The California Consumer Privacy Act (CCPA), adopted last summer, brings to California residents GDPR-like privacy rights, such as rights of access, information and deletion, and institutes statutory damage class actions for most data security breaches.
CCPA has been amended once and is likely to undergo further amendments this summer. The California Attorney General has begun a rulemaking process that is expected to be finished by the end of 2019. The CCPA data breach class actions will take effect in January 2020, and its privacy provisions will take effect six months after the AG rules are issued, but no later than July 2020.
The retail industry is not alone in facing significant challenges from CCPA, but there are particular features of the CCPA that affect the retail industry in unique ways. CCPA has implications for the way retailers, which often obtain data across multiple channels, share their data across brands, conduct loyalty programs, invest in physical and virtual security and guard against class action lawsuits. Given the magnitude of the new CCPA requirements, retailers need to prepare and invest in compliance efforts now.
Expanded definition of personal information
Under the CCPA, retailers must consider carefully if they need to modify their personal information collection practices, knowing that nearly all information they collect from consumers both in the physical and online environments will be subject to CCPA.
CCPA "Personal Information" is defined very broadly and includes information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer…" Specific examples of personal information of import to retailers are IP addresses, "consuming histories or tendencies," audio, electronic or visual information, "olfactory" information, and "[i]nferences drawn from any of the information identified in this subdivision to create a profile about a consumer," including the consumer's preferences, predispositions and behavior.
"Personal Information" thus echoes GDPR's personal data definition, but CCPA goes even further, covering information that "relates to, describes, [or] is capable of being associated with, or could reasonably be linked… with a particular household." This could be the case where the same IP address or delivery address is linked to multiple online accounts, creating difficulty in responding to individual rights requests from one member of a household but not others.
Information sharing with affiliates and "sale" of personal information
Retailers that own multiple brands will now have to treat personal information collected by one brand affiliate and shared with a differently branded affiliate in exchange for anything of value in the same manner they would treat information collected and sold to an unrelated third party. The same is true for all franchise arrangements.
This is due to two CCPA definitions that are unique. First, CCPA applies to any "business" that meets threshold requirements (collecting California resident data, minimum revenues, etc.), and the definition of "business" includes parent companies and direct subsidiaries, but only to the extent that they share common branding (defined as a shared name, service mark or trademark). Second, the statute considers a sale to include "releasing, disclosing, disseminating, making available, transferring… a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
Thus, a brand that collects consumer personal information and transfers it in exchange for anything of value to an affiliate operating under a different brand is considered to have sold that information. And any "business" under CCPA must make available prominent "Do Not Sell My Personal Information" links to allow California residents to opt out of the "sale" of their personal information at any time, for a period of at least 12 months – during which the resident should not be asked to opt back into "sales."
CCPA also prohibits re-sale of personal information unless the consumer has received explicit notice, and is provided an opportunity to exercise his or her opt-out right, thus requiring significant controls over sourced data that is "sold."
Keeping track of data reaching the company through many channels
Unlike recent state privacy laws that regulate online data only, the CCPA regulates both data collected in stores and online. This has a disproportionate effect on brick-and-mortar retailers that receive data through physical stores, online and from data furnishers. Physical stores and online operations may be quite different from one another, with physical stores often maintaining personal data in paper records, which are much more difficult to manipulate in order to comply with the CCPA rights.
Loyalty program issues
CCPA prohibits, among other activities, denying goods or services, offering a different level of quality of goods or services, or suggesting that a consumer would receive a different level of quality of goods or services when a consumer exercises any rights under the CCPA.
The CCPA exceptions to this prohibition are very confusing and difficult to apply, because the statute considers only the subjective value provided to the consumer by the consumer's data. It does not consider the relationship between the discount or higher quality of service and the value that the consumer's data provides to the business. Because the value provided to the consumer by that consumer's own data is very difficult to measure, retailers are expressing significant concerns about the viability of loyalty or rewards programs.
Moreover, the exceptions are seemingly redundant, but with differing standards. For example, a business may charge a different price or offer a different level of quality or service when that difference is "reasonably related" to the value provided to the consumer by the consumer's own data. However, the subsequent section states that a business may also offer financial incentives or offer different prices, rates, levels or quality of goods and services as compensation for the collection of personal information, but only when that activity is "directly related" to the value provided.
This language is confusing and raises questions about whether it is intended to restrict loyalty programs. It has prompted an effort by retailers to amend this language in order to clearly exempt loyalty programs and service discounts offered in exchange for use of a consumer's personal data.
Many retailers source or share information from third parties regarding potential fraudsters, in both online and physical environments, to enhance the security of their stores and transactions. The CCPA has a partial but not a complete fraud exemption. Practically speaking, this means that a thief could opt out of the sale of his or her information for fraud screening and could also obtain the personal information a retailer possesses about him or her, including information that the retailer uses for fraud prevention purposes. Another potential issue arises in the context of online anti-fraud tools. It is common for providers of anti-fraud technology to pool data from multiple retail customers to create profiles of suspected fraudsters. If a retailer's sharing of personal information about its customers with the provider constitutes a "sale," then consumers can opt out of that sale, even when the consumer is a fraudster.
All this creates a security risk for retailers and a loophole that could allow criminals to gather, aggregate and compare information on retailers' security practices. However, it is possible that the 2019 CCPA amendments will include a fraud exemption that closes these loopholes.
Data breach class action risk
CCPA's greatest threat to retailers likely will arise from its security breach provision, because, as of January 1, 2020, there will be statutory damage class action enforcement risk in California for most data breaches that trigger a breach notice obligation under California law, without any requirement to prove harm. (See our alert, "CCPA: risk of class actions makes early preparation imperative.") Retailers have been a significant target of hackers seeking payment card data, and some of the largest data breaches on record have involved retailers.
There are several ways to mitigate this class action risk.
First, avoid having a notifiable data breach in the first place by encrypting or redacting breach-notice personal data according to an accepted industry standard and safeguarding the encryption keys appropriately. The breach provisions apply only to personal information that is neither redacted nor encrypted, so data that is properly encrypted and whose keys are not compromised falls outside them.
Second, the business has 30 days to cure the alleged wrongdoing before a consumer (or class of consumers) can proceed with a civil action. "Curing" a data breach is an issue that has not been interpreted in US case law, but recovering the personal data, where possible to do so, would most likely constitute a cure.
Third, enforceable agreements with consumer-friendly opt-out arbitration clauses will likely be upheld under the Federal Arbitration Act and achieve quick dismissal of this and other consumer class actions. However, presenting appropriate notice to obtain an enforceable class action waiver is often more complicated in the brick-and-mortar store context.