When visiting a new website, it has become the norm to receive an annoying pop-up with information about cookies, which is a direct result of GDPR, the EU’s General Data Protection Regulation. Some would say that these pop-ups are the only thing attributable to GDPR, given the very few incidents of enforcement that have been reported. Nevertheless, the spirit of the regulation is directionally correct.
As is typically the case with these types of laws, they begin in Europe, California adopts its own version, and then it spreads across the rest of the US. Right on schedule, California passed the California Consumer Privacy Act (CCPA) in 2018, and it is due to take effect in 2020.
Both laws are aimed at protecting consumer data from unauthorized use. They try to enable consumers to control their own personal data by keeping them informed about its uses, allowing them to grant or deny permission to use or sell personal data, and allowing them to revoke such permission at any time. They also have provisions requiring businesses to inform consumers when their data has been lost due to a breach.
These are all admirable goals and certainly long overdue. Innovation in this area has been moving so quickly it is almost impossible for lawmakers to keep up. Of course, the introduction of these laws must be balanced with the possibility of stifling said innovation, which could easily occur if the regulations become too burdensome. The CCPA has addressed this concern by limiting the law to businesses with over $25M in gross revenue, therefore allowing start-ups to continue to experiment without fear.
One area where the CCPA goes further than GDPR is in how businesses must treat their customers – specifically, retailers must treat all consumers equally, regardless of whether they have invoked their rights under the CCPA. A basic premise of many loyalty programs is that if the consumer agrees to share their shopping data, they are rewarded. However, this can easily be interpreted as penalizing consumers that choose not to share their data, which is prohibited by the CCPA.
No more preferred pricing at the grocery store, discounts at the gas pump, or points awarded for being a valued member. These programs could be banned by CCPA.
As is the case with any new, complex legislation, many of the terms are open to interpretation. It is unlikely the writers were explicitly trying to ban loyalty programs, since they are widely adopted and used to the benefit of the consumer. At the same time, this law aims to prevent retribution against those that invoke their rights, which is also an important and necessary objective. Industry leaders, such as the National Retail Foundation (NRF), are encouraging clarification of this area and others before the CCPA goes into effect in 2020.
Loyalty aside, retailers that operate in California will need to disclose any collection of personal information upon request and receive permission to retain or sell it. Consumers then have the right to revoke their permission and have the data deleted. Given that these guidelines are similar to those of GDPR, many multi-national retailers already have a head-start. Additionally, retailers are more at risk from class action lawsuits when breaches occur, as there is no longer a need for consumers to prove harm. This makes it even more important to avoid breaches altogether and to encrypt anything sensitive, so that stolen data is of little use if a breach does occur.
Most retailers already have a security role in their organization, but it is probably time to separate out a privacy role as well. The privacy officer can work with the security officer to review procedures dealing with personally identifiable information (PII) and help ensure the business does not stray outside these emerging regulations.
The rising generation of shoppers is demanding a different type of relationship with retailers, one where consumers have much more control. Retailers will have to field requests from customers to opt out of marketing programs, disclose what data has been collected, and possibly purge a customer’s data altogether. Honoring these requests will soon be table stakes, and failure in this regard will tarnish brands, perhaps permanently.
Retailers would be wise to verify compliance with both GDPR and CCPA – even if they do not operate in either jurisdiction, since these laws will spread and become the new normal. As conversations around these laws continue to evolve, we can hope that the CCPA clarifies its stance on loyalty programs, as they are a key competitive differentiator – and so consumers can keep earning rewards!
-David Dorf, VP Infor Retail