What California’s New Consumer Data Privacy Law Will Mean for Retailers

California will ring in the new year with its toughest data privacy law yet.

As the state’s tech giants and businesses of all kinds brace for the implementation of the California Consumer Privacy Act (CCPA) on Jan. 1, many are still scrambling to make sure they’re compliant with the legislation’s complicated guidelines.

At its heart, the CCPA is designed to give consumers more control over their data, which websites have been accumulating (largely unchecked) for more than a decade. While the CCPA technically only applies to the Golden State, the legislation is expected to set the standard nationally in the absence of a federal law.

Consumers across the country have been met with full inboxes over the past few weeks. Brands, retailers and online marketplaces, as well as social media and tech platforms, have been diligently working to inform their customer bases about changes to their privacy policies and terms of service, often underscoring their commitment to transparency and the responsible stewardship of customer data.

While companies will still be able to collect information based on search and purchase history, emails and photos, consumers may now inquire about what kind of data has been gathered and request that it be deleted. They can also demand that their information not be sold to third parties (though the new law doesn’t grant them any particular legal recourse should they find out their wishes have been ignored).

If a company suffers a data breach that puts consumers’ information at risk, those consumers will have the backing of the state government if their information is stolen. Consumers will be able to sue companies that are negligent in their duties to protect sensitive information.

While the mandate affects businesses statewide across all categories, its formation was precipitated by the actions of the Silicon Valley behemoths that expanded data sciences to their current and seemingly limitless applications.

The CCPA will not affect small startups as much as established businesses and large corporations. To fall under the law’s purview, a company must earn more than $25 million in gross revenue, collect data on more than 50,000 people, or make more than 50 percent of its revenue from the sale of customer data.

Businesses that handle the personal information of more than four million consumers will be subject to additional obligations, the State of California Department of Justice website said.

In a memo responding to the law’s contents on Dec. 6, International Center for Law and Economics analysts estimated that the bottom-line cost to companies looking to meet the qualifications would be “staggering,” amounting to about $55 billion in upfront costs and $16.5 billion in additional costs over the next decade.

In October, a Consumer Data Privacy study from Deloitte revealed that most U.S. retailers (75 percent) believe the new regulations have the potential to significantly or moderately impact their businesses, but less than one quarter (22 percent) have taken proactive steps toward integrating their data privacy plans with their other strategy planning tools.

Retailers nursing anxieties about the law’s implications may be entitled to a small sigh of relief, though.

In a statement to California’s KQED News, a subsidiary of NPR, California Attorney General Xavier Becerra explained that the office’s budget is limited, and they are likely to pursue only three enforcement actions each year. While he declined to name the companies he had in mind, he told the outlet, “The bigger the company, the bigger the problem.”

“The bigger the universe that has data that is used in certain ways, that could lead to that violation, the bigger the case will be,” he added.

Becerra said information pertaining to health would be considered particularly sensitive, as would individuals’ Social Security numbers.

And his office is prepared to be especially bullish when it comes to data privacy for children, Becerra said, explaining, “The last thing you want is for any company to think that we’re going to be soft on letting you misuse kids’ personal information.”

The Attorney General’s office won’t begin enforcing the law until July 1, 2020, though it will go into effect on Wednesday.