California’s new Consumer Privacy Act, a law very similar to Europe’s GDPR, is coming next year, and if you sell anything in California, it may affect you. Before we go into the details, please note that we are not attorneys or accountants and nothing here should be construed as legal or financial advice. That said, we can glean a few things from the law that might affect your online business. The law is based on four essential principles:
- Informing visitors of the data you collect
- Giving visitors the ability to be “forgotten”, i.e. removed from your records
- Allowing visitors to opt out of having their personal data sold to third parties
- Ensuring that customers who opt out of data collection get the same price for goods and services as customers who opt in
Of the four, the first two will be the most common requirements for distributors in this industry. You may have already seen the overlays and popups informing you of data collection policies on sites you visit; this has become a common practice since many US businesses sell to E.U. customers. This can be added easily to any storeBlox CS company store or site.
The second requirement is twofold. First, you have to give a user a contact email or other method to tell you that they want any personal data you hold about them deleted and forgotten. Second, you have to actually do the deletion, which is harder than it sounds. Most companies keep customer information on multiple systems, e.g. not just the website but also internal order processing, accounting or CRM systems. You have to get rid of the personal data everywhere.
The right to be forgotten also stipulates that you quickly “quarantine” a customer’s personal information as soon as they request removal, presumably to protect the data while you work to delete it, which might take longer. This may be tricky for those companies that have customer data on disparate systems, so we suggest you do a full technology audit so you understand which systems need to be touched when a customer requests that they be forgotten.
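To make the “quarantine first, then delete everywhere” sequence concrete, here is an added illustration that is not part of the original post and not storeBlox CS code. It assumes a constructed inventory of four systems (the kind of list a technology audit produces) and an in-memory stand-in for each; the point is that the request is not considered complete until every inventoried system has confirmed deletion, so a forgotten copy shows up as a pending system rather than silently staying behind.

```python
"""
Added example: a minimal "right to be forgotten" workflow across several
systems. The system names, the in-memory records and the request itself
are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed inventory of places that hold personal data. In practice this
# list is the output of the technology audit recommended above.
SYSTEMS = ("web_store", "order_processing", "accounting", "crm")


def _now():
    return datetime.now(timezone.utc)


@dataclass
class ErasureRequest:
    """Tracks one customer's deletion request from receipt to completion."""
    customer_email: str
    received_at: datetime
    quarantined: bool = False
    deleted_from: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def pending_systems(self):
        # Systems that have not yet confirmed deletion, in inventory order.
        return [s for s in SYSTEMS if s not in self.deleted_from]

    def is_complete(self):
        # Complete only if the data was quarantined AND every system is done.
        return self.quarantined and not self.pending_systems()


class PersonalDataStore:
    """Toy stand-in for the company's systems: system -> {email: record}."""

    def __init__(self):
        self.data = {s: {} for s in SYSTEMS}

    def seed(self, email, record):
        # Constructed helper: put the same customer record in every system.
        for s in SYSTEMS:
            self.data[s][email] = dict(record, on_hold=False)

    def quarantine(self, req):
        # Step 1: immediately flag the record in every system so it is no
        # longer used for processing or marketing while deletion proceeds.
        for s in SYSTEMS:
            rec = self.data[s].get(req.customer_email)
            if rec is not None:
                rec["on_hold"] = True
        req.quarantined = True
        req.log.append(("quarantined", _now()))

    def delete_from(self, req, system):
        # Step 2: remove the record from one system and record the outcome.
        if system not in SYSTEMS:
            raise ValueError(f"unknown system {system!r}")
        removed = self.data[system].pop(req.customer_email, None) is not None
        req.deleted_from.add(system)
        req.log.append((f"deleted:{system}", _now(), removed))
        return removed

    def remaining_copies(self, email):
        # Verification step: which systems still hold anything for this person?
        return [s for s in SYSTEMS if email in self.data[s]]


def process_request(store, email):
    """Run the full workflow: quarantine, then delete from every system."""
    req = ErasureRequest(email, _now())
    store.quarantine(req)
    for system in SYSTEMS:
        store.delete_from(req, system)
    return req


if __name__ == "__main__":
    store = PersonalDataStore()
    store.seed("customer@example.com", {"name": "Constructed Customer"})
    req = process_request(store, "customer@example.com")
    print("complete:", req.is_complete())
    print("remaining copies:", store.remaining_copies("customer@example.com"))
```

The request log doubles as the audit trail you would keep to show that the request was honored; a real deployment would replace the in-memory dictionaries with calls into each actual system and keep the per-system confirmation step.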
Like GDPR, CCPA compliance can be interpreted in a variety of ways as there are very few specific technological rules or requirements. We don’t feel that most companies in this industry will need to worry about selling personal data to third parties or charging a different price for opt-in vs opt-out, so those shouldn’t be a problem for you.
While CCPA doesn’t have a lot of specifics about technological requirements, it’s worth noting that if your online store takes credit cards and you have passed a PCI compliance test, then you are likely most of the way to making “best efforts” to secure user information. The payment card industry has been ahead of the curve on securing personal data for many years, because breaches of cardholder data can mean thousands of fraudulent transactions.
Also like GDPR, we think CCPA compliance will be a malleable thing as the law goes into effect. That doesn’t mean you should slack on getting your data policies in order, but you should be prepared for some of this to change over time. We’ll keep you up to date as the law approaches at the beginning of 2020. And as always, if you have any questions or need to implement any of the above, just give us a shout and we’ll get you taken care of.