The California Consumer Privacy Act: What Does it Mean for Merchants?

On January 1, 2020, the California Consumer Privacy Act (CCPA) will come into effect. In this article, we’re going to give you a crash course on what the CCPA is, what it means for your business and what you have to do to comply with the new data privacy regulations. 

What is CCPA? 

California Assembly Bill (AB) 375, also referred to as the California Consumer Privacy Act of 2018, was signed into law by Governor Jerry Brown and is scheduled to be effective as of January 1, 2020. The official goal of the CCPA is to “further Californians’ right to privacy by giving consumers an effective way to control their personal information.” The CCPA outlines five new rights available to Californians. 

• The right of Californians to know what personal information is being collected by businesses.
• The right of Californians to know whether their personal information is being sold and, if so, to whom. 
• The right of Californians to opt-out of the sale of their personal information.
• The right of Californians to have access to or request that their personal information be deleted. 
• The right of Californians to equal service and rights even if they decide to apply their privacy rights. 

*For more information, visit Legislative Digest, Section 2(i)

How Does CCPA Compare to GDPR? 

You may be thinking that this sounds a lot like the European Union’s General Data Protection Regulation (GDPR), but while there are certainly similarities, there are differences that you need to be aware of. 

Similarly to GDPR, the CCPA encourages transparency and requires organizations to report data breaches to consumers. 

The biggest difference between the GDPR and CCPA is the opt-in/opt-out consent requirement. While the GDPR requires opt-in consent, the CCPA requires an opt-out. As a result, the foreseeable impact on company databases isn’t as big as it was with GDPR. 

* This data is subject to change and the CCPA’s framework may change. Please consult the IAB for updates. 

Does the CCPA apply to your business? 

You may be wondering how the CCPA will impact your business, especially if you aren’t physically located in the state of California. Here are a few things you should consider: 

The CCPA applies to companies that “do business” in California (and their “service providers”) who meet one or more of these minimum thresholds:

• Your annual gross revenue exceeds 25 million dollars ($25,000,000). 
• Your company “collects” or “sells” the personal information of 50,000 or more consumers, households or devices. 
  • Collect: “…Actively or passively buying, renting, gathering, obtaining, receiving, observing or any accessing of a customer’s personal information.”
  • Sell: “…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information for monetary or other valuable consideration.*”
• Your company gets 50% or more of its annual revenue from selling consumers’ personal information. 

*What does valuable consideration mean? If your business exchanges end-user personal information for a business benefit, then you are likely “selling” personal information. 

What does the CCPA require of your business? 

The CCPA essentially wants companies to be transparent with consumers about their data collection practices. While the specifics of the CCPA are subject to change in the future, there are a few key best practices to keep in mind in deciding how your business uses consumers’ personal information: 

• Have a clear understanding of what constitutes a customer’s “personal information” within the context of your business. 
• Update your privacy policies to include descriptions of your data collection practices as well as a summary of your customers’ rights under the CCPA. 
• You must respond to any customer request to have their data disclosed or deleted within the allotted time frame. 
• For businesses that sell or otherwise disclose personal information for a “business practice”: 
  • Your privacy policy must disclose that fact.
  • Your privacy policy needs to also contain an explicit “opt-out” page where a consumer can choose that their data not be sold.

What does the CCPA consider “personal information?” 

The CCPA’s definition of personal information is pretty vast. The CCPA states that “Personal information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. 

What do you have to do to ensure CCPA compliance? 

Let’s consider the things you should do to spot how your business collects and uses customer information. This will help you see where you should focus your efforts to be CCPA compliant come January 1, 2020. 

Map your data information flow

Start by mapping out how your business collects customer data, the applications and processes used to collect that data and how it moves from one application to another. Remember, the CCPA defines personal data not just as information that can be reasonably linked to an individual person, but also as info that can be linked to a specific household or device.

The goal of this exercise is to identify which parts of your business collect personal data on California citizens and what you’re using it for. This will help you update your privacy policy and see if you need to implement any  CCPA compliance measures.  

Ensure your customers’ personal data security

The CCPA addresses the issue of data security by giving the California Attorney General the power to fine a company in the event of a data breach, however these fines only apply if your business fails to protect customers’ personal data by means like data encryption or redaction.

Encrypt your data wherever possible and, more importantly, make sure you have the ability to find any sensitive data you collect no matter where it’s stored. 

Store your records of consent

Make sure that you’re maintaining a record of consent for every California child that has given you permission to sell their data. In the case of minors under the age of 13, have a record of consent from a parent or legal guardian on file. 

Moreover, you need to keep records of opt-out requests made by adults. Under the CCPA, you should not invite someone to opt back in for a period of 12 months after they’ve opted out. Consequently, your opt-out record needs to include the date that the request was made. 

This ensures that you have evidence that your business is CCPA compliant. 

Update your website 

Update your privacy policy and outline specifically what personal data you collect, why you collect it and how you process it. 

Your website should also include clear details on how consumers can make a right-to-access request, providing at minimum a toll-free number they can call. Your privacy policy should also include an explanation of how you verify the identity of the person submitting a request. 

Finally, don’t forget to have a Do Not Sell My Personal Information link on your site wherever it applies. 

*You need to ask customers for their age before you sell their personal information and get consent if they are aged 16 and under.

How to treat a customer’s request to have their data exported or deleted in Lightspeed

If a customer submits a request to either review their personal information in your system or have it deleted, you can do so in a few quick steps. 

To export and delete a customer’s data in Lightspeed Retail, we suggest referring to below articles from our Help Center. While they’re written in the context of GDPR, the same steps apply for CCPA. 

1. How to export a customer’s data
2. How to delete a customer’s data

If you’re an omnichannel retailer using both Lightspeed eCom and Lightspeed Retail (that is, operating both an online and a brick-and-mortar store), we suggest following the steps in this Help Center article to export and delete a customer’s personal information. 

At Lightspeed, we make complying with data privacy acts and being transparent with your customers, whether it’s for GDPR, the CCPA or other privacy acts as they emerge, a simple process. 

If you need more assistance facilitating any requests around the CCPA, we invite you to submit a ticket in our Help Center and have one of our qualified Support Specialists reach out. 

Responsible and transparent data usage is important for everyone

Lightspeed’s main focus is that all of our products are designed to comply with data privacy laws, whether that’s GDPR, the CCPA, or other jurisdictions that will surely adopt similar policies to protect consumers. 

We take the protection of our customers’ data and privacy seriously and consider these laws an essential development that will ultimately make commerce better and more transparent for everyone. 

Now that you know more about the CCPA and what it means for your business, you can take the necessary measures to protect your customers’ data and give them agency as to how it is used.