Large U.S retailers are rushing to comply with a new law, the California Consumer Privacy Act (CCPA), which becomes effective at the start of 2020 and is one of the most significant regulations overseeing the data collection practices of U.S. companies. It lets shoppers opt out of allowing retailers and other companies to sell personal data to third parties. In addition to retailers, the law affects a broad swath of firms including social media platforms such as Facebook and Alphabet’s Google, advertisers, app developers, mobile service providers and streaming TV services, and is likely to overhaul the way companies benefit from the use of personal information.
The law follows Europe’s controversial General Data Protection Regulation, which set a new standard for how companies collect, store and use personal data. The European law gave companies years to comply while CCPA has given them a few months. Draft regulations around the law were released in October. Retailers did not anticipate having to add signs in their stores, which are required by the regulations but were not part of the original statute. Requiring signs in stores is not an effective use of retailers’ dollars, said Nicholas Ahrens, a vice president at the Retail Industry Leaders Association, who leads its tech policy.
A Walmart source with knowledge of the matter told Reuters the company is “working through a lot of ambiguities in the law, for example, the language around loyalty programs and if retail companies can offer them going forward.”
There is also lack of clarity on what constitutes “sale” of information, retail lobbyists and attorneys advising retailers said.Walmart spokesman Dan Toporek said the retailer supports efforts that gives customers control of their information. Home Depot spokeswoman Sara Gorman said the California law introduces new requirements but does not change the company’s “deliberate approach to customer data and privacy.”
FILE PHOTO: Walmart's logo is seen outside one of the stores ahead of the Thanksgiving holiday in Chicago, Illinois, U.S. November 27, 2019. REUTERS/Kamil Krzaczynski/File PhotoTarget spokeswoman Jessica Carlson said a “Do Not Sell” button on its website, will be visible to all U.S. shoppers and California residents will have access to information outlined under the new law. Target already allows its shoppers to opt out of sharing their information with third parties for marketing purposes, she said. Amazon.com Inc is taking a different approach. “We do not plan to put a ‘Do not sell’ button on our website because Amazon is not in the business of selling customers’ personal data and it never has been,” a company spokeswoman said in a statement.
Sacramento lawmakers struck a deal to turn it into law, and unusually for a law that stands to affect billion-dollar companies, it remained largely unchanged by lobbying efforts through 2019.In the data economy, users’ personal information can be used in lightning-fast transactions, like the real-time auction that goes on behind each online ad, and stored in databases for decades.
Amazon will launch a revised privacy notice and will review the final regulations to “understand what signage may be required to inform customers how to find the privacy notice” at its stores, the spokeswoman added.
CCPA: What you need to know
DELETE MY DATASome national chains such as Sherwin-Williams, which sells paints and coatings, have already begun adding links on their websites in California, Reuters has found. The company did not respond to requests for comment. Both Walmart and Amazon have ramped up investments in drawing out “data maps” in the past few months, which lets them collate the extent of personal information collected by different business units, where and how this information is stored, what they do with it and who it is shared with, sources said.
A Walmart source said the company’s different business teams including technology, marketing, advertising, payments and security are investing resources in auditing and making decisions on how to respond to requests from customers to see their data or those who ask for it to be deleted.An economic impact assessment prepared for the California Attorney General’s office by an independent research firm found compliance with the regulations will cost businesses between $467 million and $16.5 billion between 2020 and 2030. Industry estimates peg initial compliance costs at over $50 billion.
The California Attorney General recently told Reuters in an interview that privacy law enforcement will look kindly on those that demonstrate an effort to comply.
But sources told Reuters they expect plaintiff attorneys to bring lawsuits in the new year against a range of businesses that may fail to meet the law’s requirements.Slideshow (2 Images)
Many companies affected by the law have lobbied extensively for a federal privacy bill that might override the law in California. But their efforts have so far made little progress.
(This story has been refiled to add missing quotation mark in paragraph 12)Reporting by Nandita Bose in Washington; Editing by Vanessa O'Connell, Steve Orlofsky and Nick ZieminskiOur Standards:The Thomson Reuters Trust Principles.