California Consumer Privacy Act


The Issue

A California state law that took effect in 2020 places sweeping restrictions on how retailers and other businesses collect and use information about their customers. The California Consumer Privacy Act provides a broad range of new rights to state residents, including the ability to opt out of having data shared and demand that their information be erased. Other problematic provisions involve data breach requirements and unclear definitions of personal information, data and who may access data. Most concerning is a provision that could lead to the elimination of popular and valuable customer loyalty programs and discounts. The law applies only to companies with locations in California or doing business online with California residents but could become a model for other states or Congress.

Why it matters to retailers

The law could significantly disrupt a number of common retail operations popular with consumers and stifle continued innovation in the shopping experience. While retailers strive to protect consumer data, data is also the backbone of many retail functions. Among other provisions, the law prohibits retailers from treating customers who opt out of data sharing any differently than those who do not. That could put an end to retail loyalty programs that offer discounts and other benefits in return for sharing information. The law could also interfere with preferred pricing for repeat customers, gas discounts, personalized online content, operation of mobile apps and shipping of products ordered online. Disclosure of what data is collected and how it is used or shared could also interfere with data security and physical security practices and retailers’ ability to cooperate with law enforcement. Retailers sued under the measure’s broad definition of a data breach could face penalties ranging from $100 to $750 per consumer per incident, adding up to millions of dollars.

NRF advocates for customer-centric data protection

NRF has followed the California measure closely, working with the California Retailers Association to hold and briefings for retailers from across the country. NRF called the legislation a “deeply flawed measure aimed more at lining the pockets of attorneys than protecting consumers.” NRF warned that the new law will severely hamper customer service and that California consumers “will want to know who’s to blame.”


Among other problems, the law exempts financial institutions and telecommunications companies – both of which have been sources of data breaches – even though NRF and other groups have argued that privacy laws should cover all entities that handle consumer data. After passage, NRF worked with California lawmakers and retailers to seek to make the law manageable before it took effect. Ultimately, NRF supports federal privacy legislation in Congress that would provide uniform national rules preempting state privacy laws and covering all entities that handle sensitive data.