BLOG

CCPA Compliance for E-Commerce

Published: Nov 20, 2019

The California Consumer Privacy Act arrives in January 2020 – here’s a brief guide to compliance for e-commerce companies

For e-commerce companies, CCPA compliance should be high on your radar for 2020. Like the General Data Protection Regulation (better known as GDPR) in Europe, it stands to make a huge difference to how you communicate with your customers. This article sets out the basics around what the new Act means and how to prepare your business for it.

Disclaimer: this post doesn’t constitute legal advice – seek professional legal counsel to ensure that your activities are compliant!

What Is CCPA?

The Governor of California signed Assembly Bill 375 on 28 June 2018. The California Consumer Privacy Act, also known as CCPA, will take effect on 01 January 2020.

CCPA focuses on data protection rights for consumers, and it does not only apply to businesses physically located in California. It protects the rights of California consumers regardless of state borders, so wherever your business is based, if you have customers in California you need to consider the impact of the new rules.

Retailers and CCPA: key implications and requirements

What does CCPA compliance for e-commerce really mean? Here are the basics of what the Act outlines:

Determining If CCPA Applies To You

CCPA applies to businesses that meet certain criteria set out in the Act.

For the most part, this means that small businesses currently fall outside the Act's scope, so larger companies are the ones that need to prepare for the effective date. Do not assume you are exempt, though: check each threshold against your own revenue and data-volume figures, and bear in mind that the thresholds may change in the future.

CCPA vs GDPR

CCPA is similar in spirit to the General Data Protection Regulation (GDPR), which took effect in the European Union in May 2018. The good news is that companies that have already done the work to become GDPR compliant will have much of the groundwork in place for CCPA, although the two laws differ in scope and detail, so the gaps still need to be reviewed.

In some respects CCPA is more stringent, thanks to its broader definition of personal information. However, there is still time to identify and close the gaps before the January 2020 deadline.

Consequences for non-compliance

The California Attorney General and the California courts have several consequences available for non-compliant businesses.

Fines add up quickly. A violation that affects one consumer usually affects many others as well, because the same process handles all of them.

To estimate your potential exposure, multiply the number of your California consumers by $7,500 (the maximum civil penalty per intentional violation). For example, if you have 25 California customers, 25 multiplied by $7,500 means you could face up to $187,500 in fines once a violation discovered for a single consumer turns out to apply to all of them.

These penalties can seem scary – so what do you need to do in order to avoid them?

Key steps for preparing for CCPA compliance

Here are the key steps for retailers preparing for CCPA compliance.

Audit data collection and management processes

A thorough evaluation of how your company collects and manages personal information is essential.

Deep-diving into where you store your consumer data, who can access it and how you use it is essential to preventing intentional and unintentional violations from costing your business thousands in fines.

You should also examine the data you receive from third-party sites. Third-party vendors should be able to document, on request, how they handle California consumers' data and what commitments they make in your contract with them, so that data you receive from them does not expose your company in a lawsuit.

Plan for consumer requests

Under the CCPA, you have up to 45 days to respond to personal information requests from California consumers. You need a plan in place to handle these requests promptly, which may include assigning or hiring personnel to deal with them efficiently and within the requirements of the law. You will also need tooling to locate and extract a consumer's data across your systems, an agreed response format, and a thorough understanding of the law.
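As an added example (not code from the original post), here is one way to put the request-handling plan above on top of the data inventory produced by the audit step. It models each store where personal information lives, tracks the 45-day response clock per request, and fulfils access and deletion requests store by store. The stores, field names, categories and consumer records are constructed sample data; the identity-verification gate before fulfilment is an assumption the post does not spell out, added because answering an access request from an impostor would itself disclose the consumer's data.

```python
"""Added example (not from the original post): a minimal handler for
California consumer requests, driven by a data inventory.

The stores, field names, categories and consumer records are constructed
sample data standing in for a real order DB, email platform and helpdesk.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

RESPONSE_WINDOW = timedelta(days=45)   # the response window the post cites


@dataclass
class DataStore:
    """One inventory entry: where personal information lives and what kind."""
    name: str
    rows: List[dict]
    key: str                 # field identifying the consumer in this store
    categories: List[str]    # categories of PI you classified this store as holding

    def find(self, consumer_id: str) -> List[dict]:
        return [r for r in self.rows if r.get(self.key) == consumer_id]

    def delete(self, consumer_id: str) -> int:
        before = len(self.rows)
        self.rows[:] = [r for r in self.rows if r.get(self.key) != consumer_id]
        return before - len(self.rows)


def build_inventory() -> List[DataStore]:
    """Constructed sample inventory; a real one is the output of your data audit."""
    orders = [
        {"email": "ana@example.com", "order_id": "A1001", "ship_to": "San Jose, CA", "total": 42.50},
        {"email": "bob@example.com", "order_id": "A1002", "ship_to": "Reno, NV", "total": 12.00},
    ]
    marketing = [{"email": "ana@example.com", "segments": ["vip", "cart-abandon"]}]
    support = [{"email": "ana@example.com", "ticket": 77, "phone": "408-555-0100"}]
    return [
        DataStore("orders", orders, "email", ["identifiers", "commercial information"]),
        DataStore("marketing", marketing, "email", ["identifiers", "inferences"]),
        DataStore("support", support, "email", ["identifiers", "customer records"]),
    ]


@dataclass
class ConsumerRequest:
    kind: str               # "access" or "delete"
    consumer_id: str
    received: date
    verified: bool = False  # assumption: set only after the requester's identity is verified
    deadline: date = field(init=False)

    def __post_init__(self) -> None:
        self.deadline = self.received + RESPONSE_WINDOW

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline


def fulfil(req: ConsumerRequest, inventory: List[DataStore]) -> dict:
    """Act on a request across every store in the inventory; refuses unverified ones."""
    if not req.verified:
        raise PermissionError("verify the requester before acting on the request")
    if req.kind == "access":
        sources = {}
        for s in inventory:
            rows = s.find(req.consumer_id)
            if rows:   # report only stores that actually hold something on this consumer
                sources[s.name] = {"categories": s.categories, "records": rows}
        return {"consumer": req.consumer_id, "sources": sources}
    if req.kind == "delete":
        return {"consumer": req.consumer_id,
                "deleted": {s.name: s.delete(req.consumer_id) for s in inventory}}
    raise ValueError(f"unknown request kind: {req.kind}")


def run_demo() -> dict:
    """Walk one access and one deletion request on a fresh inventory; returns plain values."""
    inventory = build_inventory()
    req = ConsumerRequest("access", "ana@example.com", date(2020, 1, 2))
    try:
        fulfil(req, inventory)
        refused = False
    except PermissionError:
        refused = True
    req.verified = True
    export = fulfil(req, inventory)
    wipe = ConsumerRequest("delete", "ana@example.com", date(2020, 1, 2), verified=True)
    deleted = fulfil(wipe, inventory)["deleted"]
    return {
        "deadline": req.deadline.isoformat(),
        "overdue_on_deadline": req.is_overdue(date(2020, 2, 16)),
        "overdue_day_after": req.is_overdue(date(2020, 2, 17)),
        "unverified_refused": refused,
        "sources": sorted(export["sources"]),
        "deleted": deleted,
        "left_after_delete": sum(len(s.find("ana@example.com")) for s in inventory),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The inventory is the piece that does the real work: if a store holding personal information is missing from it, an access response is incomplete and a deletion leaves data behind, which is exactly the kind of per-consumer violation the penalty arithmetic above multiplies out.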

Prepare for future regulations

Many experts believe the GDPR and CCPA are just the beginning of the data rights battle. California is simply the first US state to enact a comprehensive consumer privacy law of this kind. Further regulation is highly likely as more states take up the data rights of consumers.

Bracing for impact

It’s hard to know exactly what to expect when CCPA hits – but there are some predictions that we can make based on GDPR.

First of all, you're likely to see your email database take a hit, just as marketers lost a sizeable share of their addressable databases when GDPR came into force in 2018.


However, there is a silver lining here. Recovery from these losses was actually quite quick: one year after GDPR came in, databases had recovered to 93% of their pre-GDPR levels.

How did it happen so fast? Here's another lesson we can take for CCPA compliance: the strategies businesses used to rebuild their databases after GDPR are a great steer for those looking to 2020.

January 1, 2020 will mark a new watershed for privacy regulation in the US. Any preparation you do now will pay dividends in the short term and prepare you well for the changes in data privacy still to come.