Merchants were expected to begin complying with the California Consumer Privacy Act (CCPA) in January, but enforcement of the law only began this week on July 1, 2020.
CCPA gives Californians the right to opt out of the sale of their personal information. Similar to the European Union’s General Data Protection Regulation (GDPR), which went into official enforcement in 2018, residents of the state can also ask to have their data deleted and to know what information about them has been collected. The requirements apply to for-profit businesses that have annual revenues of more than $25 million; possess the personal information of 50,000 or more consumers, households, or devices; or earn more than half of their annual revenue from selling consumers’ personal information.
The law will apply to every online retailer that sells to California consumers, as most merchants collect a consumer’s name, location, IP address and identifiers that track their web and app use on internet-connected devices. Businesses face steep fines if they don’t comply, including a civil penalty of up to $7,500 per record for each intentional violation, and $2,500 per record for each unintentional violation.
A survey of 1,500 businesses conducted last year by personalization data vendor PossibleNOW found only eight percent of merchants felt ready to comply with the law at the time.
CardNotPresent recently published guidelines and suggestions for getting things in order to comply with CCPA.
Ameesh Divatia, co-founder and CEO of Baffle, a data protection solutions provider, spoke to CNP about where he thinks merchants are with understanding the law now, and what they need to be doing to ensure compliance now that the law is enforced.
CNP: A survey conducted in 2019 found only eight percent of merchants felt prepared to comply. Now that the law is officially going to be enforced, has compliance risen? Is there still a lot of work to be done?
Ameesh Divatia: There has been a significant amount of work done as evidenced by the numerous notices that we, as consumers, have been provided with on websites as well as by mail. Having said that, since enforcement starts on July 1, there is a fair amount of confusion among smaller merchants regarding how the regulatory authorities will assign ‘value’ to sensitive data. The subsequent clarifications from the Attorney General have helped but this remains a work in progress until we see enforcement action.
CNP: Where so much information is asked of customers in exchange for discounts, etc., and to process payments, how can merchants now pivot to preserve information in compliance with this law going forward?
Divatia: The first step is to identify what will be considered sensitive data per CCPA regulations and choose a data transformation technique such as masking, tokenization or encryption. Next, it is important to assign a purpose to data collection (e.g., marketing, customer service, accounting). Finally, adopt security procedures that meet the “reasonable” standards as suggested by CCPA.
CNP: What new techniques and tools will allow for data minimization with minimal impact to the business?
Divatia: Necessity is the mother of invention and that is very evident in this area. Businesses need to collect their customers’ information and, more importantly, they need to process it to generate even more business. New techniques that allow this to happen without revealing the underlying sensitive data are commercially available now and easily deployable in cloud as well as on-premise environments.
CNP: For merchants still struggling with questions about compliance with CCPA, what would you recommend as next steps?
Divatia: Merchants should audit how their customers’ data is collected and where it is stored. Using the step-by-step approach outlined above, they can take control of the security of that data and analyze it using new techniques that preserve privacy. And now, with more people shopping online, it is important for merchants to keep in mind that security and consumers’ privacy are paramount to their business, as well as a competitive differentiator.