Unpacked: How retailers can keep up with CPRA and other data privacy laws
Online retailers may face new privacy regulations next year, with more states following in the footsteps of California by implementing data privacy rules.
But first, companies have to contend with the mountains of data collected from shoppers and determine what changes need to be made to avoid any penalties.
The California Consumer Protection Act of 2018 became the nation’s first state-level data privacy law that requires online companies to give consumers in the state more rights over their data. Next year, it will receive an update with the California Privacy Rights Act kicking in on January 1. And companies that do business in Virginia, Colorado, Connecticut and Utah will also have to abide by data privacy laws going into effect in those states.
For retailers, such laws are of vital interest because they impact how brands may collect and store personal information like addresses, payment information and purchase history.
Not abiding could mean big penalties: In August, California Attorney General Rob Bonta fined Sephora $1.2 million for allegedly failing to inform consumers that it was selling their personal data. The brand was using a third-party company that tracked data about the customer — such as location, cart items and hardware. But Bonta said the company didn’t tell customers that it was collecting the data or allowing them to opt out.
Privacy experts anticipate that new state-level laws will continue rolling in. Chiara Portner, a privacy attorney with Hopkins Carley based in the Bay Area, said the laws trigger a renewed importance on making sure privacy policies are compliant.
Here’s a breakdown of what’s ahead for data privacy laws and how companies can prepare.
What is CCPA and CPRA?
CCPA requires companies that do business in California to allow residents in the state to opt out of the sale of their personal information. Consumers can also request what information a company has about them, how it is used and for the information to be deleted. Additionally, companies have to include notifications of the laws on its site.
Logistically, the law means that retailers may have to put new features on e-commerce websites to alert California consumers about the law, and also update privacy policies.
CPRA, which goes into effect January 1, amends CCPA. It places new thresholds for what companies fall under the law, including: business that do $25 million in annual gross revenue in the prior calendar year, as well as those that are buying, selling or sharing data of 100,000 California consumers or those that derive 50% or more of its revenue from selling or sharing personal data.
CPRA also created the California Privacy Protection Agency to help enforce the data privacy law, and made a few other changes to the existing law – including requiring companies to make sure their employee data is compliant with CPRA.
Where else are these laws cropping up?
Martin Tully, a privacy lawyer and partner with Redgrave LLP, said there’s a renewed interest in reviewing privacy policies because of CPRA and other state laws. The Virginia Consumer Data Protection Act, signed into law in March 2021, goes into effect on January 1.
Similar to CCPA, it will allow consumers to access their personal data from companies, or opt out of having their data sold. Unlike CCPA, it’s not based on revenue figures; the law will apply to companies that control or process personal data of at least 100,000 Virginia consumers, or control data of at least 25,000 Virginia consumers and make at least 50% of their gross revenue from the sale of data. Ultimately the attorney general will be charged with enforcement.
Other data privacy laws go into effect in Colorado and Connecticut in July 2023. Utah’s Consumer Privacy Act will go into effect on December 31, 2023.
“One of the things that we’re doing right now is trying to remind clients if they haven’t already acted that they don’t have much time left,” Tully said.
How can brands ensure compliance?
For many retailers, outsourcing data privacy help may be the surest way to ensure compliance. Ronak Shah, founder and CEO of protein company Obvi, said his brand used an app-based widget and hired legal counsel to review its site and make recommendations for what needed to be included in order to comply with CCPA.
He said data privacy may not be a top priority for most companies. “It’s one of those things that’s like, ‘I’ll get it done later.’ That’s always been the stigma around this.”
Obvi paid around $1,000 for the review. But compliance also came with a revenue hit: California conversions dropped by about 25% — down from 5% of customers to under 4% — after the pop-ups about CCPA were put into play on the site.
Still, he said it’s worth it to be compliant with the law rather than risk unforeseen costs in the long run.
“It’s like insurance,” he said. “You can get away without having it, but the one time you find you don’t have it and you get caught, it can be a very big price to pay.”
How do companies know if the laws apply to them?
Scott Giordano, vp of corporate privacy and general counsel at Spirion, a data security and privacy software firm, said implementing data privacy laws can be overwhelming for retailers because of the broad list of requirements.
But it’s important that a retailer — no matter where it is based — look at various state laws, Giordano said. That’s because the laws apply to companies based on where its customers are, not where it is headquartered.
“Hypothetically, if I’m in Ohio, but I have customers in California, and otherwise meet the criteria for doing business there, I have to respect that law.And that goes true for any state,” Giordano said.
What’s a data inventory and why does it matter?
Redgrave LLP’s Tully said ensuring compliance begins with looking at what data is being collected, why and where it’s held. He said this is particularly important for retailers that may have loyalty programs or rewards programs.
“What you don’t know can and will hurt you,” he said.
Giordano also said beginning with a data inventory — also known as data mapping — is a crucial start to the process. That means getting a comprehensive look at all of the data held by the company, including what data is being collected, by what sources, where it’s stored, and who has access.
“The first step is to have a very crisp understanding of what qualifies as personal data or personal information, and where it’s located in your enterprise,” he said.
He said companies frequently come across data they didn’t know they had saved, or that was stored in somewhere they didn’t expect.
“Whenever you do a data inventory, you’re going to find its like cleaning out your attic — with stuff you thought you had thrown away that you really didn’t, and stuff you didn’t know you had,” he said.
Why do third-party relationships matter?
Tully said companies also have to be aware of what third-party contractors and service providers who handle personal data may be doing on a company’s behalf. That can be a massive undertaking for national or global companies that may have hundreds or even thousands of contractors.
“It absolutely is a bigger challenge for bigger companies who have more service providers,” Tully said.
For an e-commerce client, Tully said, that might mean examining the data protocols of third-party marketplaces where its products are sold.
“If you don’t actively monitor them and audit them, you may not be in a position to take the defense, should there be an issue down the road where, say, a service provider is breached,” Tully said.
Portner from Hopkins Carley said it’s important for companies to understand the scope of the laws. For example, they may not just apply to data that the retailer is directly collecting but the data used in their ad tech as well. In the case of Sephora, it had third-party advertising and analytics software installed on its site that could collect and store data about its customers, in exchange for Sephora receiving those advertising and analytics services, according to the OAG complaint. Under the law, those transactions counted as a sale of data, triggering the need for disclosure of the data collection and an opt-out.
“The biggest hurdle is getting companies to understand they actually do need to provide some choices to the users especially in terms of cookies and analytics in the ad tech space in particular,” she said.
What are some ways brands can improve data privacy practices?
Tully said companies that want to improve data privacy practices should ensure that they’re using simple language to explain the rules to customers, and ensure that policies are factually correct. He also advised companies to review data privacy rules any time there’s a new site update or third-party tool because that could affect data capture or storage.
“It’s a question of doing that data mapping exercise, and then doing it periodically. And particularly anytime there’s some new tool or function that’s introduced into your website, or your e-commerce platform, or even your workflows within an organization,” Tully said.
Portner from Hopkins Carley warned against companies using a cookie-cutter privacy contract or copying one from another brand, as its data uses might be different.
She also said companies should ensure they’re not taking in more data than necessary for business purposes. Not only are there privacy laws to contend with, but it’s good cybersecurity practice to not hold too much data in case of a potential breach, she said.
“For all these laws there’s always the principle of minimization, of not having more data than you need to have,” she said. “That also limits the companies’ risk.”
Shah from Obvi said he’s heard from other retailers that might be putting off a data privacy review. But from his perspective, it’s worth it to take the time to understand a site’s specific needs.
“For me, the largest takeaway has been don’t rely on just some tool or app to get the job done because there’s no one size fits all model here,” he said. “We use landing pages, we use external pages, we use so many different things. Each store is built so uniquely and is so different.”