The point of the broad-based California Consumer Privacy Act of 2018 (CCPA), signed by California Governor Jerry Brown in June, is to protect consumer data. For retailers wondering if the CCPA will impact their business, there is limited time to figure out if and how. If you're a retailer selling products online and already compliant with the General Data Protection Regulation (GDPR), it's likely you’re nearly or entirely compliant with the CCPA.
It's a given that online merchants collect a lot of private customer information, both during browsing and purchasing. CCPA means developing new processes for customers to opt out or even request the deletion of their data. Even allowing customers to query what's stored about them could be a major operational challenge for many brands and retailers. One lawyer determined that, if a website gets just 137 unique visitors a day, in 12 months it will have collected data on 50,000 consumers.
The CCPA covers "consumers" who are defined as a "natural person who is a California resident." Note that the term "consumer" is a bit confusing, as the bill covers all people (prospective customers, employees and so on), not just actual customers of brands. Unlike GDPR, the law isn't extraterritorial, so it doesn’t cover California residents when they're out of state. You can refer to the act in full here.
Another no-brainer: personal information should be secured and encrypted. Newer businesses should be using newer technology stacks that handle this for them. Older businesses may have painful technical changes to make to ensure they're treating customer data with the necessary care.
The law says that "personal information" means "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." As you would imagine, there has been intense debate from various lobbies about this law, especially from digital advertisers. The late addition of the word "reasonably" is helpful because it means that some data that strictly speaking is identifiable may not be classified as such.
There are a lot of loose terms that will be up to the Attorney General of California to define in case law. What's known is that personal information does not include information that's public (i.e., lawfully available from federal, state, or local government records).
Does it Affect All Businesses?
It affects any for-profit entity “that does business in the State of California” that has an annual turnover of over $25 million or that buys, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices. Also, it impacts any business that derives 50 percent or more of its annual revenues from selling consumers’ personal information.
What's the Penalty for Noncompliance?
Up to $7,500 for each violation. That means per customer, so it could add up if a brand has a lot of customers. E-commerce merchants can also be sued by their customers if they disclose those customers' data.
For brands using Shopify to sell products, the following are tasks to tackle really soon:
- Do a full data inventory of what data you store and where.
- Eliminate redundant or obsolete data.
- Ensure opt-out and opt-in methods are present for all customers as relevant.
- Define processes for the right to delete data as well as data request reports.
- Create a shareable guide on how data is stored and why, especially when third parties are involved.
- Define and communicate the process for when data breaches occur.
CCPA goes into effect on Jan. 1, 2020. The Attorney General will begin enforcing CCPA six months after it goes into effect. That doesn’t leave much time to get in line, but if you’re already sorted for GDPR, there should be minimal changes involved.
Alex O'Byrne is the co-founder and director of We Make Websites, a Shopify web design, development, integration and optimization agency.