Updated: Apr 11, 2020
Californian Law Makers have passed California Consumer Privacy Act (CCPA) which has become the first data privacy act in the US. The passed CCPA only reflects upon the worldwide trends in Consumer Data Protection, Federal and state governments are know more cautious about personal data of consumers and planning to introduce legislative initiatives. We will see more such initiatives in near future. The million dollar question is how the situation is going to unfold and how US retailers should respond to the data protection requirements. This article will discuss two major issues:
What should be the response of US retailers to new Data Protection Requirements?
How technology will influence data security?
What come under CCPA
The CCPA is applicable on following businesses which satisfy one of the following conditions
Gross Annual Revenue is more than or equal to $25 million.
The business buys, receives, or sells personal data of 50,000 or more consumers, households, or devices
The business receives 50% or more of their annual revenue from selling consumers’ personal information
Consumers Rights redefined and expanded in CCPA
Consumer’s rights are redefined and expanded under CCPA:
Right to know what personal data of consumer is collected, used, shared, or sold
Right to delete personal information which is shared with businesses even after consent is given taken.
Opting out of selling consumer’s personal information
Privacy rights of the consumers are same for all consumers irrespective of the price and nature of services.
The last point is what makes retailers panic the most and change their approaches to data collection.
How retail businesses can comply with CCPA?
To comply with the CCPA, businesses have to:
Developing mechanisms to inform consumers before collecting there personal information and data to collect consumers.
Setting a specific time frame to respond to the requests of consumers to opt out of sale to personal data.
Setting a specific time frame to respond to the requests of consumers to inform consumers on how their personal data is used and giving them option to delete data if they opt for so.
Providing options to consumers when they are sharing information or personal data where they can say no to sell their personal information and personal data i.e. a link “Do Not Sell My Info” on website or mobile app.
Identifying and verifying consumers who have made requests to know how their data is used and to delete their data in case they have requested so. It will be independent of whether they have maintained a password protected account or not.
Informing consumers about the financial incentives that organization can offer in exchange of retention or sale of their personal information, Organizations must also explain the methods to calculate monetary value of their personal information when shared with others and also explain them how CCPA permit incentivizing sharing personal information of consumers.
A maximum time period of 24 months to maintain records and respond to the consumers requests to maintain, delete or not to sell their personal data as per law.
Difference in CCPA and other Data Protect Acts?
CCPA differs from other Data Protection Act in term of scopes, business obligations, and requirements. While the prime purpose of all laws is to protect consumer’s data, the introduction of technology in collection of data has also complicated the definition, classification in law and interlinking of various operations inside and outside the organization i.e. third party buyers and sellers of consumer’s data has changed the scope of law. The increasing trading in consumer’s data has increased the business obligations and requirements.
The trading off between rights of consumers for their personal data and commercial benefits of the organizations obsessing consumer’s data has favored redefining the relationship among the consumers and organizations. i.e. whereas in CCPA allows customers to sue businesses, while the other acts give such rights only to regulators. Following are additional points in CCPA which were not in other Acts:
CCPA has a more detailed description of what personally identifiable information is,
CCPA has defined what specific requests consumers can make regarding their data, and how those requests should be processed.
CCPA has also set a time limit to processing of such requests.
The act also provides the right for a consumer to request their history of personal data collection, transfer, and sharing for the last twelve months.
The CCPA went into effect on January 1, 2020. However, it will only start being enforced on July 1, 2020.
How retailers are addressing the CCPA
It must be pointed out here that whether US based in general or California based retailers are putting enough efforts to be CCPA ready. A time of one and half years is already elapsed. As mentioned earlier as Act is still not considered as comprehensive and is unable to explain the applicability of Act in many situations. The law is still under discussion widely.
We’ve collected data from several surveys conducted among different businesses (not only retailers). These surveys were conducted by different organizations on slightly As we can see, only half of businesses planned to be prepared by January 1, 2020, and this indicator is quite similar across surveys and across time. Considering that plans are not always successfully fulfilled, we can assume that more than half of businesses were not prepared for the CCPA on January 1. One reason why the level of readiness is so low is that businesses are waiting for further clarifications.
What Big Retailers says about CCPA
In recent article Do Not Sell My Info’: U.S. retailers rush to comply with California privacy law, Reuters has provided insights about the reaction of from top retailers i.e. Amazon, Target, Walmart, and Home Depot on CCPA.
Home Depot claims they already have “a deliberate approach to customer data and privacy”, and even with the introduced requirements, the CCPA doesn’t affect their policy that much. However, the retailer will add signs and QR codes in its Californian stores, so that customers could check out info on the new law. Walmart supports the initiative of giving customers control of their information. Target already has the do-not-sell-my-data button and provides the option to opt out of sharing private information on their site. Amazon has already declared that they don’t sell customers’ personal information, so they won’t even put the do-not-sell-my-data button on their website. As per Reuters, Top Retailers are working hard to provide option of deleting personal data to their consumers. Home Depot and Target both have claimed to continue with loyalty programs without any change.
Technical aspects of CCPA compliance
An ideal tool that covers all CCPA requirements must have the following features :
Ability to track all instances of all pieces of consumers’ personal data
Ability to show where consumer’s personal data is stored (if requested)
Ability to show what is done with it in past twelve months (sharing, selling, opting out, and opting in).
Ability to delete data (If requested).
Ability to notify third party buyers or recipients of consumer data users the status of data (opt in, opt out).
Ability to consider the status of data while approving transactions such as sharing or selling.
Ability to track different sources of data and operations performed over it.
Ability to insure safety of data.
Ability to identify customers who requested including those who do not have accounts.
Explain how the value of personal data is calculated (to show that the benefits for those who have shared their personal data are equivalent to the value of that data).
Maintain request records for 24 months.
Provide customers with written notifications of all kinds of operations with their data
Collect written confirmations from customers to use their personal data.
That’s not even the complete set of requirements for an ideal tool. Besides that tool must also have additional features which will be revealed only once the whole system is put to testing and be implemented. It is better if we implement CCPA compliance in a phased manner as still many of the terms and guidelines are defined in vague manner. We should also keep in mind the cost involved in implementing such solutions.
CCPA compliance is quite a challenging task when we’re talking about corporate databases, storage systems, clouds, backups, etc. But it becomes even more challenging when businesses are working with personal data in tools such as Microsoft Office or G Suite. These features should be split and should be started with reviewing and adjusting your security protocols and data encryption policies. It must also be kept in mind that personal data about consumers collected through IOT or AI will be more complex.
Those businesses that have aggregated personal data or have in some other way processed it anonymously should be able to work with the processed data when source personal data has been deleted.
Seeing the complexity of complying with CCPA requirements and pressure from industry associations, Present situation guide retailers to wait and watch in 2020. The initiative about the preparedness for CCPA compliance should be directed towards the implementation of clearer part of CCPA. Seeing the pressure the law is very much likely to be amended and possibly will be discussed in court also if forced to be implemented in present form. Though a majority of retailers have started implementing law but the process is very slow.
At Federal level Data Privacy Protection Law is distant for at least next few years. It is also safe to assume that when brought at federal level such law will be quite similar to CCPA.
As per a survey conducted by PWC on companies with at least $1 billion in revenue shows that:
Nearly half of respondents will invest hugely to be CCPA compliant.
One third of organizations are planning to fulfill CCPA requests for all consumers irrespective of whether he is from California or not.
Approximately half of the respondents are planning to automate processing bulk of CCPA requests.