Beyond preparing for this year’s holiday rush, retailers around the country have started thinking about potential changes to their operations in response to California’s sweeping new consumer privacy law. The California Consumer Privacy Act of 2018 (CCPA), set to take effect in 2020, is one of the most significant pieces of privacy legislation ever passed in the United States. The CCPA creates a suite of new obligations for businesses that collect personal information about consumers, households or devices in California.

Where Did the CCPA Come From?

A real estate investor took an interest in consumer data privacy, reportedly after asking a friend about technology companies’ data practices at a dinner party. He then spearheaded an effort to draft and seek signatures to put a consumer privacy initiative on California’s November 2018 ballot. The California legislature acted in response to the initiative and worked swiftly to pass a privacy law that would result in the withdrawal of the initiative from the ballot. The CCPA moved through the legislature to Governor Jerry Brown’s desk within one week. The original law was signed in June 2018, and Governor Brown approved the first set of amendments on September 23, 2018. As amended, portions of the CCPA will go into effect January 2020 and portions will go into effect on the date that is the earlier of six months after the California Attorney General issues certain regulations under the law or July 1, 2020.  

What Will Happen Next?

Efforts are underway to seek further amendments and clarifications to the CCPA during California’s 2019 legislative session. We also expect regulatory guidance and interpretation from the California Attorney General prior to the law taking effect, as the California Attorney General may issue regulations and provide clarifications in response to inquiries by those affected by the CCPA. At the same time, legislators are considering a federal data privacy law which could preempt or affect application of the CCPA. Against this backdrop, retailers should familiarize themselves with the CCPA’s key provisions and consider some of the potential operational impacts and possible compliance options.

What Should Retailers Do Now?

• Determine if the CCPA applies to you. The CCPA applies to a for-profit company that does business in California, collects consumers’ personal information, and meets one of three threshold criteria: (1) earns annual gross revenue above $25 million; (2) annually buys, sells or, for commercial purposes, receives or shares personal information of at least 50,000 California consumers, households or devices; or (3) derives at least 50% of its annual revenue from selling California consumers’ personal information. The CCPA applies to brick-and-mortar and e-commerce retailers alike.
  
  The definition of “personal information” under the CCPA goes beyond the contact and delivery information retailers collect to accept and ship orders. Personal information is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes more obvious identifiers, such as names, addresses and email addresses, as well as categories of information not typically considered to be personal information in the United States, such as web browsing information, information regarding a consumer’s interaction with advertisements and inferences drawn from other information to create a consumer profile. In addition, the CCPA broadly defines the term “consumer” to include any person who is a California resident. On its face, the definition of consumer is broad enough to include California employees, although it is possible the legislature will narrow the scope by way of an amendment. The broad concepts of personal information and consumers may draw many retailers within the law’s scope.

• Understand the law’s broad mandates. Although we expect further amendments and regulatory guidance to refine portions of the CCPA, the law’s key principles are worth noting. Among other requirements, the CCPA imposes transparency obligations and requires companies to provide robust disclosures about their information practices both (1) before collecting personal information and (2) in response to a verifiable request for information from a California consumer. In addition, businesses will be required to enable and honor certain consumer choices.
  
  Under the CCPA, consumers have a right to know about a company’s data collection practices, such as the types of information collected, the sources and purposes of such collection, and whether and to whom their personal information is sold or disclosed. Upon receipt of a verifiable request, companies must provide consumers access to the specific pieces of information collected, sometimes in a portable format. Consumers also may request a company delete the information it holds about them (though broad exceptions limit this right). Under the CCPA, consumers also enjoy a right to equal service and price, meaning that companies cannot discriminate against those who have exercised their privacy rights, absent certain exceptions. Other rights hinge on whether a company “sells” personal information, another term defined broadly to include receipt or sharing of data for money or other valuable consideration. If a company “sells” personal information within the meaning of the law, consumers may opt-out of such sale. (In contrast, consumers under the age of 16 have an opt-in right and must affirmatively consent to the sale of their personal information.) Retailers that sell personal information also must include a clear link on their websites’ homepage labeled “Do Not Sell My Personal Information” that enables consumers to exercise their rights. It’s not too early to start thinking about how your business may provide these rights to consumers.

• Assess your current privacy practices. Understanding your company’s current information practices is foundational. Consider developing or updating a data map or data inventory that identifies the personal information your business collects and how such information is used, stored, shared, secured, retained and destroyed. An accurate and comprehensive data map will give you a meaningful head start when it’s time to tackle CCPA compliance, including privacy policy updates, user interface adjustments and possible amendments to vendor contracts.
• Stay tuned. Finally, we recommend continuing to follow the discussion and track developments at the state and federal level. You may also want to consider joining efforts to amend or interpret the law.

© 2018 Perkins Coie LLP