The latest piece of legislation that has eCommerce merchants scrambling to stay above the law is the CCPA (California Consumer Privacy Act). If you’re in the eCommerce space, you’ve certainly heard of it. But many have lagged in doing their homework or taking action, so we’re offering a no-nonsense primer on the matter.
I’m going to give you enough information to not feel clueless when this comes up in conversation and, more importantly, know if this bill affects you and if you have some work to do.
This isn’t a comprehensive guide. If you want one of those, Magento and BigCommerce both wrote good ones.
If you prefer legalese, you can drink from the source here.
What is CCPA?
The CCPA is a privacy law that defines the rights of California consumers to know and control what personal information is being used by companies.
Magento summarized these rights as the following:
- Right to know the categories of personal information about them that have been collected, used, shared, or sold in the past 12 months.
- Right to delete certain types of personal information that is held by a business and/or their service provider(s).
- Right to opt out of the sale of their personal information.
- Right to non-discrimination in terms of price or service for having exercised a privacy right under CCPA.
Who does CCPA apply to?
At the time of writing, CCPA applies to businesses that meet one or more of the following criteria:
- Annual gross revenue of more than $25 million.
- Buy, sell, or receive the personal information of 50,000+ consumers, households, or devices.
- Derive 50% or more of their annual revenue from the sale of consumer personal information.
Businesses located anywhere are responsible for meeting these requirements for their California consumers.
If you prefer pictures, BigCommerce has a helpful guide.
(source: BigCommerce – Intro to CCPA)
Am I covered if I’m GDPR-compliant?
Merchants and vendors suffering from GDPR PTSD might be wondering what the difference is between CCPA and GDPR. They’re both consumer privacy laws, but they define things a bit differently and carry a number of conditions that make them harder to compare directly. Don’t assume you’re in the clear just because you’re in compliance with GDPR.
BigCommerce explains the difference in more depth here.
My business needs to be CCPA-compliant. What now?
This law is in effect already, as of Jan 1, 2020. If the state of California believes you’re in violation of the CCPA, you may receive a notice of noncompliance. You have 30 days to comply, and if things aren’t resolved, you could receive a fine of up to $7,500 per record. That can add up fast.
By now, leading eCommerce platforms have all published CCPA compliance documentation for merchants to follow. Additionally, you’ll want to work with any third-party service providers and tools that access your customer information to ensure they’ve provided the tools needed to remain compliant.
What does CCPA say about the future of eCommerce?
If GDPR wasn’t enough of a sign, CCPA clearly shows where things are headed for consumer rights when it comes to data. We’ll see this trend continue in more places than Europe and California.
Compliance with consumer protection laws will continue to be a focus for merchants, platforms, and technology providers. Expect regulations to expand to more places and begin to affect smaller merchants as well.