New privacy protection legislation is set to go into effect January 2020, to help address the issue of consumer privacy and hold certain ecommerce businesses accountable for the way in which they use, share, and collect consumer personal information and data.
The California Consumer Privacy Act, also known as CCPA, was originally introduced and signed into law June 28, 2018, in an effort to strengthen and enhance privacy rights for consumers residing in California.
During the month of October, California Attorney General Xavier Becerra released proposed regulations under the CCPA.
“Knowledge is power, and in the internet age, knowledge is derived from data. Our personal data is what powers today’s data-driven economy and the wealth it generates. It’s time we had control over the use of our personal data. That includes keeping it private,” said Attorney General Becerra. “We take a historic step forward today to protect Californians’ inalienable right to privacy. Once again, California leads the way putting people first in the Age of the Internet,” he added in a press release issued in October.
The law, which goes into effect January 2020, will impact and apply to certain companies and ecommerce businesses that receive and collect information from California consumers.
The CCPA has been referred to as one of the “strongest data privacy rights in the country” and essentially grants new rights to California consumers and adds an extra layer of security and assurance for Californians.
It also aims to hold businesses responsible for safeguarding their consumers’ personal information. Those who fail to comply will be hit by hefty fines, of course.
In a nutshell, the CCPA gives California consumers the right to know what personal information and data are being accessed, collected, or sold. Here’s a brief overview:
- Businesses must disclose data and sharing practices to consumers.
- California consumers also have the right to opt out of the sale or sharing of personal information.
- California consumers can also request that businesses delete their data, and they have the right to non-discrimination under the CCPA.
- Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
Certain businesses would need to comply to ensure that they are up to speed with current data privacy and consumer protections.
CCPA and the GDPR
Many people have pointed out some of the similarities between CCPA and GDPR, calling the CCPA, in many ways, a “GDPR Lite.” The GDPR is the European Union’s General Data Protection Regulation for consumer privacy and data protection for citizens of the European Union.
However, these two pieces of legislation should be treated as their own entities. It’s important to keep in mind that a business that is said to comply with GDPR regulations and is subject to CCPA may have additional obligations under CCPA, according to the California Department of Justice, Office of the Attorney General.
Will your Ecommerce Business be Impacted?
This law is applicable to only certain large-scale businesses that meet the following criteria. Make sure you read through and research the official wording of the law, too:
- reported gross annual revenues of greater than $25 million
- companies that buy, receive or sell personal information of 50,000 or more consumers, households or devices
- companies that derive 50 percent or more of their annual revenues from selling consumers’ personal information.
If you are a business that falls into one of the above categories, you should be aware of some of the penalties for not disclosing information to consumers or failure to comply with CCPA.
Penalties for Non-compliance
The maximum fine for intentional violations or failure to comply with CCPA regulations is $7,500. Other violations that lack intent will result in a $2,500 maximum fine. “Under the CCPA, consumers can collect between $100 and $750 for each event. If the damages are greater than $750, then the consumer may receive even more,” according to Security Boulevard.
It is important to note that for-profit businesses do not need to be based in California to be subject to this law. Businesses located both inside and outside of California are subject to the CCPA if they fall under one of the above-mentioned criteria.
When the law is enacted, businesses will essentially be required to disclose any and all personal information they have collected from a consumer, including the reasons why they collected the information, any information that was sold to a third party, the specific types of information collected, the sources of the information collected, and the categories of personal information they’ve collected, according to Rakuten.
Just recently, Google Ads and several other companies released an important update to their email subscribers and consumers regarding the California Consumer Privacy Act, highlighting current regulations in place (GDPR) in Europe as well as data protection terms that have been revised to reflect the new CCPA law effective January 1, 2020.
Some experts say that the CCPA may actually be concerning and threaten businesses with potential liabilities. It may also blur the line or provide little aid to help businesses know how to comply with the new law and may actually increase liability risks for non-compliant businesses.
Taking Steps to Protect your Ecommerce Business from Penalties
It is important to review the fine print and stay updated on what and how the California Consumer Privacy Act will impact you and your business. If you believe you may be impacted, your business should start taking the necessary steps to follow the provisions of the CCPA before January 2020.
While the final language is still being amended, some of the regulations will still be in place, which gives you ample time to prep for CCPA.
You can take the following steps to protect your business as highlighted by Rakuten:
- build a data inventory to see how your business currently obtains or collects personal information from consumers.
- identify third parties that you currently share personal information with to figure out compliance with the new law.
- figure out if your business is prepared during a test run of current processes in place for locating personal information in case a consumer asks for it in the future.
- ensure that customer data is secure, as this is an important part of the regulation.
Even though the California Consumer Privacy Act doesn’t officially go into effect until 2020, it is still important for your ecommerce business to be proactive and read up on the law before the time comes.