California privacy regulations

Editor’s note: Darwin Liu is the founder and CEO of X Agency.

Earlier this year, the beauty retailer Sephora was sued under provisions of the California Consumer Privacy Act (CCPA) and fined more than $1 million for violating the requirement to inform consumers when selling their data. Sephora is not the first company to be sued by the state of California under this act. In fact, there have been over 100 lawsuits filed against various companies since 2020.

Under current state law, the CCPA applies to companies doing business in California that meet any of the following criteria:

  • Revenue exceeding $25 million annually or 50+ employees.
  • Buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices per year.
  • Derives at least 50% of its annual revenues from selling consumers’ personal information.

Now, with the updates from the new California Privacy Rights and Enforcements Act (CPRA) of November 2020, CCPA has been expanded to include employee and B2B information starting January 1, 2023. Regulatory enforcement is expected to increase significantly. Company decisions need to be made now to prepare for the new data privacy landscape in California.

Incorporating an opt-out option

Consumer-facing privacy policies need to be updated with appropriate verbiage immediately to comport with the new CPRA requirements. In addition, retailers need to add an opt-out box selection for California residents. This is different from an opt-in choice. If the consumer doesn’t opt out, then the retailer can market to them. In other words, if the legal disclaimer is present, the consumer is automatically enrolled in the marketing program unless the consumer explicitly requests not to be.

There are other options to consider when addressing this new regulatory framework. Of course, in addition to the new legally approved verbiage in the privacy policy, a retailer should add the opt-out box to the website access process based on location (IP address) for California residents. For the retailers’ backend, the company will need to set up CCPA/CPRA compliance in all the utilized marketing platforms like Facebook, Google Ads, etc. A final option for addressing this updated data privacy law is not to sell to California residents at all. These are critical business decisions that need to be made, certainly not lightly.

Adjusting to the change

California, through both the established CCPA and the upcoming implementation of the CPRA’s additional provisions on January 1, 2023, is ramping up its enforcement of data privacy regulations. The soon-to-be California Privacy Protection Agency will be empowered to enforce and target regulatory violators. With the new provisions being implemented, it behooves retailers with a significant California footprint to prepare for the new framework immediately.

Critical business decisions, up to and including, in some cases, the possibility of pulling entirely out of the California market, need to be made now. Less impactful but equally essential actions related to the retailer’s published privacy policy must be implemented as soon as possible. Legal consumer-facing verbiage must be provided, as well as an opt-out feature for consumers experiencing and purchasing from the company’s website.

With the increased regulatory scrutiny being exhibited in California and the newly created data privacy agency, coupled with the recent history of the state government’s aggressive pursuit of regulatory violators, all companies operating in California must ensure that all data and marketing efforts in California and to its residents comply exactly with current and new laws.