2018 was the year data privacy concerns went mainstream. The media focus on Cambridge Analytica and Facebook brought the importance of data privacy home to the general public. The steady drip of data leaks from prominent companies, including leaks from eCommerce stores targeted by Magecart, cemented the risks in everyone’s minds. Businesses across the world tightened up security and privacy as the GDPR came into effect. And California, the US’s most populous state, home to the largest online economy in the world, passed the California Consumer Protection Act, which has been called California’s GDPR.
When the CCPA comes into effect on January 1, 2020, it will affect eCommerce retailers in California, the US, and the rest of the world, much as the GDPR has affected businesses beyond the EU. Many US retailers, especially midsized retailers, were able to disregard the GDPR because they don’t sell to EU residents. They are, however, unlikely to be able to avoid complying with the CCPA because most sell to the vast and lucrative California market. The CCPA does not require a retailer to have a physical presence in California, only that they do business in California. It is the strictest US data privacy law in history and will require many retailers to overhaul the way they store, process, and monetize data.
Although strict by US standards, the CCPA is not as stringent as the GDPR. It does not require that consumers opt in to data processing, but it does require businesses to provide an opt-out and mechanisms that allow California residents to find out which personal data a business stores and how it is used.
The CCPA also applies to a narrower set of businesses than the GDPR. To be affected, a retailer must conduct business in California and conform to at least one of the following criteria:
- Have a gross revenue of more than $25 million.
- Derive 50% of annual profits from selling personal data.
- Buy, sell, or share for commercial purposes the personal data of 50,000 or more consumers, households, or devices.
These criteria are likely to capture a huge number of midsized retailers and apply to a much larger number of US businesses than the GDPR. Additionally, stricter rules apply to the data of minors. Consent for minors under the age of 13 must be given by their parents. Older children can opt in themselves, but businesses must provide an age-verification system and track consent for all minors.
The CCPA has harsh penalties, with fines of up to $2,500 for each violation, rising to $7,500 if the violation is deemed to be deliberate. That might not seem like a lot, but fines can accumulate for each violation of an individual’s rights under the CCPA.
What do retailers need to do to prepare? Most importantly, they need to be able to identify and track the personal data they store and who they sell that data to or share it with. For many retailers, this will not be an easy change to make, and with less than a year before the CCPA comes into effect, they should begin preparations immediately.