Ecommerce Guide to the California Consumer Privacy Act (CCPA)

Last year we were all talking about GDPR. This year’s data-apocalypse for store owners is CCPA, the California Consumer Privacy Act. While very similar in covered issues, they are not identical in scope or application. What you do need to know is that CCPA compliance is required by January 1, 2020. Does this impact your company? What should you do to protect your company from a lawsuit?

Does CCPA apply to my online store?

The good news is that CCPA requires both less work on your part than GDPR, and does not require all stores to be compliant. Let’s start by clarifying the basics.

Companies that are required to be compliant are those doing more than $25 million per year in revenue. This is your company. Not just your online sales channel, so if your business is that big, it’s time to review your practices with your data protection person and probably your lawyer.
You must be doing business in California. I hope that was obvious, but just in case it wasn’t…
If your revenues are under $25 mil, you still may need to be compliant if process the personal data of more than 50,000 persons or households, or devices; or
You earn more than half your revenue selling personal information.

How can I make my store CCPA compliant?

You must let site visitors know exactly what information you collect from them. They must know how you use it, and whether or not you share or sell it.
You must offer users the right to delete that data either automatically or upon request. This would included their information that is kept on your service provider servers such as your loyalty program or email providers.
Your visitors must have the right to opt-out of any sale of their information.
You cannot block someone from shopping your store if they have elected to exercise their right to privacy.
You must provide notice to your shoppers before you collect data. For example, this email gathering popup is describing both how they will use the email, and offers up a way for quick removal from the list.

If you receive a request from a consumer to see their data or delete it, you must respond. I recommend that you place a link for this notification within your Privacy Policy.
There should be a “Do Not Sell My Information” opt-in link on your website.
Before you share or delete information you must verify the identity of the person making the request. You can refuse a request if you can’t verify the data in question belongs to the person making the request.
If you sell data you must disclose any financial incentives you receive in exchange for the retention or sale of customer data.
You must keep a record of your requests and your response for 24 months.

Does the California Consumer Privacy Act cover cookies?

The law does appear to apply to web cookies, pixel tags, an IP address, beacons and similar technology that is used to tie on-site or in-app activity to a specific user. Unlike the GDPR, there is no requirement that you post a cookie use notice or permit users to block or opt out in advance of use. However, your cookie use should be explained in your privacy party in detail. You still must comply with requests for information and deletion. If your company must comply, you should undergo a “cookie audit” to fully identify what is collected, by whom, and how that data is used. Make sure that your contracts with third party cookie providers detail how the information is used and prevents the sale of that data.

Clear information on how the law applies to third party cookies used for behavioral tracking and ads has not been given yet. This can dramatically impact your personalization efforts for advertising, email and on-site personalization. At this time we need to wait for further guidance.

If you’d like to check your site for Cookie Compliance, there’s a free tool here.

I don’t meet those criteria. Do I need to do anything?

Need? Probably not. Are there things you should be doing? Absolutely. Both the GDPR and CCPA are all about protecting the private information of citizens. It’s about protecting YOUR information as well. Data hacks and mishandling are frequent occurrences and you absolutely should care about the customer data you collect and how it is used.

It would be wise to implement as many processes as required to keep data safe. This begins by ensuring your store is on an SSL and that your payment processing is managed in a secure fashion.
If you’re using a SAAS shopping cart like BigCommerce or Shopify, the payment gateway integrations are well-secured. If you’re hosting your own site on open source software you need to check with your developer and payment gateway. Oftentimes the payment is not processed within your site, it just looks like it. If the payment is being handled on the processor’s server it is also likely safe. The key here is to make sure.
You collect more data than just credit cards. You collect personal information when you take an order. That data is often shared with other services you use such as your email service provider, loyalty programs, and other services that tie action to customer behavior.
While CCPA does not appear to address “cookies,” your site sets cookies in order to track what is placed in the cart to make a purchase. If you’re using Google Analytics or other software to track actions, these programs are placing cookies as a way of identifying users. The GDPR, which applies in the UK and EU, had additional regulations that deal with cookie collection and use. The GDPR requires affirmative action on the part of site visitors before you can set a cookie. Note the paragraphs that pop up on most sites and say “hey we use cookies and use of this site means you’re cool with it” do not meet GDPR standards. Since we’re talking about the US market, I won’t dig into GDPR further, but note that if you market and regularly sell into affected regions, you probably need to check out your compliance as the fines are steep. I’ve got more information in my article on GDPR.

Revise your privacy policy

Requirement or not, take the enactment of the California Consumer Privacy Act to heart. California may be the first state to pass any data protection laws but they are likely not the last. It will benefit both your business and your customers if you take a good look at exactly the data you collect and revise your privacy policy to accommodate the growing concern people have regarding their privacy and personal information. All the news about these new policies, coupled with a new data breach every other week has consumers increasingly aware that their data is at risk. Anything you do to protect them inspires trust and that’s a competitive advantage that may even help your conversion rates.

Here are some specific recommendations for stores that don’t have to be compliant yet, but who want to reassure their shoppers are protected.

Detail the data you do collect and how it is used.
Tell people which services support your business. For example, who is your web host or SAAS provider, what is your email provider? List any software you use that may collect data and what that data is used for.
If you’re running any Google ads, Google has its own data privacy and cookie message you are required to include in your privacy policy.
I find it helpful to let them know you do not store any payment information on your servers (you don’t – your payment processor does).
Include how someone can reach out to you if they wish to have their data removed from your system.
Date your policy and be sure to include contact information.

There are tools to help you generate a privacy policy. I found one here which isn’t bad, but it didn’t include some of the information I recommended above. Still, it offers a good start and you can add to it. This is a privacy policy I wrote last year you can use as an example.

Be prepared to be asked to remove personal information

Required or not, it is good practice to remove customer information if they ask. You certainly won’t keep a customer by refusing to honor their request. The CCPA requires that businesses be able to provide a record of personal information collected within the last 12 months. Your customers may request to see this information even if they don’t request deletion. Any site visitor, at any time can request that you not sell their information and you cannot discriminate against shoppers who ask you to see, remove, or not sell their information.

If you have any legal concerns, refer the entire issue to an attorney. That may be money well spent, especially if you are near the point where you may need to be compliant with either CCPA or GDPR.