Many retailers and some retail industry associations have expressed concerns or even actively opposed the upcoming California Consumer Privacy Act or CCPA, which will take effect on Jan. 1, 2020. The bill aims to enhance privacy rights and consumer protection for residents of California and impacts all industries, yet some of its requirements are particularly challenging for retailers.
The state of California by itself is the world’s fifth-largest economy, and the new regulation has an extraterritorial effect that reaches globally. It applies whenever a business collects personal data from California residents, regardless of where in the world the company and its servers are located.
This is one of many similarities that CCPA shares with the EU’s General Data Protection Regulation (GDPR), which went into effect last year and in many ways served as a model for California lawmakers. Another similarity is the obligation to get consent from consumers before collecting and using their data, even though CCPA and GDPR differ in the ways this consent needs to be obtained.
So, what makes CCPA extra challenging for the retail industry? Retailers not only often collect customer data across multiple channels, but do this across brands, sometimes across loyalty programs, online and in stores. The amount and diversity of endpoints where data is collected, combined with a similarly diverse landscape of back-end IT systems storing and processing this data, have become a significant problem for many retailers.
Now CCPA will require them to obtain consent from customers, be able to disclose what data they have on them, or even remove certain data completely from all of their systems on demand. The situation is even more complex for retailers that own multiple brands and share customer data among affiliates and franchises, which are now considered third parties under CCPA. The new regulation imposes significant restrictions on a third party’s ability to retain, use, disclose or sell personal information.
Given these new requirements, the process to achieve CCPA compliance is intrusive to many functional areas within a retail organization. It is not a task that can be left to the legal department or IT. It requires a thorough review and documentation of business and marketing practices and any process and system that involves the collection, processing and sharing of customer data.
Understanding the flow of that data within an organization is an important step, yet it can turn into a daunting task. In large organizations it can seem almost impossible and endless, as there can be hundreds of software systems exchanging data across branches, business units, brands and regions.
Instead of trying to understand and potentially clean up the data flow across this entire conglomerate, a pragmatic and often more efficient approach is focusing on endpoints where the data is collected in the first place. This includes websites, mobile apps, in-store POS and other places where customers engage and share personal data. These endpoints will need to be modified in order to comply with CCPA. For example, checkboxes to reject consent to data processing need to be added to online signup forms.
Typically, the management of such forms and other parts of the user experience related to a customer’s personal account can be centralized with a reasonable effort using dedicated software solutions. The customer data can then also be centrally stored and accessed, controlled and restricted from any other system (or person) within the organization. This might not solve all the cleanup work needed further down in the systems landscape, but it allows control of the flow of personal data in a top-down approach.
For example, an email campaign system that previously had access to a customer’s complete data record can now only be granted permission to read the email address and name. In case that consumer decides to opt out of email communication, the access to his or her email address can be locked down centrally. This centralization of customer identity management, in combination with restrictive data access control, still requires a certain level of effort.
Ideally, the new central customer database will be made the single source of truth for all other systems, which will require a certain level of configuration and architecture redesign. However, this is typically dwarfed by the effort and cost of trying to clean up all data processing systems in one go and make all those systems and their respective owners and administrators do the right thing – especially when all this needs to be achieved by Jan. 1.
Sven Dummer is Senior Manager, Product Marketing, Akamai Technologies