September 12, 2019

Explainer: How California’s Consumer Privacy Act will affect retailers

On January 1, when the California Consumer Privacy Act is scheduled to take effect, retailers will have a new set of data privacy regulations to grapple with. While some industry groups were hoping that lawmakers would include some carveouts for retailers before the law went into effect, that’s looking increasingly unlikely. California’s 2019 legislative session is scheduled to end on September 13, and none of the desired amendments have been passed.

The law will affect what type of data retailers will be able to collect, who they share it with, as well as how they use that data for marketing and loyalty programs. Read on for an explanation of the CCPA, as it stands.

What is the CCPA?
Inspired by regulations in other parts of the world like GDPR, as well as a wave of data privacy scandals, California lawmakers set out to create a series of regulations to give customers more control over how businesses collect their personal information, and limit what businesses can use that data for. What they came up with was the California Consumer Privacy Act, or CCPA, which was signed into law last year.

Who does it apply to?
The law applies to for-profit companies that meet one of a few criteria. Is your business located in California, or does it sell products over the internet to California residents? Does your business collect data on California residents?

And, does your business meet one of the following criteria: your annual revenue exceeds $25 million, more than half of your revenue comes from selling user data, or your company has personal information on at least 50,000 consumers? Then get ready to be CCPA compliant come next year.

Given how data-driven the retail industry has become, that means that a DTC brand that has gotten a lot of names and email addresses, but hasn’t hit the $25 million in revenue mark, could be affected.

OK, so what do companies that have to comply with the CCPA need to do?
Some of the provisions include: all California residents will have the right to ask companies to provide them with a file of any of the personal information they may have on them; companies will have 45 days to provide customers with that information, unless they can prove the information being requested by the consumer is “unfounded or excessive.” Customers can also request that a company delete any personal information they have on them. Companies that don’t comply could get fined or sued.

Additionally, businesses have to include a “clear and conspicuous” button on their homepage that says “do not sell my personal information” and that allows consumers to tell the business to do just that. It’s also important to note that “sell” here doesn’t just mean give to another company in exchange for money. The law deems “renting, releasing, disclosing, disseminating, making available, transferring” personal data to a third party to be the same as selling it.

Businesses also have to include any data-sharing agreements they have with other vendors in their terms of service, so customers understand who else may be getting access to their data.

That seems simple enough. Why is this such a big deal for retailers?
Because all modern retailers are in the data collection business — if you sell any product over the internet, you have to collect a customer’s name, email address, home address and credit card information in order to send the product to the consumer. You’re also likely trying to collect information on a customer’s purchasing history, to figure out which products are most popular among specific demographics of customers, and use that information in order to suggest other products a customer might want to buy. And, if you are a company that’s selling a personalized product or service, you’re also likely collecting tons of customer information on their product and size preferences.

But the biggest point of concern is what the CCPA will mean for the future of retail loyalty programs. The law would prohibit companies from “discriminating” against customers who opt out of data collection, “including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.”

“In principle, I don’t think anyone has an objection to that,” said Paul Martino, vice president and senior policy counsel for the National Retail Federation. But what that means is that loyalty programs could be considered programs that treat customers who opt out of data collection differently on the basis of price and/or service. Even though customers in theory aren’t being rewarded for handing over their data (they are being rewarded based on how much they spend), they’re still being treated differently than customers who don’t hand over their personal data.

So does this mean that nobody can offer loyalty programs?
As with other types of regulations, many retailers are choosing to take a “wait-and-see approach.” The shape in which retailers will be able to offer loyalty programs will depend upon how the first set of lawsuits brought against companies alleged to be in violation of the CCPA shapes up.

What’s also adding to the confusion is the fact that the California Attorney General’s office, which will be responsible for enforcing the law, isn’t required to finalize its rules for enforcing the CCPA until next July. So there will be a period of about six months where the law will be in effect, but not totally enforceable.

“We think this is a failure of the California government to lay out a law that is good for both consumers and businesses,” Martino said.

How are retailers preparing for this?
Larger retailers are beefing up their in-house legal teams with data privacy specialists. Many smaller startups that don’t have a robust in-house legal team will likely be turning to outside law firms that specialize in data privacy.

But this likely isn’t the last time that retailers will have to deal with the rollout of a new series of data privacy regulations, so they’re staffing up to deal with this new world order.

Walmart, for example, announced yesterday that it had hired the former head of compliance at Amazon, Nuala O’Connor, to head up a new position — senior vice president and chief counsel of digital citizenship. O’Connor will advise the company on “issues related to privacy, use of data and data governance, emerging technologies, cybersecurity, and records management,” according to a press release.

Meanwhile, Gap’s associate general counsel for privacy and data security, Dan Koslofsky, told the Wall Street Journal that the company has been working through how it would respond to various scenarios, and reevaluating certain partnerships. For example, Koslofsky told the Journal that Gap has been reconsidering deals it has with catalog companies to share customer mailing addresses with them.