This article was originally published in Total Retail on January 14, 2021.
California’s Proposition 24, which expands the state’s consumer privacy law, was passed by voters on Nov. 3, 2020. Starting January 2023, the new law, called the California Consumer Privacy Rights Act (“CCPRA”) will take effect and allow consumers more control over how businesses collect and use their personal information.
Today, advancements in technology allow retailers and other businesses to collect, store and process increasingly vast amounts of consumer information, which can be used to develop data-driven strategies that encourage consumers to engage with, purchase from, and remain loyal to a retailer. The use and collection of such information has limits, however, including those addressed by the CCPRA.
A brief overview of consumer rights and retailer obligations under the CCPRA
Under the CCPRA, as well as California’s current privacy law, the California Consumer Privacy Act of 2018 (“CCPA”), consumers have the right to know who is collecting their personal information and that of their children, what information is being collected, how and why the information is being collected and used, and to whom it is disclosed. Both laws also give consumers the right to prevent the sale of their personal information and the right to request a copy of their information. The CCPRA, however, expands consumer data protection rights by, among other things, giving consumers the right to correct and delete their personal information, as well as the right to control whether certain points of their personal information can be shared.
The obligations imposed by the CCPRA on certain entities that do business in California include informing consumers about the categories of information collected, the purposes for which it is collected, and whether the information is sold or shared; disclosing the length of time a business intends to retain such information; and implementing reasonable security measures to protect consumer information. Additionally, businesses that collect consumers’ personal information and sell it to, or share it with, a third party must enter into contracts with such third parties that, among other things, obligate the third party to comply with applicable CCPRA provisions.
Thus, the CCPRA appears to make it clear that consumers “own” their data and businesses are merely the stewards of such data. Broadly, this means that businesses must operate with trust and transparency, make proactive investments in data security, ensure organizational alignment around privacy policies, and engage competent privacy counsel.
Proactive steps that retailers can take prepare for compliance with the CCPRA
Complying with the CCPRA may likely take some effort; being proactive will make a difference. For retailers that operate online, being proactive can include taking practical steps like reviewing current online data privacy policies to identify the changes that will be necessary for compliance; ensuring that online privacy policies are prominently and conspicuously accessible on the retailer’s homepage; and exploring easily accessible tools, such as pop-up “opt-out” buttons that allow online consumers to restrict the use of their personal information.
Retailers that do not operate online or operate both online and offline can explore clear and conspicuous ways to give consumers advance notice regarding the categories of personal information they collect, the purposes for which the data is collected, and whether such information is shared or sold. Such retailers can also explore clear and conspicuous ways to advise consumers of their rights and how to exercise them. And all retailers can review their existing third-party contracts to identify changes that will be necessary to comply with CCPRA and/or prepare new third-party contracts where none currently exist.
This information does not, and is not intended to, constitute legal advice; instead, all information, and content, are for general informational purposes only.