What Ecommerce Brands Should Know About the California Consumer Privacy Act
Consumer data privacy has been a hot topic in recent years—and for good reason.
We live online.
Whether we’re shopping on our favorite websites, sharing pictures and personal updates with family and friends across social networks, renewing our driver’s licenses online, or making our monthly mortgage payments, nearly everything we do in our lives involves some component of sharing our personal data.
The information we choose to share with ecommerce brands and social sites, for example, can help to create richer and more compelling experiences for us online. These personalized experiences ultimately help companies build more trust with consumers, and, as part of earning our trust, we expect those companies that collect our data to use it only for good.
But sometimes, brands and social sites have either misused or failed to protect our highly sensitive information.
Take the Cambridge Analytica scandal that rocked Facebook in 2018, for example. Or the Marriott data breach of 2018 or the Equifax data breach of 2017. These are just a few high-profile examples that illustrate why consumers are so concerned about the ways in which companies are keeping their personal information private and protected.
Beyond consumer expectations, local and federal governments have stepped in with data privacy and protection laws that businesses must comply with, and the price for failing to do so can be steep—hefty fines and penalties that could put many brands out of business, and, in some cases, unrecoverable damage to a brand’s reputation.
In recent years, ecommerce brands have spent considerable time and effort to comply with the General Data Protection Regulation (GDPR), which took effect in May 2018. Heading into 2020, there’s a new law you need to know about: the California Consumer Privacy Act (CCPA).
I recently spoke with Brian Kerr, vice president of security and trust at Klaviyo. Brian’s been keenly attuned to this new law so I asked him to share his insights on what you need to know about the CCPA and how Klaviyo is helping brands honor the consumer privacy rights covered under it. Read on to learn more.
Katie Tierney [KT]: What is the California Consumer Privacy Act?
Brian Kerr [BK]: The California Consumer Privacy Act (CCPA) is a new consumer privacy law. The state of California is attempting to protect and empower consumers who live in the state by helping them to understand, make decisions, have access to their personal data that businesses save, and see a full list of all the third parties who’ve received their data.
In today’s world, many companies collect someone’s personal information and sell it or misuse it in other ways. Consumers, on the other hand, often have no idea what personal data these companies have about them or how they’re using it.
California is trying to make that process a lot more transparent so under the CCPA, if you’re a California resident, you now have the ability to ask a company, “What information do you maintain about me?” and take control over the use of your data.
The CCPA essentially gives control back to California residents who can exercise their right to either restrict companies from collecting or using their personal data without their permission.
By law, companies that handle the personal information of California residents must inform residents of the company’s privacy practices and allow them to access that information, request that you delete their personal information, or tell you not to share their personal information with third parties.
Under the CCPA, the resale of personal information is also restricted. Individuals must receive notice that their personal information will be resold and have the opportunity to opt-out before it’s sold.
[KT]: Who does this law apply to?
[BK]: The CCPA is a business-to-consumer (B2C) privacy law that applies to organizations that collect personal information about consumers in California, do business in California (for example, using an ecommerce website or application to engage with individuals who live in California), or businesses that meet one of the following thresholds:
- Generate $25 million in annual gross revenues
- Obtain, sell, or share personal information of 50,000 or more California residents, households, or devices annually
- Derive 50 percent or more of your annual revenues from “selling” California residents’ personal information (i.e., sharing or giving access to personal information to third parties for those parties’ own purposes)
I’d strongly advise companies to review the doctrine in detail or speak with a privacy lawyer if you’re uncertain whether or not CCPA applies to your business.
Effective in 2021, the law is expected to expand and apply to business-to-business (B2B) organizations, as well, so B2B organizations have a grace period of one year to prepare how they’re collecting someone’s information—similar to the General Data Protection Regulation (GDPR).
[KT]: What kind of consumer data does the CCPA apply to?
[BK]: The CCPA applies to personally identifiable information.
The law defines personal information very broadly to include information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Personal information can include things like your name, your email address, your IP address, your mailing address, your transaction data, mobile device identifiers, social security number, passport details, and biometric information, for example.
[KT]: What are the most important things ecommerce brands need to know about the CCPA and what are some steps they can take to help ensure they’re compliant with the new law?
[BK]: One of the most important practices for organizations when it comes to anything privacy-related—whether it’s GDPR or CCPA—is to have an inventory of all your systems. Within the GDPR and CCPA, it’s tough to be compliant when you don’t have a full understanding of all the various areas where you store data—that includes internal systems and third-party providers.
When businesses go through a data mapping exercise, many realize the personal data they collect about their customers may not solely be stored within their ecommerce store and Klaviyo, for example. Your data may also move to a CRM tool, a customer service tool, a data lake, and many more tools you use to run your business.
Fully understanding where all your data resides is critical for protecting your business. When one of your customers says, “I want all my data deleted,” you have to know if you need to delete it from five locations, for example, as opposed to just the two where you think it may live.
Understanding where your data lives, how it moves, and the security and privacy safeguards you have in place with any third-party processors you work with is a general best practice to put in place to protect your business.
If the CCPA applies to your business, the first step I’d recommend taking would be to create an inventory of all of the systems in use by your business, including those from third parties, as I mentioned. Document the results so you have a full record of your systems, the nature of the data they collect and store, how the data is collected, where the data is stored, and whether there’s a possible interconnection that moves the data, etc..
For example, you collect consumer information through your ecommerce store and it’s automatically sent to Klaviyo via API. Those are two systems you need to document. Then, continue to identify all of your other systems that either collect or transfer consumer information until you have an exhaustive list.
Once you’ve identified all of the areas where your customers’ personally identifiable information is stored, you can start tackling some of the specific requirements of the CCPA like presenting a privacy notice at or before the point where you collect data, or building out internal workflows to accommodate consumer data access requests – e.g. what kind of data you collect about them (i.e., right of access) or those who ask you to delete their data (i.e., the right to be forgotten).”
Another thing to keep in mind, from both a CCPA and GDPR perspective, is that you need to know how to validate that particular user.
The CCPA requires that a data subject’s identity be validated and has defined response timelines—a consumer must be given a response within 45 days of receiving the request.
Here’s where things get more complex. A business is required to respond to the consumer within 10 days of receiving the request and provide the requestor with information about how the business will process the request.
Say I run a business and Jane Doe, my customer, asks me to delete their information. How do I ensure that Jane Doe is indeed Jane Doe when they ask me to delete their information? There’s a component of how you identify somebody to understand who they truly are.
Klaviyo provides tools that help you respond to a data subject’s request. For example, if an end-user wants to understand all the data you’ve collected, you can pull that information from Klaviyo to meet your customers’ request. Or if a one your customers would like you to delete their information, you can accommodate that request through our platform. That said, this is why having a systems inventory and internal workflows are important.
Say you receive a request to delete Jane Doe’s information. You’ve validated their identity and you’ve deleted all of their user data from your ecommerce platform, but your inventory or workflow didn’t include Klaviyo and Jane’s information remains within that platform. By not having a full inventory of your systems, you’ve missed a location where your customer’s data is stored and, as a result, failed to complete Jane’s request to delete their personal information.
Once you have valid identification, you can then run through the process you’ve built out internally to delete all of the customer’s relevant information, or gather and collect it to provide it to the customer who’s asked for it.
Someone may not want their information to be deleted, but they may ask you something like, “What information are you collecting on me?” Many people may simply want to understand what data you have and what you know about them, and under the CCPA they have that right.
[KT]: How does Klaviyo, specifically, help ecommerce brands comply with this new law?
[BK]: At a very high level, ecommerce brands need to understand that you’re the collector and controller of the data you obtain about your customers.
Klaviyo, on the other hand, is a data processor or service provider. We have no direct relationship with the people who’s data you collect. That relationship lies solely with you.
As a service provider, we process the data that you allow the system to ingest and play a supporting role when it comes to the requirements to meet CCPA.
If one of your customers exercises one of their rights under the CCPA, let’s say the right to be forgotten (i.e., “I want all my information erased), you can go into Klaviyo to delete and erase that customer’s information. Specifically:
- The platform allows you to report on the personal information it maintains about end-users in response to access requests you receive from your customers.
- The platform allows you to delete the personal information it maintains about end-users in response to deletion requests you receive from your customers.
Additionally, ecommerce brands need to clearly understand all the various locations where your customers’ personally identifiable data is stored. It may be in your Shopify store, your Magento store, your BigCommerce store, and so on. If a customer asks you to delete their information, you have to delete it from every place that data may move within your tech stack.
[KT]: What are some of the risks brands face if they fail to comply with this new act?
[BK]: Brands could face fines for failing to comply with the CCPA, which will be enforced by California’s Attorney General. There are civil penalties up to $7,500 per intentional violation and $2,500 for unintentional violations.
The largest potential financial impact brands could face, though, stems from consumers’ ability to sue companies for their failure to comply with the CCPA.
For example, if there’s unauthorized access to unencrypted or non-redacted personal information (i.e., a data breach), that poses a huge problem for a company that collects a consumer’s personal information. With their right to sue comes their right to compensation: consumers can collect between $100 and $750 for each record. Do the math on that and you can clearly see how these fines can add up to hefty penalties most brands either won’t want to or can’t afford to pay.
[KT]: The CCPA took effect on January 1, 2020. What happens if a brand isn’t yet prepared for it? Is it too late for them to become compliant?
[BK]: No, it’s not too late, but it is time to act.
Starting on January 1, 2020, businesses that this law applies to have a six month grace period to make sure they’re compliant.
If you haven’t prepared for this new law yet, start with that data mapping exercise I mentioned to make sure you know exactly where all of your customers’ personally identifiable information lives and how it moves through all the tools you use to run your business. You can assume consumers are going to reach out to you based on this new law, so you want to be prepared. Create a process that you’ll be able to follow and keep it consistent.
This can be challenging depending on the size of your business. Larger brands likely have internal counsel who are on top of the CCPA and all it’s requirements whereas smaller brands likely don’t have that expertise in-house.
If that’s the case for your business, I’d recommend touching base with your legal counsel to make sure you’re in compliance with the mandatory requirements of the CCPA.
We’ve created some content based on FAQs we’ve received from customers and details on how to handle requests you get from your customers as they relate to the CCPA to help you learn more. If you have specific questions about how to handle such requests, you can reach out to your customer success manager or a member of our support team. But to ensure you’re business is fully compliant with CCPA, your best course of action to protect your business is to make sure you consult your own legal counsel since every business will have a unique use case.
The information shared in this article is for informational purposes only and does not constitute legal advice. To ensure your business is compliant with all consumer privacy laws that impact your business and your customers, consult your legal counsel. Learn more about the CCPA.Back to Blog Home