The latest piece of legislation that has eCommerce merchants scrambling to stay on the right side of the law is the CCPA (California Consumer Privacy Act). If you’re in the eCommerce space, you’ve certainly heard of it. But many have lagged in doing their homework or taking action, so we’re offering a no-nonsense primer on the matter.
I’m going to give you enough information to not feel clueless when this comes up in conversation and, more importantly, to know whether this bill affects you and whether you have some work to do.
If you prefer legalese, you can drink from the source here.
The CCPA is a privacy law that defines the rights of California consumers to know and control what personal information is being used by companies.
Magento summarized these rights as the following:
At the time of writing this, CCPA applies to businesses that meet one or more of the following criteria:
Businesses located anywhere are responsible to meet these requirements for their California consumers.
If you prefer pictures, BigCommerce has a helpful guide.
(source: BigCommerce – Intro to CCPA)
Merchants and vendors suffering from GDPR PTSD might be wondering what the difference is between CCPA and GDPR. They’re both consumer privacy laws, but they define things a bit differently and have a number of conditions that make them a bit harder to compare directly. Don’t assume that you’re in the clear just because you’re in compliance with GDPR.
BigCommerce explains the difference in more depth here.
This law is in effect already, as of Jan 1, 2020. If the state of California believes you’re in violation of the CCPA, you may receive a notice of noncompliance. You have 30 days to comply, and if things aren’t resolved, you could receive a fine of up to $7,500 per record. That can add up fast.
By this time, leading eCommerce platforms have all published CCPA compliance documentation for merchants to follow. Additionally, you’ll want to work with any third-party service providers and tools that access your customer information to ensure they’ve provided the tools needed to remain compliant.
If GDPR wasn’t enough of a sign, CCPA clearly shows where things are headed for consumer rights when it comes to data. We’ll see this trend continue in more places than Europe and California.
Compliance with consumer protection laws will continue to be a focus for merchants, platforms, and technology providers. Expect regulations to expand to more places and begin to affect smaller merchants as well.