BLOG

CCPA Compliance for E-Commerce

Published: Nov 20, 2019

The California Consumer Privacy Act arrives in January 2020 – here’s a brief guide to compliance for e-commerce companies

For e-commerce companies, CCPA compliance should be high on your radar for 2020. Like the General Data Protection Regulation (better known as GDPR) in Europe, it stands to make a huge difference to how you communicate with your customers. This article sets out the basics around what the new Act means and how to prepare your business for it.

Disclaimer: this post doesn’t constitute legal advice – seek professional legal counsel to ensure that your activities are compliant!

What Is CCPA?

The Governor of California signed Assembly Bill 375 on 28 June 2018. The California Consumer Privacy Act, also known as CCPA, will take effect on 01 January 2020.

CCPA focuses on data protection rights for consumers – however, it does not only apply to businesses physically located in California. CCPA protects the right of Californian consumers, regardless of state borders. So regardless of where your business is based, if you have customers in California you need to consider the impact of the new rules.

Retailers and CCPA: key implications and requirements

What does CCPA compliance for e-commerce really mean? Here are the basics of what the Act outlines:

• When a California resident requests what personal data is being stored by an applicable business, the company will have up to 45 days to respond. The response must include a full record in order to be considered compliant with CCPA.
• A California consumer will be able to opt out of sharing or storing their personal data with a business that provides the data to any third party.
• A California consumer has the right to know what data was purchased, whom it was shared with, and which business it was purchased from.
• Any California resident can request that any of their stored personal information be deleted.
• For California residents under 16 years old, businesses are required to provide an “opt-in” function.
• For California residents under 13 years old, a parent or guardian must consent.
• California consumers cannot be penalized by a business for exercising their rights in accordance with the CCPA.
• Businesses are required to offer California consumers easy-to-see opt-out options, such as a “Do Not Sell My Information” button, on their website.

Determining If CCPA Applies To You

CCPA applies to businesses that meet certain criteria. This includes:

• Any business that sells to California residents and generates more than $25 million in revenue each year
• Any company that receives or shares the personal information of more than 50,000 Californians
• Any company that derives at least half (50%) of its yearly revenue through the sale of the personal information of California residents

For the most part, this means that small businesses are currently exempt from having to deal with CCPA compliance. While this may change in the future, larger companies are presently the only businesses that need to prepare for the CCPA staging date.

CCPA vs GDPR

CCPA is very similar to the General Data Protection Regulation (GDPR) passed by the European Union in 2018. The good news is that companies that are considered GDPR compliant will not need to change much in order to meet with CCPA compliance requirements.

CCPA is slightly more stringent thanks to its broader definition of personal information. However, there are many options out there to help a company implement compliance requirements before the January 2020 timeframe.

Consequences for non-compliance

The Attorney General and California court system are prepared to execute several different consequences for non-compliant businesses.

• Unintentional violations can result in fines up to $2,500 each.
• Intentional violations will each warrant a $7,500 fine.
• Fines are assessed per person or account.

Fines add up quickly. Often, if a violation is present with one consumer, it is present with others.

To estimate potential financial damages, you could multiply the number of your California consumers by $7,500. For example: if you have 25 California customers. Those 25 customers multiplied by $7,500 means you could face up to $187,500 in fines based off the discovery of a single consumer’s violation.

These penalties can seem scary – so what do you need to do in order to avoid them?

Key steps for preparing for CCPA compliance

Here are the key steps for retailers preparing for CCPA compliance.

Audit data collection and management processes

A thorough evaluation of how your company collects and manages personal information is essential.

Deep-diving into where you store your consumer data and how you use it is essential to preventing intentional and unintentional violations from costing your business thousands in fines.

You should also examine the data you collect from third-party sites; third-party vendors should provide a CCPA Compliance Certificate on request to ensure data you receive will not result in damages to your company in a lawsuit.

Plan for consumer requests

Under the CCPA, you have up to 45 days to respond to personal information data requests from California consumers. You need to have a plan in place to quickly tackle these requests. This may include hiring personnel to address these matters efficiently and within the requirements of the law. Data extraction tools, response formatting, and a thorough understanding of the law will also be required.

Prepare for future regulations

Many experts believe the GDPR and CCPA are just the beginning of the data rights battle. California is simply the first state to take consumer data rights seriously enough to enact legislation. Future regulations are highly likely as more states become further involved with the data rights of consumers.

Bracing for impact

It’s hard to know exactly what to expect when CCPA hits – but there are some predictions that we can make based on GDPR.

First of all, you’re likely to see your email database take a hit. Here’s how much of their addressable databases marketers lost when GDPR came into force in 2018:

However, there’s a silver lining here. Recovery from these losses was actually pretty quick. One year after the regulations came in, databases had successfully recovered to 93% of their pre-GDPR levels.

How did it happen so fast? Here’s another lesson we can take for CCPA compliance. The below were the top strategies used by businesses to recoup their databases – a greet steer for those looking to 2020:

January 1st will mark a new watershed for privacy regulations in the US – any preparation you do now will pay dividends in the short-term, and prepare you well for the evolutions in data privacy yet to come.