Editor’s note: Darwin Liu is the founder and CEO of X Agency.
Earlier this year, the beauty retailer Sephora was sued under provisions of the California Consumer Privacy Act (CCPA) and fined more than $1 million for violating the requirement to inform consumers when selling their data. Sephora is not the first company to be sued by the state of California under this act. In fact, there have been over 100 lawsuits filed against various companies since 2020.
Under current state law, the CCPA applies to companies doing business in California that meet any of the following criteria:
Now, with the updates from the new California Privacy Rights and Enforcements Act (CPRA) of November 2020, CCPA has been expanded to include employee and B2B information starting January 1, 2023. Regulatory enforcement is expected to increase significantly. Company decisions need to be made now to prepare for the new data privacy landscape in California.
Consumer-facing privacy policies need to be updated with appropriate verbiage immediately to comport with the new CPRA requirements. In addition, retailers need to add an opt-out box selection for California residents. This is different from an opt-in choice. If the consumer doesn’t opt out, then the retailer can market to them. In other words, if the legal disclaimer is present, the consumer is automatically enrolled in the marketing program unless the consumer explicitly asks not to be.
There are other options to consider when addressing this new regulatory framework. Of course, in addition to the new legally approved verbiage in the privacy policy, a retailer should add the opt-out box to the website access process based on location (IP address) for California residents. For the retailers’ backend, the company will need to set up CCPA/CPRA compliance in all the utilized marketing platforms like Facebook, Google Ads, etc. A final option for addressing ...