A new California state law that took effect this year places sweeping restrictions on how retailers and other businesses collect and use information about their customers. The California Consumer Privacy Act provides a broad range of new rights to California residents, including the ability for customers to opt out of having data shared and demand that their information be erased. Other problematic provisions involve data breach requirements and unclear definitions of personal information, data and who may access data. Most concerning is a provision that could lead to the elimination of popular and valuable customer loyalty programs and discounts. The law applies only to companies with locations in California or doing business online with California residents, but could become a model for legislation in other states or Congress.
Why it matters to retailers
The law could significantly disrupt a number of common retail operations that are popular with consumers and could stifle continued innovation in the consumer shopping experience. While retailers strive to protect consumer data, data is also the backbone of many retail functions. Among other provisions, the law prohibits retailers from treating customers who opt out of data sharing any differently than those who do not. That restriction could put an end to retail loyalty programs that offer discounts and other benefits to members in return for sharing information. The law could also interfere with preferred pricing for repeat customers, gas discounts, personalized online content, operation of mobile apps and shipping of products ordered online. Disclosure of what data is collected and how it is used or shared could also interfere with data security and physical security practices and retailers’ ability to cooperate with law enforcement. Retailers sued under the measure’s broad definition of a data breach could face penalties ranging from $100 to $750 per consumer per incident, adding up to millions of dollars.
NRF advocates for customer-centric data protection
NRF has followed the California measure since early 2018, when the new privacy law was first proposed as a ballot initiative that would have been presented to Californians as part of November’s elections. NRF worked closely with the California Retailers Association and held conference calls and briefings for retailers from across the country. In June 2018, supporters of the proposal changed tactics and chose to move forward with legislation rather than the ballot initiative.
The legislation was rushed through the California Assembly and Senate and signed into law by Governor Jerry Brown in less than a week, during which time it was presented to businesses on a take-it-or-leave-it basis with little opportunity for input. The business community found the legislative process preferable, however, because under California law ballot initiatives are difficult to amend once approved by voters. While the ballot initiative would have become law the day after Election Day 2018, the legislative approach meant it did not take effect until January 1, 2020.
NRF was among 29 state and national business associations that sent a letter to state legislators saying the bill was “a serious threat to the California economy.” NRF also issued a statement of its own calling the legislation a “deeply flawed measure aimed more at lining the pockets of attorneys than protecting consumers.” NRF warned that the new law will severely hamper customer service if not amended before it takes effect and that California consumers “will want to know who’s to blame.”
In addition to its other problems, the law exempts financial institutions and telecommunications companies – both of which have been sources of data breaches – even though NRF and other groups have argued that privacy laws should cover all entities that handle consumer data.
NRF continued to follow the issue and worked with California lawmakers, retailers and others to seek to make the law manageable before it took effect. Ultimately, NRF supports federal privacy legislation in Congress that would provide uniform national rules preempting state privacy laws and covering all entities that handle sensitive data.