For nearly the past two decades, retailers have invested in new information technology systems and data initiatives to use information to improve the customer experience. While customer data has proven valuable for both consumers and retailers, legislators in many states now believe businesses must do more to protect that information and ensure privacy rights.
A wave of new state laws could help improve consumer data privacy and security, but they also present new compliance challenges for retailers.
A new dawn for data regulations
The General Data Protection Regulation went into effect in 2018 in the European Union and instituted new requirements for how retailers selling in Europe must handle data. Following its cue, many U.S. states began eyeing new privacy regulations.
In 2018, California passed the California Consumer Privacy Act, which was amended in November 2020 by voters approving the California Privacy Rights Act. The CPRA goes into effect in 2023 and expands the original law in numerous ways, most notably by tripling the number of California privacy regulations, expanding the right for private citizens to sue businesses for violations, and creating the first agency in any state devoted entirely to privacy law enforcement.
Other states are following suit with similar data privacy laws. In March 2021, Virginia Gov. Ralph Northam signed into law the Consumer Data Protection Act, which takes effect in January 2023. More than a dozen other states have their own data privacy legislation in the works.
For NRF members who wish to address state privacy bills and build support for federal privacy legislation, contact Paul Martino, NRF’s vice president and senior policy counsel.
“We’re watching a number of states whose laws are all relatively similar,” says Kristen Mathews, partner in the global privacy and data security group at the law firm of Morrison Foerster. “They all address data privacy and how businesses inform consumers about how they collect, share, and use information.”
The laws also give consumers the right to make requests of some businesses that use their data. Other businesses, like banks, are exempt from the law.
For example, consumers have the right to learn more about consumer-facing businesses’ data handling practices and to request copies of the personal information that the business has maintained. They can also demand that information be deleted.
In addition, these laws typically enable consumers to opt out of the use of data for advertising and from the sale of their data to third parties.
Additional compliance requirements
While consumers welcome efforts to protect consumer privacy and secure data, these laws will create new compliance burdens for many retailers, Mathews says. For retailers that operate with disparate, siloed IT systems, it might not always be easy to find all of a consumer’s information, correct it or delete it.
“The principles embodied by [DelBene’s] legislation are critical to ensuring the enactment of a balanced federal privacy law that benefits consumers and businesses alike.”David French, NRF
“Some of this can be automated, but some of it, in the end, will require human intervention for many businesses,” she says. “Retailers will have to honor the requests from customers, and it won’t always be easy to find all of the information.”
Adding further complexity is the variance between state laws. For example, the laws in Nevada and Maine are more limited in scope than those in California. And Virginia’s law only applies to consumer-facing companies that process data of at least 100,000 residents, or 25,000 residents if the company generates more than half of its revenues by the sale of personal data.
Retailers have long sought uniform national standards for data privacy laws that apply to all businesses that handle their data. In April 2019, Rep. Suzan DelBene, D-Wash., introduced the Information Transparency and Personal Data Control Act, a bill that takes a more balanced approach, says David French, NRF’s senior vice president for government relations.
The bill gives consumers control over the use of their sensitive personal information while also offering businesses a uniform framework for collecting, processing and disclosing data. It would provide consumers with a way to opt out while also enabling retailers to offer the products and services consumers have come to expect.
“The principles embodied by this legislation are critical to ensuring the enactment of a balanced federal privacy law that benefits consumers and businesses alike,” French says. “By standardizing comprehensive privacy rules, the Act protects consumer data no matter where a consumer lives or which business handles the data.”
The impacts on retailers
In addition to complying with data privacy requirements, some of these acts also introduce new cybersecurity requirements. The CCPA specifically addresses cybersecurity in some areas, including by providing consumers with the right to sue businesses that violate California’s existing data security law, which creates an affirmative duty on the part of the business to use reasonable measures to protect consumers’ data.
The Virginia Consumer Data Protection Act goes even further and requires companies to protect all data that is in their possession. It mandates businesses use “reasonable” administrative, technical and physical data security practices to safeguard the confidentiality, integrity and accessibility of personal data.
However, Virginia differs from California by not providing private parties with the right to sue over these data security practices, leaving enforcement exclusively to the state’s attorney general.
The Virginia law also requires Main Street companies to perform data protection assessments of their own practices to determine whether they are taking reasonable measures to protect data privacy.
“This duty is triggered if the business engages in targeted online advertising, if they process sensitive personal information, use online automated profiling of people or anything that poses a heightened risk to consumers,” Mathews says.
While many industries seek uniform federal legislation, Mathews is unsure if that will happen soon, as states typically don’t want federal laws that pre-empt their own.
NRF has been actively engaged in the federal privacy debate and tracking state privacy laws for decades. With the rapid rise of state privacy legislation in 2021, members of NRF’s Privacy Committee receive biweekly reports on state consumer data privacy bills and gather weekly in virtual meetings to discuss these and federal legislative proposals.