The CCPA will bring frustration, penalization, and litigation for ill-prepared businesses.
On January 1, 2020, The California Consumer Privacy Act (CCPA) took effect, granting California consumers a slew of rights to privacy, including all digital data. It is likened to the EU’s General Data Protection Regulation or (GDPR) that was enforced back in May 2018.
The law outlines the following rights that California residents have:
- They can ask what type of information is being collected related to them.
- They can require access to all personal information collected about them.
- They can ask if their personal information is being sold or shared, if so, to whom.
- They can choose to not be included in the sale of their personal information.
The difference between the GDPR and the CCPA is that, contrary to GDPR, CCPA does not make provisions for consumers to have the “right to be forgotten”. California law does not have regulations in place to give consumers the right to be left out of data collection entirely. However, consumers do have a right to specify what data is to be stored and how this data is to be used.
Some of the personal information that falls under the CCPA protection includes: Social Security number, a mailing or billing address, email, IP address, browsing history, purchase history, customer preferences, and profile information.
How Will The CCPA Affect Payments Businesses?
Even if your business is not located in the state of California, this new regulation will still affect you if you conduct your business with customers living in the Golden State. The jurisdiction of the CCPA is not determined by the company’s location, rather by the customer’s location.
Your company will require compliance to the CCPA if you meet the following criteria:
- Your annual gross revenue is $25 million
- You engage in buying, selling, or sharing the personal information of more than 50,000 customers per year.
- At least half of your yearly revenue comes from selling consumer’s personal information.
Although this new legislation has been enacted to protect consumers from being abused, it could have negative repercussions for businesses:
- Will Deplete Merchant Resources – There is an assumption that merchants personally hold all of this identifiable, personal consumer information. However, the opposite is true. Merchants don’t keep the information on file of those customers who have made purchases. But if a consumer makes a demand to find and delete this collected data, the law will require compliance. This puts merchants in the burdensome position of having to retrieve and delete said information, requiring much time and resources.
- Complicates The Management of Criminal Activity – Effective fraud management requires the analyzation of data to predict patterns and determine new risk factors. This requires complete, detailed data to thwart criminal attacks. CCPA allows customers to opt out of giving you data, leaving you with incomplete data sets, further complicating the detection of any vulnerabilities or fraud trends.
- Could Lead To Increase In Chargebacks – Information about consumer transactions prevents friendly fraud. This will ultimately affect the way you mitigate chargebacks. If a customer purchases something, then asks you to delete their information, only to demand a chargeback, you will have no evidence to submit the case.
A Tricky Road Ahead
It has been reported that the CCPA was drafted in about a week, hardly enough time to have concrete regulations and minimize confusion. Amendments and other changes are still likely to come. In the meantime, to avoid excessive fines, companies must do whatever they can to remain in compliance.