California Consumer Privacy Act Effect On Retail BusinessesSeptember 26, 2018
The California Consumer Privacy Act (CCPA) is the first truly comprehensive state privacy law, and will take effect January 1, 2020. Estimates suggest the CCPA will impact over 500,000 for-profit businesses that conduct business in California. While the CCPA will be enforced by the attorney general, it provides for a number of new rights, including a new private right of action for California residents impacted by data breaches. The CCPA has been compared to the EU’s General Data Protection Regulation (GDPR), which became effective May 25, 2018, because of its breadth and because of the robust rights it provides to California consumers.
The CCPA will apply to a business (1) with annual gross revenues over $25 million; or (2) that buys, receives, sells or shares (for commercial purposes) the personal information of 50,000 or more California residents annually; or (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. Most major retailers will likely meet one of these criteria.
The definitions of “personal information” and “consumer” are also very broad. Specifically, the definition of “personal information” includes any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” and includes IP addresses. The definition of “consumer” includes any natural person who is a California resident, which includes business customers and employees. In addition, the CCPA defines the selling of personal information to include renting, releasing, disclosing, making available, or transferring a consumer’s personal information to a third party for monetary or other valuable consideration.
Retailers are increasingly collecting and using personal data to create a more personalized, seamless, and frictionless experience for consumers and to communicate with the consumer about promotions and incentives that may be of interest to them. Under the new law, businesses that collect such data will be required to provide specific notices to consumers about what data is collected and how it is used, and with whom it is shared, as well as to provide consumers with specific rights relating to their data.
The CCPA provides California residents with the right to know what personal information is being collected about them, to know whether their personal information is sold or disclosed and to whom, and to say “no” to the sale of their information. It also provides these residents with the right to access their personal information. The CCPA imposes a number of obligations on businesses to accomplish these aims:
Businesses will be required to provide notices about their data collection practices, including the categories of personal information collected, the…