SACRAMENTO – The California Consumer Privacy Act (CCPA) took effect at the turn of the year, not just reshaping the landscape of internet privacy but reshaping the future of retail.
The CCPA is intended to enhance privacy rights and consumer protection for the state’s residents, however, its vague yet comprehensive language has left many with more questions than answers.
“Retailers may be roped-in, even if they are based out of state, if they are collecting email addresses or if their websites have cookies collecting information on California consumers,” Luke Wake, senior staff attorney for the NFIB Small Business Association, said in a statement.
“That’s going to be problematic for affected small businesses as they will likely have to retain legal counsel to advise them on how they should proceed," Wake said. "At the end of the day, it’s going to require affected businesses to create new privacy policies, provide new opt-out procedures and to take other necessary steps to avoid legal trouble. And the reality is that many businesses aren’t going to realize they are out of compliance until hit with harsh penalties.”
Wake explained that even unintentional violators could face penalties of $2,500 per violation, which can add up very quickly. Businesses also face the possibility of statutory damages of between $100 to $750 per consumer incident if consumer information is compromised in a data breach.
“One under-appreciated aspect of the CCPA is that it provides that consumers have a right to insist on personal information being deleted,” said Wake. “The trouble is that the CCPA defines consumers in such a vague way that it arguably covers employees as well as patrons. And of course, if employees have a right to insist upon their employer deleting negative reviews and other employee files, that has obvious and deeply concerning implications.”
The CCPA aims to give Californians the right to know what personal information is being collected about them, the right to access that data, the right to know who it’s being sold to, and the right to opt-out of those sales. But despite the naturally agreed upon need for online privacy in the modern world, some experts simply believe that the law is too stringent and is more of a problem to retailers than a solution to consumers.
“California’s new privacy law is just another unnecessary burden on employers doing business in the state,” Jordan Bruneau, communications director for the California Policy Center, said in a statement. “While everyone supports basic privacy protections, this law goes far beyond those to make it more difficult for retailers to target their ads to appropriate demographics. Curtailing the effectiveness of internet ads threatens the revenue streams of many internet platforms on which Californians rely. The exact level of privacy that internet users demand should be left to the market, not imposed by the heavy hand of government.”
As hundreds of businesses and organizations up and down the Golden State pushed until the final weeks of 2019 to amend and clarify, the California Retailers Association (CRA) pushed on behalf of all segments of the retail industry.
“The retail industry is a driving force for California’s economy,” wrote CRA president and CEO Rachel Michelin in a statement addressing the importance of all retailers throughout the state. “One in four jobs in California are in the retail industry. In California alone, over 3.2 million people are employed by retailers, eight times the number of employees in the entertainment industry. The retail industry accounts for $330 billion in California’s gross domestic product each year…California retailers have no higher priority than earning and maintaining the trust and confidence of their customers.”
The Department of Justice estimates that CCPA could affect upward of 400,000 businesses, mostly within the state, but some out of state as well. It also predicts that up to 50 percent of the negatively impacted businesses will be small businesses.
According to a Berkeley Economic Advising and Research report, “The total cost of initial compliance with the CCPA, which constitutes the vast majority of compliance efforts, is approximately $55 billion.”
That figure is equivalent to approximately 1.8 percent of California gross state product in 2018.