On January 1, California made good on a big resolution: take consumer privacy seriously. The California Consumer Privacy Act (CCPA) became the first law in the United States that aims to implement a comprehensive set of rules around consumer data, forcing companies to disclose how they’re using customers’ personal information and giving consumers a chance to opt out of data collection.
The regulation comes in the wake of major data breaches and rising cybersecurity fears, which have ratcheted up concern about our data and personal information – how much companies know about us and what they do with that information. In response, countries and states have gotten serious about empowering consumers to protect their data. The European Union implemented the General Data Protection Regulation (GDPR) in 2018, and additional states beyond California are readying their own consumer privacy laws. There’s even speculation of a U.S. federal law at some point in the future.
The CCPA will be familiar ground for international distributors and suppliers who already had to shift processes to comply with Europe’s regulations. By and large, though, industry distributors and suppliers have been unaware of the new regulations. Companies that must comply with the CCPA are in for a rude awakening: with several addenda since its original draft, the actual parameters of the law have been a moving target, sending many companies scrambling for attorneys, compliance teams and tech experts to stay up to date on how the new rules may affect business.
Violations can include civil penalties of $2,500 (for an unintentional violation) and $7,500 (for an intentional one). More importantly, the law gives California consumers the right to sue if a breach occurs and their data hadn’t been properly safeguarded.
The good news? Even though California’s regulations went into effect at the beginning of the year, the state isn’t enforcing penalties until July 1. (Despite pressure from lobbyists and trade groups to delay the deadline due to COVID-19 disruption, as of press time the State of California hasn’t altered the enforcement date.) Companies also have 30 days to fix an error before they’re held liable. The bad news? Businesses can still be held liable for their actions between January and July once enforcement begins, which means that for companies that need to comply, there’s no time to waste.
Do You Qualify?
The CCPA applies to any company that does business in California and falls into at least one of three categories: 1. generates $25 million or more in annual revenue; 2. gathers data on more than 50,000 California users; or 3. makes more than half its money off user data.
It’s not likely that distributors and suppliers are making half their profits by selling user data or have that many customers in California. But even if a promo company doesn’t itself qualify under CCPA guidelines, its vendor partners and clients might. A distributor may service an online store for a large tech company that collects data on more than 50,000 Californians; as the promo service provider, the distributor may need to update the client agreement, make changes to the language on the site or provide opt-out buttons on certain pages. (Data is broadly defined: name, web browsing history, IP address, geo-location or other information that makes it reasonably possible to link to an individual.)
Reece Hirsch, co-head of the privacy and cybersecurity practice for global law firm Morgan Lewis, says the direct-to-consumer and e-commerce models that are becoming increasingly popular in the promotional space make it more likely a distributor will need to comply. “You could have headquarters in Minneapolis,” says Hirsch, “but if you have 50,000 website visitors from California, you do in fact qualify under CCPA rules – and you’ll need to change your procedures in order to give site visitors a way to opt out of your tracking their browsing behavior or saving their information.”
For B2B models and company stores that service only the clients’ employees, however, there are exemptions to the data gathering rules in effect until January 2021. “As the lawmakers continue to amend the details of the CCPA, it’s crucial to work with someone who understands your supply chain dynamics and the intricate aspects of the law, and you shouldn’t leave the door open to be taken advantage of,” says Hirsch. “If you’re asked to sign an updated service provider agreement for a client who qualifies for CCPA, beware of legal departments that may quietly add other bells and whistles, like more detailed data security measures or indemnification for security breaches. You need to know exactly what you’re signing.”
Steps Toward Compliance
For companies to which the law applies, the actions sound relatively straightforward: implement security measures to protect data and establish protocols for consumer inquiries and opt-outs regarding their data. In practice, however, the steps to comply are quite messy, considering consumer data is often scattered and customer service reps aren’t trained to handle such requests.
Industry companies should look to assemble a team that can help them through the process: attorneys, IT specialists, service providers and client representatives. Craig Nadel, president of Los Angeles-based Top 40 distributor Jack Nadel International (asi/279600), got a jumpstart on the changes last fall, with the goal of having his operation as compliant as possible by January 1.
Having gone through Europe’s GDPR regulation changes, Nadel knew to follow a similar process for the CCPA. “We consulted an attorney who was familiar with the law, then approached the people we outsource things to – third-party service providers, vendor partners and manufacturers – and told them what we needed,” Nadel says. “We ended up having to switch a few online company stores to different providers and drop a partner that couldn’t change their policies to become compliant. We also worked with one vendor back and forth quite a bit over the language and the waiver, and ultimately got on the same page.”
Distributors that use third-party providers such as BrightSites or other e-commerce platforms must ensure privacy policies are in place for customers entering personal credit card information, addresses and more when purchasing promotional items. “It was certainly an onerous process, working with attorneys and IT to get it all straight,” Nadel says, “but these consumer rights policies are spreading, and it’s important to educate your team now, because we’ll be seeing them in more states in the future.”
Indeed, when asked about CCPA by Counselor, just four of over a dozen large distributors and suppliers had heard of it, and high-level reps from three Top 40 suppliers admitted they haven’t taken steps toward compliance. One press representative from a California-based Top 40 supplier (which would qualify by having over $25 million in annual gross revenue) relayed a message from the company’s IT team: “CCPA doesn’t apply to this company because we don’t sell or share our customers’ data.”
Ignorance of the regulations can’t continue forever. States like Washington and New Jersey are following suit, both proposing bills to impose tougher restrictions on how companies collect and use consumer data. “The CCPA already affects all national companies since California is such a large piece of the market,” says Hirsch. “And as other states create their own privacy laws, the regulatory landscape is going to become quite complicated, which leads us to believe there may eventually be a comprehensive federal privacy policy. Now is the time to be looking at these issues – closely – and deciding the future of how your business operates.”
With connections in Silicon Valley, Nadel is seeing more CCPA questions on RFPs and has prospects asking about the company’s ability to handle the intricacies of the policy should they choose to do business together. “Not only does it work to our advantage to comply, but frankly, I’m happy to support policies that seem reasonable for citizens,” says Nadel. “I don’t want my private information out there either, so it’s only right that we protect that for others and figure out how to do business respectfully within those parameters.”