
26 November 2018 (3 minute read)

The California Consumer Privacy Act: More than an encore to the EU GDPR

For the past two years, retailers doing business in Europe have been dealing with multiple obligations under the EU General Data Protection Regulation (GDPR). Retailers doing business in California will soon need to comply with the California Consumer Privacy Act of 2018 (CCPA), which will, starting in 2020, require retailers to respond to requests from California consumers to describe how the retailer shared consumer personal information over the previous 12 months, and will bring some GDPR-like rights to consumers in California.

Under CCPA, California residents will have the right to obtain a copy of all their personal information in a readily usable form, and to have their personal information deleted - rights that are very similar to those in GDPR. But unlike GDPR, under the CCPA retailers that sell or disclose California residents’ personal information will face novel obligations that present operational challenges, even for the most robust GDPR-compliance programs.

CCPA is therefore expected to have a significant impact on retailers with US$25 million in revenue that do business in California. For example:

  • The CCPA definition of personal information is broader than GDPR’s definition, including information that identifies, or can reasonably be linked to, not just a California resident or his or her device, but a California household. Businesses will need to map this huge range of information in order to comply with CCPA requirements, including responding to consumer requests about where their data has been sold (or disclosed for any business purpose) over the previous 12 months.
  • The definition of ‘sell’ is also very broad. It includes selling, transferring, making available or otherwise communicating personal information in exchange for anything of value. This definition may reach, for example, brands exchanging consumer information, using data append services, engaging in joint marketing and possibly engaging in some forms of affiliate data sharing. Retailers will need to rework their websites and apps to display a Do Not Sell my Personal Information link, where consumers may exercise their CCPA rights and notably the right to opt out of the sale of their information. Retailers with California residents’ personal information will need to manage those opt-outs and to refrain from asking a California resident to opt back in for 12 months after the opt-out was exercised.
  • Retailers that do not encrypt or redact payment card data or other personal information triggering security breach reporting must defend against potentially massive statutory damage class action liability of US$100 to US$750 per record if they suffer a data breach and are alleged not to have “reasonable security.”

For the moment, the CCPA draft is confusing. It may be amended next year by the legislature and will be clarified in an Attorney General rulemaking six months before it takes effect in 2020. But the operational challenges of the law are so significant that retailers will need to begin their compliance efforts before the ink is dry on any CCPA clarifications. Watch this space for more updates.
