With every “please accept our cookies” overlay we have to click through, we are reminded of the changes the GDPR has made to the web. Now that 2020 is here, America’s first major attempt at comprehensive consumer privacy regulation is ready to roll out. As is often the case in matters of technology, California is in the vanguard. The state’s California Consumer Privacy Act (CCPA) was signed into law back in 2018, and on January 1, 2020 it went into effect. Many ecommerce merchants inside and outside of California are now wondering what impact it will have on them and what they need to do to avoid running afoul of the new law.
In theory, if you’re a Texas merchant and you block internet traffic from everyone but other Texans, you could get away with ignoring the CCPA—but as soon as you make your site accessible to web surfers from California, you’re subject to the CCPA’s rules.
While hyperlocal marketing may be trending, we don’t think there are many merchants out there willing to restrict their potential customer base that much. In practice, the CCPA is going to be a nationwide law.
The CCPA was brought to the California State Legislature to provide residents with new digital privacy protections under the law:
Good news for private citizens, to be sure, but a daunting list of accommodations for merchants and web administrators to implement.
Any for-profit organization doing business in California that collects personal data belonging to its users or customers must comply with the CCPA, provided they meet at least one of these additional conditions:
Smaller merchants, breathe a sigh of relief. You’re safe from the CCPA—for now. Just make sure you have a clear understanding of what the CCPA considers “personal data,” or you might be meeting that first condition without even realizing it.
There are a number of things that merchants who meet the above criteria must do in order to comply with the CCPA. One of the most significant requirements is that they must provide a “Do Not Sell My Personal Information” link on their website’s home page that will allow customers to opt out of allowing their data to be sold to other parties. Once a customer has opted out, the company must wait twelve months before they can ask them to opt back in.
To satisfy the customer’s right to know what data has been collected and to have it deleted, the business must offer two or more methods for submitting requests. At a minimum, one of these must be a toll-free telephone number, and a business that maintains a website must also let customers submit requests through it. (A business that operates exclusively online and has a direct relationship with the consumer need only provide an email address.) Because the business has to verify that the requester really is the consumer in question before disclosing or deleting anything, the request channel itself becomes a security control: a weak verification step turns the access right into a way for an impostor to pull someone else’s data.
Companies must also put a process in place to obtain opt-in consent before selling personal data belonging to minors. For children under 13 years of age, a parent or guardian must provide the consent; a consumer who is at least 13 and under 16 can provide affirmative consent themselves. Unlike adults, who must be given a way to opt out, minors’ data may not be sold at all until that opt-in is on record.
So far, it’s hard to say what, exactly, will happen to merchants who fail to comply with CCPA regulations. The most direct penalties are the fines spelled out in the law: $7,500 for each intentional violation and $2,500 for each unintentional violation.
Who enforces these penalties?
The California Attorney General. Does the California Attorney General have the time and resources to go after CCPA violators in Michigan or Nova Scotia? Probably not, but eventually some serial violator will find out just how much disregard for the CCPA it takes to stir the Attorney General into action. We would advise merchants to abide by the law regardless.
Individuals can also sue, but only in a narrower set of circumstances than the Attorney General can act on. The CCPA’s private right of action covers data breaches in which a business’s failure to implement and maintain reasonable security procedures and practices results in the exposure of nonencrypted and nonredacted personal information. Statutory damages run from $100 to $750 per consumer per incident, or actual damages if those are greater, and in a breach affecting thousands of customers those figures add up quickly. The “cure provision” requires the consumer to give the business 30 days’ written notice first; if the business cures the violation within that window and says so in writing, the consumer is barred from pursuing individual statutory damages for it. The other obligations described above (the opt-out link, the request channels, consent for minors) can only be enforced by the Attorney General, whose implementing regulations were still being finalized as the law took effect.
While the enforcement mechanisms of the CCPA remain somewhat vague, people who worry about the exposure and commodification of their private data have reason to cheer the CCPA, which to date is the most wide-ranging consumer data protection law to apply to American businesses. While the Silicon Valley tech giants were opposed to the law and some thought they might succeed in defanging it through the legislative amendment process, the CCPA seems to have reached its launch date relatively intact.
One last question we can’t forget: what impact, if any, will this have on chargebacks? While the law does not focus on payment data, the protections it requires businesses to put in place will help safeguard personal data, which has the potential to reduce identity theft. This should help cut down on true fraud and account takeover cyberattacks and the chargebacks that result from them. That’s one aspect of the law we can definitely appreciate.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com