After two stressful years for EU retailers, who have had to adapt their routines to GDPR rules, it’s time for the US retail market to tremble. The California Consumer Privacy Act (CCPA) has become the first data privacy act in the US. This law might not be the last one this year, though. Other states and the federal government plan to support legislative initiatives for the protection of personal data of consumers.
So how will the situation unfold?
How will leading US retailers respond to the shift in data protection requirements?
And how will technology influence data security in retail in 2020?
Read on to find out.
CCPA explained: Does it differ from GDPR?
Who is affected by the CCPA?
The CCPA applies to businesses for which one or more of the following are true:
- Gross annual revenue is over $25 million
- The business buys, receives, or sells personal data of 50,000 or more consumers, households, or devices
- The business receives 50% or more of their annual revenue from selling consumers’ personal information
How the CCPA expands consumers’ rights
Under the CCPA, consumers have the right to:
- know what personal data is collected, used, shared, or sold
- delete personal information that businesses possess
- opt out of the sale of their personal information
- not be discriminated against based on price or services when exercising their privacy rights under the CCPA
The last point is what makes retailers panic the most and change their approaches to data collection.
What should businesses do to comply with the CCPA?
To comply with the CCPA, businesses have to:
- provide notice to consumers when collecting or before collecting personal data
- respond within a specific time frame to requests by consumers to opt out of the sale of their data, know how their data is used, and delete their data
- place a “Do Not Sell My Info” link on their website or mobile app for submitting requests to opt out of the sale and usage of their data
- verify the identity of consumers who make requests to know how their data is used and to delete their data, whether or not the consumer maintains a password-protected account with the business
- disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information, explain how they calculate the value of the personal information, and explain how the incentive is permitted under the CCPA
- maintain records of requests and responses for 24 months in order to demonstrate compliance
How does the CCPA differ from the GDPR?
Although both the GDPR and CCPA offer protections for private data, they have different scopes, business obligations, and requirements.
For example, the CCPA allows customers to sue businesses, while the GDPR gives such rights only to regulators. Plus, the CCPA has a more detailed description of what personally identifiable information is, what specific requests consumers can make regarding their data, and how those requests should be processed. The act also provides the right for a consumer to request their history of personal data collection, transfer, and sharing for the last twelve months. The GDPR doesn’t require such details — only access to data itself.
Also, the GDPR has requirements that are not included in the CCPA, like the right to correct errors in personal data.
The main takeaway here from the technical perspective is that if your company is compliant with GDPR, you already meet part of the CCPA requirements. However, you’ll still have to meet a bunch of CCPA-specific requirements.
When does the CCPA go into effect?
The CCPA went into effect on January 1, 2020. However, it will only start being enforced on July 1, 2020.
Pushback from industry groups and associations
From the moment the CCPA was signed on June 28, 2018, by California Governor Jerry Brown, industry groups such as the National Retail Federation (NRF), the California Retailers Association (CRA), and the Association of National Advertisers (ANA) were actively commenting, asking for clarifications, and expressing concerns regarding several requirements and uncertainties of the CCPA.
Probably the most debated point has been the “right to non-discrimination in terms of price or service when a consumer exercises a privacy right under CCPA,” as this could potentially be interpreted in a way that would prohibit all perks customers get from loyalty programs.
On March 8, 2019, the CRA and NRF submitted joint comments on the CCPA. Their letter emphasized that retailers gather data about consumers primarily to better serve them, while companies in other industries collect data about consumers to monetize it.
Retailers know that establishing long-term relationships with their customers requires more than just providing merchandise at a price they can afford. It requires maintaining consumers’ trust. We look forward to engaging with the attorney general and the California legislature to ensure that this law and its regulations strike the proper balance.
Virtually all retail customers are willing to yield some personal data in exchange for more personalized service or tangible benefits.
The closer it comes to the date when the CCPA goes into full effect, the more concerns are being raised.
On December 6, 2019, the CRA explicitly stated in a letter to California Attorney General Xavier Becerra that retailers need more time to adopt to the CCPA and that “the regulations should not be effective until at least January 1, 2021.”[Text Wrapping Break][Text Wrapping Break]In this letter, the CRA provided a range of arguments to protect loyalty programs. The letter also highlighted that the law has some weaknesses in terms of feasibility, e.g. with regard to unique brick-and-mortar challenges related to requirements to notify of data collection.
On January 29, 2020, the largest advertising associations released a joint letter to Attorney General Becerra urging him to delay his office’s enforcement of the CCPA:
Given the extraordinary complexity of the law and the wide range of open issues to be clarified from the draft guidance, there will not be sufficient time for many businesses to effectively implement the final regulations prior to the anticipated enforcement date of July 1, 2020. Without final regulatory requirements, business will be unable to make operational changes to their systems, further delaying finalization of their compliance programs. In order to avoid consumer and business confusion with respect to the new rules, we request that you further delay the enforcement of the law to begin six months from the date the CCPA regulations become final.
The pressure from industry organizations on the attorney general’s office is rising day after day, and it is possible that we will see the enforcement date moved back from July 1, 2020.
How retailers are addressing the CCPA
Very few US and even California-based retailers have put enough effort into becoming CCPA-ready despite having almost 1.5 years to do so. This is first of all due to a lot of discussions around the law and a lot of comments and uncertainties that could have an impact on the final requirements
We’ve collected data from several surveys conducted among different businesses (not only retailers). These surveys were conducted by different organizations on slightly different audiences, but we’ve aggregated the answers in one table for comparison.
As we can see, only half of businesses planned to be prepared by January 1, 2020, and this indicator is quite similar across surveys and across time. Considering that plans are not always successfully fulfilled, we can assume that more than half of businesses were not prepared for the CCPA on January 1. One reason why the level of readiness is so low is that businesses are waiting for further clarifications or considering turning to cybersecurity advisory services and retail Software-as-a-Service development.
Current statements from big retail players
In their recent article Do Not Sell My Info’: U.S. retailers rush to comply with California privacy law, Reuters provided a set of insights from top retailers — Amazon, Target, Walmart, and Home Depot. So how will they react on the changes?
Home Depot claims they already have “a deliberate approach to customer data and privacy”, and even with the introduced requirements, the CCPA doesn’t affect their policy that much. However, the retailer will add signs and QR codes in its Californian stores, so that customers could check out info on the new law.
Walmart supports the initiative of giving customers control of their information. Though, the corporation works through some not so clear law statements that relate to loyalty programs, for example.
Target already has the do-not-sell-my-data button and provides the ability to opt out of sharing private information on their site. All the US shoppers and California residents will get access to information outlined under the new law.
Amazon, in its turn, announces that they’re not the kind of company that sells customers’ personal information, so they won’t even put the do-not-sell-my-data button on their website. The retailer will only revise their privacy notice and stick to the final regulations to “understand what signage may be required to inform customers how to find the privacy notice” at its stores.
Also, Reuters mentioned that top retailers are increasing investments in developing solutions to implement requests to delete personal data. At the same time, when it comes to the impact from the CCPA on retailers’ loyalty programs we mentioned above, the situation is slightly different. Both Home Depot and Target, for example, claim they won’t amend their loyalty programs at the moment.
Technical aspects of CCPA compliance
Let’s imagine an ideal tool that covers all CCPA requirements. To make CCPA compliance feasible from the technical perspective, businesses should introduce a personal data tracking feature that can track all instances of all pieces of consumers’ personal data. You need to make sure you’re able to show consumers, upon request, where all their personal data is stored, what was done with it in the past twelve months (sharing, selling, opting out, opting in), and how it’s going to be deleted (if requested).
This tool should track the status of data (opt in, opt out) and notify all third-party buyers or recipients of personal data about its status. It should also consider the status of data while approving transactions such as sharing or selling. This is quite a challenging task when we’re talking about corporate databases, storage systems, clouds, backups, etc. But it becomes even more challenging when businesses are working with personal data in tools such as Microsoft Office or G Suite.
Additionally, a compliance tool must track all varieties of data and operations. And of course, it must ensure the safety of personal data at every step. We recommend splitting up these features and starting by reviewing and adjusting your security protocols and data encryption policies.
Additionally, this tool should be able to:
- identify customers/requestors, including those who do not have accounts
- explain how the value of personal data is calculated (to show that the benefits for those who have shared their personal data are equivalent to the value of that data)
- maintain request records for 24 months
- provide customers with written notifications of all kinds of operations with their data
- collect written confirmations from customers to use their personal data
Those businesses who have aggregated personal data or have in some other way processed it anonymously should be able to work with the processed data when source personal data has been deleted.
That’s not even the complete set of requirements for an ideal tool. Fully complying with the CCPA is quite a complex technical task. We recommend implementing compliance measures part by part in response to further CCPA clarifications and practical cases.
Everything we’ve mentioned above is about pure digital data collection and operations. Adopting CCPA requirements in brick-and-mortar environments, when you’re collecting personal data via IoT or AI technologies, is going to be even more complex.
What to expect in 2020
The complexity of complying with CCPA requirements and pressure from industry associations tells us it’s quite possible that retailers will keep following the wait-and-see approach in 2020. A majority of retailers already have started and will, most likely, keep slowly implementing simpler and clearer parts of the CCPA while observing possible amendments and clarifications to the law. Obviously, the approach of businesses will highly depend on how and against whom the law will be enforced in practice.
A customer data privacy protection law is unlikely in the US at the federal level in the next two to three years, but it’s quite possible in the next five years and beyond. Retailers operating throughout the US are implementing functionality to comply with the CCPA. Therefore a federal law, when it appears, will likely be quite similar to the CCPA for purely pragmatic reasons.
An October 29, 2019 survey by PwC conducted among CIOs of companies with at least $1 billion in revenue (published on the NRF website) shows that
- 43% of companies will spend over $10 million getting ready for the CCPA
- more than 33% of companies plan to fulfill CCPA requests from residents of any state, not just residents of California
- almost 50% of respondents plan to automatically process bulk CCPA requests
What we can expect without doubt is that the CCPA will significantly improve the understanding of cybersecurity and culture of data use in the US, similar to what the GDPR has done in the EU, as shown by a 2019 IDG UK survey.
Contact us to get expert guidance and ramp up your retail business to meet ever-evolving data privacy requirements.