The starting date for the California Consumer Privacy Act (CCPA) is looming over retailers’ heads. Whether or not you think your business may be affected by it, there’s a good chance it will be. Waiting until after the holiday season to comply with the act can lead to massive fines, the loss of customers, and even the nightmare of class action lawyers.
The coming holiday season is one of the busiest times of the year for retailers, but professionals in the industry say it’s not worth it to wait until after January 1st to comply with the CCPA. First things first: reading the actual act can be quite cumbersome. That’s why we’ve broken it down into different sections so retailers know the important takeaways. We hope to show retailers whether or not they are responsible for complying with the act, and which steps to take to make sure they don’t get fined. Ultimately, be sure to confer with your legal counsel for firm advice, as things remain unclear on the law’s impact.
What Is The CCPA?
The California Consumer Privacy Act was created to protect the privacy and data of consumers. The CCPA initiative requires businesses to tell consumers what data they are collecting and gives consumers the right to say no to the sale of their personal information. It will also allow consumers to sue companies if their personal data is breached. According to Robert Cattanach, a partner at international law firm Dorsey & Whitney, the CCPA mandates three things:
- What you have to say. Disclose to consumers the personal information you collect, use or share.
- What you have to do. Respond, within 45 days, to consumer requests regarding their information and include a prominent, one-click option on your website, “do not sell my information.”
- What you cannot do. Have a data breach, which under CCPA’s private enforcement provisions will attract an army of class action lawyers and make it very difficult to prove your innocence.
The CCPA Isn’t Just For The Big Guys
The CCPA applies to any company that has a gross annual revenue of at least $25 million, that is a data broker or other business that buys, sells or shares personal data of 50,000 or more consumers, households or devices, or that gets the majority of its annual revenue from selling consumers’ personal data.
“Now that the California legislative session is over, companies have a much better idea of what to expect when the California Consumer Privacy Act goes into effect January 1st, 2020,” Robert Cattanach told Independent Retailer. “The time for procrastination is over and it’s not just big tech that should be concerned.
“As with the EU’s General Data Protection Regulation (GDPR), there is a concern that regulators will feel compelled to make an example of a medium-sized company just to demonstrate that the law cannot be ignored. All it takes is one disgruntled customer or employee to put your company in the crosshairs. Fortunately, there are some basic proactive steps medium-sized companies can take, starting now, to avoid becoming the poster child for CCPA enforcement.”
Retailers Don’t Need To Be Located in CA To Have To Comply With The CCPA
“California by itself is the 5th largest economy in the world, so if a retailer does business in California or collects data from California residents, they need to comply,” Eric Tejeda, Marketing Director at PossibleNOW, told Independent Retailer. “Ignoring the California statutes and marketplace regulations is unlikely to be an option. There’s good news however – the CCPA is largely in line with GDPR, so if the retailer’s business is already GDPR compliant, they’re probably in good shape for CCPA.”
A retailer who does business nationwide needs to be proactive with their data privacy practices, and CCPA compliance is a great place to start. The fact that this act is being put in place just goes to show that consumers are concerned about their privacy and what happens with the data they share, so in order to keep your customers happy, the CCPA is a good thing to practice.
56% Of U.S. Businesses Won’t Be Prepared for the CCPA Come January
PossibleNOW, an enterprise consent, privacy, and preference management solutions provider, recently released the results of a survey which found that 56% of U.S. businesses polled reported they do not expect to be fully prepared to meet CCPA requirements by the January 1, 2020, date of enforcement.
Target Marketing reported that businesses that aren’t complying with the CCPA may have their reasons. The biggest reason for not complying is cost, which is basically the equivalent of the price of a full-time employee. Other reasons include waiting to see how the law will be enforced, not thinking their business is big enough to be subject to the law, or simply not understanding the law.
What Are The Consequences For Not Complying With CCPA?
The costs for non-compliance with the CCPA are huge. According to the act, “Penalties for non-compliance are $2,500 per record for each unintentional violation and $7,500 per record for each intentional violation. So a company that doesn’t honor or mismanages 1,000 consumer privacy requests could face a fine ranging from $2,500,000 to $7,500,000.” After looking at those numbers, the cost of a full-time employee certainly feels reasonable now.
What Businesses Can Do To Prepare
To make sure you don’t get fined ridiculous amounts, Eric offers some tips on how retailers can prepare themselves by January 1st. “Retailers can and should prepare for CCPA in a number of ways,” Eric said. “Initially, retailers should perform a data audit and mapping exercise, to determine what consumer data they collect and where it is stored. Having this knowledge is vital for responding to data privacy requests.”
Next, retailers should create a workflow for responding to consumer requests. Determine which employee is responsible for responding to the request and the tasks that must be performed.
Retailers must provide two or more ways for consumers to make a data privacy request. At minimum, this must include a toll-free number and access via the website. It’s vital to have a method of tracking and documenting these requests, ideally in an automated system. These requests should be routed to the appointed staff throughout the organization to ensure that they deliver the required information within 45 days of receiving a verifiable consumer request.
The later a retailer waits to comply, the more difficult it will be. As the deadline approaches, resources become more scarce and implementation becomes more costly. A proactive retailer can rest easy complying now, rather than waiting until the last minute to scramble for compliance before January 2020. To view the California Attorney General’s information on CCPA and to read the bill in its entirety, visit www.oag.ca.gov/privacy/ccpa.