By Darwin Liu
Earlier this year, the beauty retailer Sephora was sued under provisions of the California Consumer Privacy Act (CCPA) and fined more than $1M for violating the act’s requirement to inform consumers when selling their data. Sephora is not the first company to be sued by the state of California under this act. In fact, there have been over 100 lawsuits filed against various companies since 2020.
Under current state law, the CCPA applies to companies doing business in California that meet any of the following criteria:
- Revenue exceeding $25MM annually, or 50+ Employees; or
- Buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices per year; or
- Derives at least 50 percent of its annual revenues from selling consumers’ personal information
Now, with the updates from the new California Privacy Rights and Enforcements Act (CPRA) of November 2020, CCPA has been expanded to include employee and B2B information starting Jan 1, 2023. Regulatory enforcement is expected to increase significantly beginning next year. Therefore, company decisions need to be made now to prepare for the new data privacy landscape in California coming in just over a month.
Is There An Option To Opt-out?
Consumer-facing privacy policies need to be updated with appropriate verbiage immediately to comport with the new CPRA requirements. In addition to this, retailers need to add an Opt-Out box selection for California residents. This is different from an Opt-In choice. If the consumer doesn’t Opt-Out, then the retailer can market to them. In other words, as long as the legal disclaimer is present, the consumer is automatically enrolled in the marketing program unless the consumer explicitly requests not to.
The Way Forward
California, through both the established CCPA act and the upcoming implementation of the CPRA additional provisions on Jan 1, 2023, is ramping up its enforcement of data privacy regulations. The soon-to-be California Privacy Protection Agency will be empowered to enforce and target regulatory violators. With the new provisions being implemented in just a few short weeks, it behooves retailers with a significant California footprint to prepare for the new framework immediately.
With the increased regulatory scrutiny being exhibited in California, and the newly created data privacy agency, coupled with the recent history of the state government’s aggressive pursuit of regulatory violators, all companies operating in California must ensure that all data and marketing efforts in California and to its residents must be exact in compliance with current and new laws.
Darwin Liu is the founder and CEO of X Agency, an integrated digital marketing agency of growth engineers with offices in Boston, Massachusetts, and Nashville, Tennessee.