Back in 2018 with the implementation of GDPR, global retailers with business in the EU faced great pressure to be compliant. This year, the California Consumer Privacy Act (CCPA), another tough and impactful data privacy regulation from the U.S., will come into play. Global retailers need to understand its implications and be better prepared this time.
Overview of CCPA
CCPA is a new state regulation intended to enhance privacy rights and consumer protection for residents of California. Similar to GDPR, it will have a global impact as it applies to any for-profit business that collects personal information of the residents of California, the fifth-largest economy in the world. Besides the above criteria, if your business meets any of the following thresholds, you will need to be compliant:
- Has gross annual revenues in excess of $25 million
- Buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices
- Derives 50% or more of annual revenues from selling consumers' personal information
Source: CCPA Fact Sheet, State of California Department of Justice
CCPA went into effect in January and is going to be enforced starting in July 2020. Penalties per incident per customer can go up to $7,500, which means that if you hold the information of 100,000 users in your database, the potential fine can add up to $750 million.
Global Trend of Data Privacy
1. Rising consumer expectation of data privacy
First of all, there are rising consumer expectations that retailers put in strong measures to protect their data privacy. According to Deloitte, 70% of consumers avoid purchasing from companies that they believe do not protect their personal information. And 66% of surveyed consumers from Akamai's Consumer Attitudes Toward Data Privacy Survey believe governments should pass more data privacy laws. However, there are equally strong -- if not stronger -- expectations from consumers that companies understand their needs and expectations, and provide personalized services across digital touchpoints. Companies that can envision and adopt a balanced approach to address the two priorities will have a strategic differentiator in the hyper-digitized retail landscape.
2. More countries will adopt stricter data privacy laws
According to recent data from the United Nations, 107 countries have put legislation in place to secure the protection of data and privacy. The most common regulatory requirements come in seven aspects across GDPR, CCPA, and other major regulations: consent, objection, access, erasure, portability, security, and breach notification. If you're interested in learning more about these aspects, please read our blog post about this topic.
However, despite big-picture similarities, individual regulations differ in their levels of protection and in the specifics of implementation. For example, CCPA mandates opt-out for consent, while GDPR mandates opt-in. CCPA mandates a "do not sell my data" link, while GDPR does not.
To be compliant, it is essential for global retail businesses to provide different user interfaces and experiences depending on where users are located. If a company is compliant with GDPR and assumes they are fine elsewhere, it could lead to major risks for the business.
High-profile user data breaches are on the rise, with more businesses going online. Ever since a major data breach in 2013 due to a malware phishing attack, we've been seeing increased headlines on cyberattacks involving breaches of user data, and significant fines. And the attack method varies -- malware phishing, application vulnerability exploit, and tampering with third-party code, to name a few. Also, it is not only major brands that are threatened. Akamai observed that the whole retail sector has been heavily targeted due to the fact that retailers usually hold a large amount of valuable user information. See more information on the Akamai State of the Internet / Security page.
To add to the challenge, with the quick digitization of traditional retailers and omnichannel approach of online retail companies, there are ever-increasing digital touchpoints with consumers -- websites, mobile apps, IoT-enabled kiosks, etc. Different technology stacks, connection technologies, widespread physical locations, and siloed data management all add to the complexity of defending critical user data assets. Due to the profound business impact of data privacy, it is generally recognized that this challenge needs to be addressed at board level.
How should global retailers be prepared?
Global retailers need to review their approaches to managing and protecting user data from three dimensions. First, they need to confirm that user data is handled and protected properly throughout the data lifecycle, including but not limited to the creation, storage, usage/access, and erasure of user data records. Second, customer digital touchpoints -- including websites, applications, and APIs where users can access their data -- must be protected against sophisticated application-layer attacks, which often aim to gain unauthorized access to user information. Third, retailers also need to ensure that the infrastructure they use to host those applications and data is compliant and has adequate levels of protection. Above all, embracing a future-facing technical architecture is key to maximizing business agility and reducing cost in the process of adapting to an ever-changing data privacy landscape. As a recognized industry leader in customer identity management and cybersecurity solutions, we at Akamai are happy to partner with you on this journey. Stay tuned for more posts on this topic.
Disclaimer: The content of the article is intended to convey general information and serve educational purposes only. It does not provide any legal advice or opinions on any matter discussed. Please consult with an attorney for any legal advice on the discussed matters.