California’s Consumer Privacy Act (CCPA) will go into effect in 1 month. Why is it important and why should direct-to-consumer, consumer packaged goods, and digitally active companies be concerned? Many companies engage in “direct consumer contact”, as they’re able to personalize experiences for their end users. This capability is made possible largely by the collection of consumer data, a tactic that may be drastically impacted once CCPA takes effect.

The CCPA is reminiscent of Europe’s Global Data Production Regulation (GDPR) in many ways and is a major attempt to institute data privacy laws to project the personal information of consumers in California. Based on the results GDPR’s rollout in 2018, it’s projected that most companies will fail to take the preparatory steps towards complete compliance by the law’s invocation date.  This negligence could lead to hefty fines, lawsuits, and irreparable brand damage.

The CCPA will affect the entire eCommerce landscape, which will require companies to understand the ins and outs of the CCPA, what steps need to be taken towards compliance, and how the law will affect not only their business, but e-commerce, now and in the future.

What is the California Consumer Privacy Act?

“The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses…”

California’s Consumer Privacy Act was established to protect consumers’ personal information by limiting unauthorized disclosures of personal information, giving consumers control of their information and the ability to take legal action in case of violation, and reinforcing noncompliance penalties.

To fully comprehend the law, companies must first understand what, by law, personal information consists of. Personal information (PI), as defined by the CCPA is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes information such as a consumer’s name, address, IP address, email address, account name, SSN, driver’s license number, passport number, commercial activity, biometric data, browsing history, professional employment information, and educational information. *Bills AB25, AB874 and AB1355 create stipulations where de-identified or aggregated consumer information from law, most B2B data, and for one year, employee data are exempt from the CCPA’s regulation of personal information collection.

Does CCPA Apply to Your Business?

CCPA applies to all for-profit businesses headquartered inside or outside of California that collect personal information of California residents and fall into the categories below.

Businesses that satisfy ALL the following:

1. For-profit business in the state of California, OR does business in California
2. Collects consumers’ personal information
3. Determines the purposes and means of the processing of consumers’ personal information

AND one of the following:

1. Has annual gross revenues in excess of $25 million
2. Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices
3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information

When Does CCPA Take Effect?

CCPA will take effect on January 1, 2020. The law will be legally enforced 30 days after its invocation. We’re only a few months away from the law’s effective start date, which means that most companies who have not already begun to prepare are behind in the race for compliance and impact mitigation. Although the law will not take effect until January 1, 2020 there are various steps that must be taken to ensure proper preparatory tasks have been identified and executed.

CCPA Consumer Rights and Compliance Tasks

Right of Disclosure

A business that collects, sells or discloses data for a business purpose about the consumer’s personal information (PI) must disclose to the consumer at or before the point of collection:

• The categories of PI collected
• The sources from which the PI was collected
• The business purpose for collecting the PI
• The categories of third parties with whom the PI was shared or sold

The CCPA will give consumers visibility into the information that a business has been collection from them, which means that companies must update their privacy notices to ensure that consumers are aware of their rights under the CCPA, including how to make disclosure requests, whether PI is sold or disclosed to 3rd parties and the business purpose of their information collection. Employees must be trained to verify consumer disclosure requests, and properly execute such requests.

Right to Access

Consumers have the right to request from a business that collects personal information, what information has been collected on the consumer in a free, seamless manor.

To ensure compliance with the right of access, businesses must have extensive data mapping capabilities to properly unify how the organization collects, stores, sells and protects consumers’ personal information in a way that it can be easily retrieved upon request. Consumer intake vehicles must also be implemented to give consumers ways to exercise their right to request collected personal information (toll-free number, website, email address to contact). Employee readiness must be assessed to determine whether a company needs to train or hire employees who handle personal information to identify and respond to consumer access requests. Finally, verification processes need to be implemented to effectively authenticate a consumer’s access request.

Right to Data Deletion

A consumer has the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. *CCPA Sec 2. 1798.105 carves out stipulations where businesses are exempt from deleting consumers’ personal information.

In preparation of the Right of Deletion Act, businesses should review their company’s privacy policy displayed on their website to include any information needed to inform a consumer on how the deletion process will be carried out. Deletion SOPs outlining the authentication and deletion process should be implemented and followed. Employees must be trained to follow deletion SOPs and ultimately execute deletion requests from consumers.

Right to Opt-out

A consumer can, at any time, request that a business that sells personal information about the consumer to 3rd parties not to sell the consumers’ PI. Note – a company can still collect and sell information on the consumer without them “opting in” if the consumer is over 16 years old. Consumers 13-16 must personally authorize the sale of their PI, and consumers under the age of 13 must have their parent or guardian authorize the sale of their PI.

To manage consumers’ opt-out capability, companies should include website notices with highly-visible links labeled “DO NOT SELL MY INFORMATION” where users can click to opt-out of data collection and sale. Age verification processes should be in place to identify a user’s age once they enter a business’ website. Have the proper forms and consent documents in place to be able to collect data from users under 13 (parent’s consent) or between 13 and 16 (user’s consent). Businesses should implement opt-out SOPs that will legally adhere to the execution of opt out requests (time period, notifications, confirmations, etc.). Finally, Employees should be trained to handle opt-out requests.

Right to Non-Discrimination

A business cannot discriminate against a consumer because the consumer exercises any of the rights provided by the CCPA. However; “A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”A business that offers financial incentives for PI collection, sale or deletion must disclose this information on their website and enroll consumers only if they chose to opt-in to the company’s incentive program.

To comply with the Right to Non-discrimination Act, companies must include website notices that inform consumers if they offer incentives or compensation for the use or sale of their PI to 3^rd parties. Businesses should implement policy documents around pricing to ensure that consumers are not treated differently for exercising their CCPA rights.

Right to Seek Damages in Case of Improper Data Use or Breach

A consumer has the right to take legal action against businesses when their “nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information” Essentially this means that a consumer has the right to sue a business if their information has been used for unauthorized purposes, or has been leaked due to a company’s substandard security management.

Businesses should conduct an analysis of their company’s information security and refine in areas where needed. CCPA will require businesses to protect personal data with “reasonable security” as defined by the Center of Internet Security (CIS).

What Does CCPA Mean for Businesses?

For companies which CCPA applies to, the ability to successfully navigate the CCPA regulated waters is contingent upon how quickly and effectively they can comply with regulations, mitigate potential consumer data collection impacts, and build adaptable, privacy-friendly, consumer data acquisition and management strategies for the future.

Compliance, an Indicator of Brand Trust

It’s critical that companies begin taking steps towards compliance now, as non-compliance fees and penalties range from $750 – $7,500 per infraction, not including court and other associated legal costs. Beyond the regulatory impacts of non-compliance, more detrimental consequences include brand damage, reduced consumer confidence, and diminished employee trust. Brand and employee confidence serve as integral pillars of a company’s success, and mismanagement of consumer data could significantly erode the foundational pillar on which a company stands. Research conducted by ExpressVPN found that “71% of consumers worry about how brands collect and user their personal data…” and “Nine out of 10 Americans worry about online privacy and data security…” CCPA compliance establishes a level of trust with a company’s consumers and employees which will be a preliminary, yet vital step towards building loyalty in a more heavily regulated digital environment.

Opting Out

The CCPA empowers consumers with the ability to easily opt-out and eradicate their personal data collection, which may very likely lead to decreased consumer data use to aid marketing tactics and personalization. To maintain a substantial customer data repository, companies will need to find unique incentivized ways to encourage consumers to give consent to the collection and/or sale of their data.

A survey conducted by Harris Poll revealed that “63 percent of consumers expect personalization as a standard of service and they feel like a brand recognizes them as an individual when they are sent unique special offers”, and “54 percent of consumers are willing to share personal information with companies if it will be used to create a personalized experience, which rises for younger generations like Gen Z (ages 18-23) (72 percent) and Millennials (ages 24-37) (70 percent).”

In a digital environment where consumers are apprehensive about sharing their personal information, and generally distrust companies’ use of their information, but also expect to have personalized digital brand experiences – success is achieved by balancing consumer PI protection, with incentivizing data collection consent for valuable personalization strategies.

“A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.”

Financial incentives for data collection could be a tricky area to pilot during the initial phases of the bill’s enforcement as the value of each consumer’s data is subjective, without a way to juxtapose the benefit/incentives given to the consumer & the value of the consumer’s data. This will be an area that should be explored by all companies who rely heavily on consumer data to influence sales.

A Change in the Right Direction?

With the data-collecting challenges that CCPA will bring, it will be more difficult for 2nd and 3rd party providers to obtain and sell data. This could limit the amount of 2nd and 3rd party data available, which in return is expected to raise costs for these data segments for CPG and direct-to-consumer companies who traditionally rely on non- first party data to target consumers. This shift could bring along positive results for businesses, as companies will be required to acquire consumer data via direct interaction instead of relying on outside sources, ultimately resulting in more accurate, higher quality data. To ensure a consistent flow of consumer data, companies will need to refine their first party data acquisition techniques in a way that consumers will feel comfortable and secure with entering their information on their webpages.

What’s Next?

As CCPA’s invocation approaches, businesses, specifically large CPG and direct-to-consumer companies, should prioritize compliance with the law. Referencing the Compliance Checklist and allocating resources to ensure timely execution of compliance tasks are paramount. Understanding the role that consumer data plays within an organization is critical to assessing CCPA’s impact and will facilitate mitigation initiatives. When developing consumer privacy strategies, consider an iterative, forward-thinking approach as CCPA is anticipated to be just the beginning of a broader rollout of consumer privacy regulations spanning beyond California. The e-commerce landscape could be drastically altered in a few years, and only the companies who take preemptive measures and plan for the future will be ahead of the digital data transformation curve.