Digital Commerce 360

What every retailer needs to know about California’s privacy law

On June 28, 2018, California’s governor, Jerry Brown, signed Assembly Bill 375, also known as the California Consumer Privacy Act (CCPA).

The law, which takes effect on Jan. 1, 2020, is similar to the European Union’s General Data Protection Regulation (GDPR), which requires companies such as Alphabet Inc., Facebook Inc., Netflix Inc., Amazon.com Inc. and Twitter Inc. to comply or face multimillion-dollar fines for non-compliance. Despite businesses’ growing awareness of the consequences of non-compliance with regulations such as the CCPA and GDPR, only 14% of respondents to a recent survey by TrustArc said they were CCPA-compliant.

Estimates suggest the law will affect more than 500,000 businesses in the United States alone, and many more around the world that sell to consumers who live in California. Retailers need to pay heed to the law, because non-compliance can lead to hefty fines.

What businesses does the CCPA apply to?

The CCPA applies to any for-profit business that does business in California and meets any of the following criteria:

While small business owners can breathe a sigh of relief, larger enterprises need to prepare or potentially face significant fines.

What is the purpose of the CCPA?

The CCPA is focused on consumers’ data protection rights. It gives a California resident who buys goods or services from any business in the world that matches the CCPA’s criteria the right to know what personal information that business collects about him, to request that it be deleted, and to opt out of its sale to third parties. Businesses must also be transparent about the kinds of data they collect from customers, which include, but are not limited to:

CCPA’s key implications

Under the CCPA, businesses are required to provide an easy-to-find, clearly visible “Do Not Sell My Personal Information” option so consumers can opt out of having their personal information sold to third parties.

California’s attorney general, Xavier Becerra, will enforce the CCPA. He will be able to bring civil actions against any business that violates consumers’ rights under the law.

What are the implications of not complying with the CCPA?

A company that fails to meet any of the requirements listed above is non-compliant.

Businesses can expect civil penalties of up to $2,500 per unintentional violation and up to $7,500 per intentional violation. Penalties are assessed per violation, and each affected consumer can count as a separate violation. That means that if one Californian finds out a business is not compliant, he can report it, and it is reasonable to assume that a business that isn’t compliant for one California consumer is not compliant for any of them.

A business owner who wants a rough upper bound on its exposure for not complying with the CCPA can multiply the number of California-based customers it has by $7,500. That adds up quickly: even a business with only 50 Californian customers could face a $375,000 penalty, and at 1,000 or 10,000 customers in California the figure could easily put a company out of business.

California consumers can sue over data breaches 

The legislation also establishes a private right of action for consumers against covered businesses. Any California resident whose non-encrypted, non-redacted personal information is accessed without authorization, stolen or disclosed as a result of the business’s failure to maintain reasonable security measures can file a civil suit. So, in addition to paying penalties to the state, a business can be required under the CCPA to pay its customers when a data breach exposes their data and that data was not encrypted or redacted.

Statutory damages in such civil cases range from $100 to $750 per consumer per incident, or actual damages if greater, plus any declaratory, injunctive or other relief the court deems proper.

To avoid this exposure, businesses should encrypt or redact the personal information they hold about their customers. Note that encryption at rest only helps if the keys are not compromised along with the data, so key management deserves the same attention as the encryption itself.

Steps to CCPA Readiness 

So what steps can a business take to ensure it meets the CCPA requirements? The first step I recommend is to thoroughly audit your data collection, storage and management processes. Do a deep dive to identify every touch point where you collect, store and use customer data. Consider the following questions:

Plan for customer data requests

Do you have an action plan in place for how to respond when someone from California requests their data?

Remember, if you don’t respond within 45 days, they can take action against you.

Future proofing for data regulations

The GDPR and the CCPA are just the start of a long list of data regulations coming into effect, and the growing compliance burden could begin to overwhelm companies. Having an internal Data Protection Officer (DPO) whose job is to ensure the business complies with the various data protection laws around the world will probably become commonplace. But having technical controls in place that keep your data handling compliant with the GDPR, the CCPA and whatever laws come next is one of the easiest ways to stay compliant.

While bringing in an appropriate technical solution means an additional cost, staying compliant will probably cost a lot less than non-compliance. Indeed, 72% of American companies expect to invest in technology specifically to comply with the CCPA. The right technology platform removes much of the stress of managing the potentially dozens of different data regulations that states and countries around the world now have in the works.

Rather than spending only on legal fees, I recommend looking at customer identity and access management (CIAM) technology as a cost-effective way to comply with the CCPA. With CIAM technology, businesses can customize registration and login pages to include the necessary disclosure statements and to record customer consent. It can consolidate customer data from multiple web and mobile platforms into a single profile, so a business can readily produce a customer’s personal information upon request. CIAM solutions can also encrypt customer data and provide strong data protection. The CCPA is a legal problem that can, to a large degree, be solved with technology.

About the author 

Rakesh Soni is the CEO of LoginRadius, a provider of cloud-based digital identity tools.
