Are You Ready? Preparing for CCPA and the New Era of Data Regulations
There’s no overstating the impact that small computer in your pocket has made on retail. But governmental bodies are starting to reckon with it.
Starting January 2020, California will enact the California Consumer Privacy Act (CCPA). CCPA follows in the footsteps of the European Union’s General Data Protection Regulation (GDPR) and precedes the Brazilian Data Protection Regulation (LGPD), which will be effective in August 2020. American companies that delayed responding to GDPR will now see these types of regulations closer to home. In addition to California’s CCPA, Alabama, Arizona, Louisiana, Oregon, South Dakota, and Virginia all now have data breach notification laws. Iowa is leading the charge on regulating online services and mobile apps for students, and Colorado and Nebraska are tightening third-party practices.
So, what’s driving the push for greater regulations? Smart devices such as phones and voice assistants have the capability to collect and share information to an extent that's not obvious to consumers, but extremely useful to data-gathering retailers. Prior to these laws, retailers collected consumer preferences, purchase histories and personal information without explicit permission and without disclosing details on how the data is used.
Privacy concerns are heightened when the media shares reports of unauthorized sharing of personal information. And there’s been no shortage of high-profile retail data breaches recently, with brands such as Poshmark, Macy’s and Saks Fifth Avenue falling victim to hackers.
While the details of each regulation may differ, they share the same common goal: offer customers ownership over their data.
What to Expect From Any Regulation
In general, you’ll see the following four components referenced in each regulation:
- Consent: Proof of positive consent is mandatory. Retailers must consider how consent is documented and how the review process will be conducted.
- Transparency: Consumers can request confirmation that their data is being processed and request any data held about them be changed or deleted.
- Accountability: Retailers must show compliance with thorough documentation. In the event of a data breach, the relevant authority must be notified.
- Enforcement: Stakes are high for retailers that pride themselves on reputation. Stiff fines of up to 4 percent of a company’s annual revenue could be at stake.
Of course, there's some differentiation from law to law. For example, GDPR requires data breaches to be reported to the relevant authority within 72 hours of discovery, LGPD simply requires notification in a “reasonable time,” and California manages breach notifications in a different law altogether. The key takeaway is that data must be managed in a way that A) makes its use visible and understandable for customers and B) can be accessed quickly.
Preparing for CCPA
Retailers everywhere were not looking forward to the implementation of GDPR. Since the internet enables leveraging personal data to fuel targeted advertising, retailers were concerned by the new burdens and costs that awaited them upon the law’s implementation. In some respects, those that have already worked through GDPR will have an easier time adapting to CCPA, but there are still some hurdles to jump:
- Make opt-out clear. While GDPR makes it clear that retailers must provide data to customers on request, it doesn’t require a company to gain customer consent if it wants to collect and use their data. To comply with CCPA, retailers will need to add links that allow customers to opt out of having their data sold.
- Extend your definition of personal information. GDPR defines personal information as data that can identify the consumer. CCPA defines it as data that can identify the consumer and his/her household, a far broader set of data that retailers will need to keep track of.
- Provide greater accessibility to data. The “right of portability” differs between the two regulations. Both provide an out for retailers: portability is only required when technically feasible. However, the period of time within which a company must reply to a request is different. GDPR gives data controllers one month to respond; for CCPA, businesses must respond within 45 days. In addition, CCPA allows consumers to request data deletion regardless of reason, while GDPR provides a list of grounds the request must fall under.
The Time is Now
Hopefully, if you fell under GDPR’s jurisdiction, your customer data management is already in line with the guidelines. If so, you’ll only need a few modifications to meet CCPA compliance. However, if you’ve been avoiding a new data management initiative out of fear of the complexity involved in compliance, you’re running far behind. Start building a plan to ensure your customer data is easily accessible across the company. Furthermore, plan your response if and when a data breach occurs. It’s not only about complying with the law; it’s about building and maintaining consumer trust.
Doug Kimball is vice president of global solution strategy at Stibo Systems, a business data management solutions provider.