws? “In Washington, there is big momentum to pass something this year,” Anderson said. “New York, Massachusetts, Maryland, Rhode Island, Texas and Mississippi are considering similar legislation. We anticipate at least a dozen states will discuss or pass privacy legislation this year.”
With more state laws, the push to have a federal privacy law will intensify. “Having a checkerboard of different privacy laws across the United States will become problematic for companies that operate nationally or even just in a few states,” Anderson noted. “Thus the appeal of a federal privacy law to simplify compliance.”
However, with 2020 a presidential and congressional election year, “passing such complex legislation in this climate is highly unlikely,” Anderson said. She predicted that a congressional bill will come up in 2021, after more states have enacted their own privacy laws.
To help develop a uniform and fair framework for privacy, NACS joined with other retail groups, including the National Retail Federation, to form the Main Street Privacy Coalition last year. In November, the group sent a letter to Congress, urging it to pass a federal privacy standard that would give consumers transparency about data collection and usage. “By developing a data privacy law that does not pick regulatory winners and losers, Congress can ensure that Americans’ privacy will be protected by federal law regardless of which business is collecting, transmitting, storing or otherwise processing their personal information,” the groups wrote.
Overall, no matter how big or small a company, having a plan for addressing privacy concerns is key to staying in business in the 21st century. “It’s not something that retailers can ignore, given how much data is collected from consumers online, through apps, etc.,” Thiemann said. “Every merchant should take a hard look at how they use, store and collect consumer data.” The pressure is on retailers to understand privacy restrictions on a state-by-state basis or risk high penalties due to noncompliance.
For a deeper dive into the topic, view the Conexxus “Privacy Policy: What Happened in California & What Is Happening in Congress” webinar and download a PDF of the presentation at www.conexxus.org/webinars.