Member Exclusive   //   October 4, 2019

‘Flatfooted’: Retailers are scrambling to prepare for CCPA

A big change is coming for retailers that sell in California — and there’s a mad dash to make sure they’re ahead of it.

California’s Consumer Privacy Act is set to take effect on January 1, 2020. These regulations piggyback off of other sweeping privacy legislations — like Europe’s GDPR — and essentially aim to give consumers greater control over the data they share with businesses.

While the law is intended for any company that collects digital data, retail is one industry that will certainly be impacted. Any retailer with an online business collects and brokers user data, and will likely have to retool their entire data management program — not only in terms of how they store user information, but also in implementing new protocol to ensure that customers consent to providing their data and can easily opt out. As a result, there’s been a mad dash for businesses to figure out the best ways to become compliant.

Recent data shows that many businesses are still lagging, and likely won’t have adequate programs in place by the end of this year. A survey from consent solutions provider PossibleNow said that 45% of US businesses are working to become CCPA compliant but won’t be ready by January 1, and 11% said they had no plans to make any changes.

“Most people are still on their journey to compliance,” said eMarketer principal analyst Lauren Fisher. “We don’t talk to a lot of people who claim to be completely 100% there.”

According to Robert Tate, vp of sales at PossibleNow, the problem has been top of mind for most businesses since the CCPA legislation passed last year, but a crisis is still on the horizon. Much of this has to do with an experience gap. “There is a big maturity curve out there for different companies,” he said. The ones that have a clear leg up are doing business internationally and had to make changes to be GDPR compliant. “If they had to deal with GDPR before,” he said, “it’s more likely that they’ve had a year and a half of lead time.”

That’s not the case for everyone. “You might be surprised by how many big U.S.-based brands that operate primarily in the U.S. are unprepared,” he said. They’re being caught “flatfooted,” he went on; many, he said have admitted that they probably won’t have full solutions in place until July 1, 2020 — when California will begin enforcing the new law.

The big reason this is such an upheaval for retailers is because compliance isn’t brought about with a turnkey solution. “It’s a lot more than throwing up a privacy policy and saying you’re good to go,” said Fisher. It requires significant financial investment — and likely a new philosophy when it comes to data management.

While a number of software providers — for example, Preclusio — have surfaced since GDPR was created claiming to offer tech-enabled services to make compliance easier, that’s only one piece of the puzzle. “The reality is,” said Tate, “before you get to technology there are these levels of governance and operations that have to be addressed first.” Retailers will have to figure out how to make an organization-wide workflow that correctly handles and disposes of third-party data. They also have to ensure all partners they work with are in compliance as well. This requires legal expertise that ensure data collection is being done in a compliant way, as well as data architecture that can be deployed throughout an entire system.

For retail brands, deployment is especially pertinent. Many companies build online experiences intended to be as frictionless as possible. Now they will have to ask “how do we work consumer privacy rights management into those experiences?” said Tate.

Legacy retailers face another big issue: organizational siloing. As older businesses increasingly build digital programs, these new teams aren’t necessarily in conversation with others. “Companies that have silos are going to have challenges,” said Fisher.

The next year is going to be an uphill battle — for retailers, as well as any other data-heavy companies. Explained Fisher, many businesses working to get GDPR compliant felt a huge business strain, “because that is what they spent their year doing… just treading water.”

Still, the need to modernize customer data programs is mounting. Other states are following California’s lead — most recently, Nevada. With CCPA putting a fire under companies, they best get to it if they want to avoid steep regulatory fines.

Privacy is no longer a niche issue, explained Tate; more legislation is on the horizon. “This is prolific,” he said, “there will be more.”