Changing Consumer Privacy Laws: What You Need to Know
After several years of high-profile data breaches and growing use (and abuse) of personal information by a variety of public and private organizations, 2018 was the year that consumers began to say, “No more.”
On May 25, 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) to immediately give residents in European countries unprecedented control over the use and ownership of their own personal data.
Instituted to thwart the misuse of data by large digital entities like Facebook and Google, the penalties put into place by the EU for organizations found in violation of any of these consumer rights were intentionally severe—up to 4 percent of annual revenue. In 2019, British Airways was forced to pay $230 million for one breach of 500,000 records; Google and Facebook are facing potential fines up to $5 billion.
The impact of GDPR in the U.S.
Here in the States, the impact of GDPR was relatively uneventful, since it only protected European consumers. To be on the safe side, U.S. companies with the potential to sell to customers in the EU instituted a flurry of new Privacy Policies and End User Licensing Agreements for consumers to acknowledge.
In the spring and summer of 2018, web users may have also noticed a barrage of new pop-ups that appeared in their browsing sessions, expressly allowing websites to place cookies on their computers and devices, to adhere to GDPR guidelines.
Although GDPR only protects European consumers, the American public and state legislators were asking for similar rights and protections in the U.S. So on June 28, 2018—barely a month after GDPR went into place—the California Consumer Privacy Act (CCPA) was signed into law, with protections due to be implemented starting January 1, 2020.
Consumer rights under the CCPA
The CCPA extends many of the same protections in the GDPR to residents of California, including:
1) The right to request a copy of every piece of data an organization might have about you. Companies have 45 days to comply. In the case of one 10-year Facebook user, this amounted to 277 megabytes (MB) of data!
2) The right to “be forgotten,” forcing an organization to erase any trace of their personal data.
3) The right to opt out of companies storing or sharing their personal information with other organizations
4) For organizations that purchase third-party information, consumers have the right to know what information was purchased, who they bought it from and who else it might have been shared with.
What businesses are affected by CCPA?
Although the CCPA is a state law, it has national implications due to the criteria of the companies that will be required to comply with it. This includes:
1) Any for-profit business that:
• Sells to any California resident
• Generates more than $25 million in annual revenue
2) Any organization that receives or shares the personal information of more than 50,000 California residents on an annual basis
3) Any organization that derives at least half of its annual revenue from the sale of the personal information of California’s residents.
Although the first criterion listed above means any business that sells over the web might need to comply with CCPA regulations, the revenue thresholds involved mean most independent retailers are unaffected—for the time being.
Even before the CCPA went into effect, the California legislature passed six amendments in September 2019 that modified the original act in subtle but important ways. These amendments relate to business-to-business (B2B) companies, the definition of personal information and whether job applicant information is included.
These changes have no impact on smaller independent retailers that might sell to California residents in person or over the web, but they do underscore three important messages:
1) The age of consumer privacy and protection has begun.
2) Laws and regulations will continue to evolve rapidly.
3) Independent retailers aren’t affected today—but there is no guarantee that will continue to be the case.
What independent retailers should do today to prepare
If you are a Retailer Web Services (RWS) customer already, there’s no need to do a thing; RWS has your back! RWS retains the services of legal professionals to continually review the latest privacy and consumer protection laws.
These attorneys work directly with our development teams to ensure your RWS-based digital marketing activities remain compliant with any and all state and federal laws—no action required on your part.
If you’re maintaining your own website with an in-house team or a third-party agency or development house, here are 10 questions you’ll want to ask them (or your marketing team or agency) to ensure you’re prepared for whatever twists and turns consumer privacy laws take in the near future:
1) Where do we keep our consumer data?
2) How do we store it?
3) Who has access to it, internally and externally?
4) If it’s in the cloud, who is the cloud partner?
5) Is it backed up?
6) Is it encrypted?
7) Have we purchased any third-party lists for our own marketing efforts?
8) Where did we buy them?
9) How do we use them today?
10) What are we doing to be ready for the new era of consumer data protection?
The CCPA may have just gone into effect on January 1, but it’s just the first round of what will be an ongoing battle between consumers and the businesses who want to extract value and profit from personal information.
While the main combatants are the state governments and the digital giants of the American economy for now, there’s no question the environment for all business owners can—and will—evolve rapidly in the months and years ahead. And RWS will be there to help our customers comply.