Even if You’re Not in California, the CCPA WILL Affect You
The CCPA, or California Consumer Privacy Act of 2018, was formally approved on June 28 of this year. The law is set to go into effect on January 1, 2020, and it could have some profound effects on your business if you’re not prepared.
“But my business isn’t located in California!” you might say. Well, even if your office is on the other side of the country, this new rule is still going to impact your operations if you do business with consumers in the Golden State. With that in mind, let’s dig into the CCPA, see what this new law is all about, and how you can get ready.
What Is the California Consumer Privacy Act?
The CCPA is like California’s own version of the General Data Protection Regulation, or GDPR, implemented in the EU in May 2018.
The full text of the bill lays out that the right to privacy guaranteed to California residents in the state constitution includes all digital data. As a result, consumers have the right to know what data is collected about them and how it is stored. In addition, consumers also have the right to demand that businesses delete any personal information stored for any reason.
The law stipulates that consumers can:
- Ask what personal information is being collected about them.
- Demand access to any personal information collected about themselves.
- Find out whether their personal information is shared or sold, and if so, to whom.
- Choose to opt out of the sale of personal data.
CCPA: The Specifics
Another important stipulation is the opt-in for people under the age of 16. Under the federal Children's Online Privacy Protection Act, businesses can already be fined for not asking consent from a legal guardian before collecting data from users under 13. The CCPA raises the threshold, requiring users under 16 to opt in, but those between 13 and 16 can provide their own authorization, rather than a guardian’s. This necessitates an additional layer of age verification to identify users under 13, as well as those between 13 and 16.
The CCPA holds that customers are entitled to equal service and price regardless of whether they exercise their privacy rights. Businesses may offer financial incentives to encourage customers to share their data. However, businesses may not offer restricted service or pricing to customers who choose to keep their data to themselves.
Those changes are important; however, there are two other key points where the CCPA and the GDPR differ.
First, unlike under the GDPR, consumers do not have a so-called “right to be forgotten.” The new California law does not give consumers the right to opt out of data collection entirely. Buyers simply have more latitude in determining what data is stored and how it is used. That leads us to the second point: the GDPR covers a much broader scope of data.
The GDPR identifies personal data as anything that may identify you based on your physical, physiological, genetic, mental, economic, cultural, or social identity. In contrast, the CCPA covers any data that can identify, relate to, describe, or could be reasonably linked with a consumer or household. The “personal information” described includes obvious items like Social Security number, mailing or billing address, and email. Data covered under the CCPA may also include:
- IP address
- Browsing history
- Buying history
- Customer preferences
- Profile information
- Any inferences or data extrapolated from individual user data
Does the CCPA Apply to Me?
As the nation’s largest state, California tends to determine regulatory trends throughout the country. It’s likely that, in a matter of years, the provisions of the CCPA will be expanded into a national regulation. But even if it hasn’t hit your state yet, you may need to be compliant with the California Consumer Privacy Act now.
Like GDPR, the jurisdiction of the CCPA is not based on the business’s location. Rather, it is determined by the customer’s location. Thus, if you want to sell products to buyers in California—the largest state in the US and the fifth-largest single economy in the world—you’ll need to play by the rules of the CCPA.
Your sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity will need to comply with the CCPA standards if any of the following apply:
- You have annual gross revenue of at least $25 million.
- You buy, sell, or share the personal information of more than 50,000 consumers annually.
- At least 50% of your annual revenue comes from selling consumer information.
If any of those three conditions describe you, then your business will soon be under CCPA jurisdiction.
Potential Obstacles & Risk Exposures
The new rules are a good-faith attempt to protect consumers from abuse. But, just as with the GDPR, there could be unanticipated consequences. For example, the CCPA could:
Drain Merchant Resources
Rules like this are made with the supposition that merchants have more insight into consumer data than they really do. Merchants don’t generally maintain individualized files with detailed information on each person who buys something. However, when a customer requests that you share or destroy any data collected about them, lawmakers will expect you to comply as if that were the case.
The CCPA places a tremendous burden on businesses. Processing data requests and retrieving and deleting the relevant information will take a lot of individualized, human attention. That means dedicating staff—and other resources—to the issue.
Make it Harder to Manage Criminal Activity
Effective criminal fraud management relies on analyzing data to predict trends and new risk factors. If you want to stop as many criminal attacks as possible, you’ll need the most complete, detailed data set you can get.
Under the CCPA, though, customers may opt out of giving you their data. This means you’ll be working with an incomplete data set, which could provide misleading information about fraud trends, vulnerabilities, and other key performance indicators.
Lead to a Rise in Fraudulent Chargebacks
It may be harder to identify friendly fraud, too. Both historical data and information about individual transactions are critical to preventing friendly fraud losses. Ultimately, this will loop back to affect your chargeback mitigation strategy and make it more difficult to assemble representment cases.
You can’t create a reliable representment case without information. For example, a buyer might complete a purchase, then request you delete their information under CCPA specifications. That person could then demand a chargeback; if you don’t have the necessary evidence to submit a case, you could be out of luck.
Get Ready for Change
The CCPA is the next big change coming down the pipeline. However, it wasn’t the first, and it certainly won’t be the last.
EMV cards, the PSD2, Visa Claims Resolution…each time a ruleset changes, it can have a profound impact on your business. For example, think about the fiasco that was EMV adoption back in 2015. It took years for merchants to acclimate to chip-enabled cards after the US liability shift.
Survey data suggests that nearly eight out of ten businesses report that the GDPR applies to them. The exact same portion say that GDPR compliance will make it easier to adopt the CCPA. Despite that, just 46% of retailers will be ready for the CCPA’s January 1, 2020 deadline.
Are you doing everything you can to get ready for the CCPA? Have questions about the new rules’ effect on your chargeback strategy? Click below and learn how Chargebacks911® can help make the most of your dispute strategy today.