Take action before the end of the year to comply with the CCPA!
While businesses around the world must comply with the CCPA from 1 January 2020 with respect to personal information pertaining to Californians, it is advisable for them to update their vendor agreements before the end of 2018. Otherwise, because of the 12-month look-back provided for by the CCPA, transfers of personal information made during 2019 may have to be disclosed in 2020 as "selling personal information."
Information protected and impact on Consumer Goods and Retail (CG&R) businesses
Under the CCPA, "personal information" is defined broadly as "any information that ... relates to ... a particular [California resident] or household." It is of note that not only consumers are protected under the CCPA: employees, individual representatives of businesses and any other residents of California are also protected. Personal information is a key asset for CG&R businesses, and the vast quantity of such information collected in an omnichannel world means that CG&R businesses with a physical presence in California need to ensure compliance with the CCPA, regardless of whether they sell only to businesses.
Data has always been collected in stores, including via security cameras and credit card readers, as well as when communicating with vendors and corporate business partners and in the direct marketing context; the omnichannel environment has multiplied the channels through which data is collected. Online retailers, whether a proprietary brand-owned website, a multi-brand platform or a marketplace, constantly collect and process personal data, for example via online ordering systems, loyalty card programs or food aggregator platforms. As the industry moves towards increased personalization, new and more sensitive personal data (product preferences, skin conditions, hobbies, general interests, etc.) may be collected in order to better respond to consumer expectations.
Practical recommendations for risk mitigation
Even if 2020 seems far away, a year is not long, as anyone who has been working on complying with the EU General Data Protection Regulation (GDPR) well knows. Therefore, the time to take action is now! Retailers need to work with the suppliers, vendors and other third parties with which they naturally share information. Multinational franchising models must pay particular attention, as they raise additional questions about which entity owns and processes the data. Moreover, retailers currently using tactics such as proximity marketing based on identifiers from consumers' personal devices (e.g., smartphone IDs), which has not required consumer consent until now, should note that such identifiers are treated as personal information under the CCPA.
Companies should monitor initiatives for possible CCPA amendments and federal privacy legislation, but should also consider immediate steps to assess and satisfy compliance obligations, including the following:
- modify contracts with service providers, affiliated companies and others to avoid triggering the extremely broad and counter-intuitive definition of "selling personal information," which includes any transfer of personal information for any valuable consideration. Businesses that cannot eliminate "personal information selling" must:
  - disclose in privacy policies that they sold personal information in the preceding 12 months (i.e., looking back to 1 January 2019);
  - provide a notice to California residents that information may be sold and that California residents have the "right to opt-out" of the sale of their personal information;
  - provide a clear and conspicuous link on the business's Internet homepage, titled "Do Not Sell My Personal Information," to a web page that enables a California resident, or a person authorized by the California resident, to opt out of the sale of the California resident's personal information;
  - obtain opt-in consent before selling the personal information of California residents under 16 years of age (from the resident if aged 13 to 16, and from a parent or guardian if under 13);
  - honor opt-out requests;
  - refrain, for 12 months, from asking California residents who have opted out to opt back in to selling; and
  - refrain from using data submitted for purposes of an opt-out request for anything other than honoring that request;
- provide information access, portability and deletion on request;
- provide a privacy notice at or before the point of collection, for example, in stores;
- supplement or revise online privacy policies to disclose detailed information on data subject rights and on the information collected, disclosed and sold, using prescribed terminology and disclosure formats that are not compatible with other jurisdictions' "plain language" requirements;
- consider the impact on "free" services and avoid discriminating against California residents who exercise rights under the CCPA, including, but not limited to, by denying goods or services; charging different prices or rates, including through the use of discounts or other benefits; imposing penalties; or providing a different level or quality of goods or services; and
- make available two or more methods for submitting requests, including a toll-free telephone number.
Possible sanctions and remedies
The California Attorney General can impose penalties of up to USD 7,500 per intentional violation.
Additionally, companies that suffer data theft or other data security breaches as a result of failing to implement and maintain reasonable security procedures can be ordered in civil class action lawsuits to pay statutory damages of USD 100 to USD 750 per California resident per incident, or actual damages, whichever is greater, as well as any other relief a court deems proper.
For more information, please see Analysis: The California Consumer Privacy Act of 2018 and Impact of the California Consumer Privacy Act on Employers or contact your Baker McKenzie relationship partner.
Smaller companies may be able to claim an exemption, but most multinationals and businesses with a physical presence in California are covered, regardless of whether they sell only to businesses.