Skip to main content

Most Retailers Unprepared for California Consumer Privacy Act, Deloitte Finds

While personalization has proven instrumental for retailers looking to court new consumers, those shoppers are increasingly pushing back against the methods being used to glean insight into their lives.

A 2019 Consumer Data Privacy study released Wednesday by Deloitte revealed that nearly half (47 percent) of American consumers feel they have little to no control over their personal information. Analysts surveyed 2,000 U.S. consumers and 201 retail executives for the report, which highlights consumers’ fears about data breaches and their desire for more control over how their information is used and shared.

Retailers reported using consumer data almost exclusively to augment the customer experience, noting that their top three objectives for collecting personal information include increasing operational efficiencies (53 percent), improving product selection (52 percent) and enhancing in-store services or experiences (49 percent).

And while the majority (71 percent) of consumers are willing to share that data if it means having access to better pricing, special discounts or exclusive offers, more than half (55 percent) believe that brands and retailers are sharing their data with third parties, or selling it. More than two-thirds of consumers believe their information is being used to fuel targeted marketing.

Even if brands are able to deliver a more tailored and satisfying shopping experience through the use of consumer data, the mistrust that shoppers are feeling could prove damaging. The vast majority (86 percent) of surveyed shoppers believe that they should be able to opt out of the sale of their personal information.

Related Stories

While data privacy laws have largely failed to rein in retail up to this point, analysts cautioned that “consumer privacy is at an inflection point in retail, with significant business, financial, and regulatory reasons for retailers to act now.”

The E.U.’s General Data Protection Regulation (GDPR) was signed into law in 2018, giving consumers an unprecedented level of control over their own information and forcing businesses to adhere to strict privacy provisions.

Now, similar regulations may finally be taking hold in the U.S.—though the country still lacks a unified federal mandate. That means that states have largely been responsible for crafting their own laws, which has the potential to create a confusing “patchwork of legislation” that is difficult to enforce.

As of the report’s release, nearly half of all U.S. states are in the process of developing data privacy legislation. Three states—California, Maine and Nevada—have already enacted laws.

The California Consumer Privacy Act (CCPA), set to go into effect Jan. 1, 2020, is the most advanced and far-reaching initiative. Much like the GDPR, the CCPA’s penalties for noncompliance penalties are hefty. “A relatively small privacy incident involving only 5 percent of California consumers could cost a retailer as much as $5–$10 billion in civil penalties and statutory damages, or 50 percent to 150 percent of revenue for a retailer with $10 billion in annual revenue,” analysts explained.

The report’s findings showed that most U.S. retailers (75 percent) believe that new regulations have the potential to significantly or moderately impact their businesses, but less than a quarter (22 percent) have taken proactive steps toward integrating their data privacy plans with their other strategy planning tools.

More than half (62 percent) of retailers use over 50 information management systems in their daily business operations, including programs to manage email, point-of-sale systems, spreadsheets and more. Spreading consumer data out over a breadth of platforms increases consumer data vulnerabilities, analysts said.

“With increased scrutiny on consumer and data privacy, there is a call to action to define a new standard that works for consumers and retailers. Future leaders in data privacy should adopt guiding principles that align across the entire organization as an essential part of their strategy, culture and operations,” Rob Goldberg, Deloitte’s cyber risk leader for retail, wholesale and distribution, said.

Of the retailers surveyed, Deloitte characterizes just less than one third (32 percent) as “leaders” in terms of enacting proactive measures to preserve consumer privacy. Those who meet that standard are focused on building trust, and have integrated their privacy efforts into overall corporate strategy.

“Adopters,” or organizations that are working to increase focus on privacy at varying levels, make up 41 percent of the retailers surveyed. More than one quarter (27 percent) of retailers were branded as “laggards,” as they admitted to not having made consumer privacy a priority at all.