The California Consumer Privacy Act (CCPA) is now in effect, and every serious ecommerce site doing business in the USA should take note.
So what do you need to know?
The CCPA comes on the heels of a year rocked by privacy scandals and data inhibitions (e.g. Facebook and now Google), and California is the first US state to enact a complex online privacy act that appears to be up-to-date with how businesses actually transact online these days. Other states are expected to follow suit.
In the words of the California Department of Justice itself:
The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information that is collected by businesses. It also requires the Attorney General to solicit broad public participation and adopt regulations to further the CCPA’s purposes.
We certainly aren't lawyers here at Littledata. But we do help Shopify sites audit their analytics and ensure that no personally identifiable information (PII) is collected by Shopify stores in their Google Analytics setups, including Google Tag Manager (GTM).
So while we don't have specific features aimed at CCPA compliance, we do have a number of features designed to help Shopify merchants follow best practices for data collection and reporting.
Here's a quick guide to what you need to know about CCPA.
My first dine-in restaurant CCPA notice. Not sure how I feel about it. pic.twitter.com/vU6ZiTCF8o— Jad Boutros (@secplusplus) January 4, 2020
What is CCPA compliance?
In short, the CCPA is an attempt at limiting what can be done with consumer data, and making sure that companies don't use it without consumer knowledge.
The media has often described the CCPA as California's version of GDPR, the European regulations that went into effect in 2018 (has it been that long already?), but in my view it's actually quite a bit different — both more comprehensive in terms of targeting what's actually done with consumer data after it's been harvested, and more specifically aimed at larger merchants, which in Shopify's case generally means successful DTC brands and others using Shopify Plus.
It's clear that the act was written in a state known for both technical innovation and political hardball, though how it will be enforced is an open question.
Initially it looks like civil penalties will be limited to $2,500 USD per 'violation' or $7,500 USD per each 'intentional violation'.
The act has continued to go through a number of revisions and clarifications, including a number of new modifications posted for review on February 10th 2020.
Some of the most interesting, in my view, are attempts at trying to define a 'household' that uses a website. The recent revisions suggest changing this:
“Household” means a person or group of people occupying a single
"Household” means a person or group of people who: (1) reside at the same address,
(2) share a common device or the same service provided by a business, and (3) are identified by the business as sharing the same group account or unique identifier.
It makes sense that they're trying to clarify the end users here. But I wonder: are we going to get to a place where devices are 'people' under the law, corporations are 'people' under the law, and people are...ones and zeros?
But I digress.
You can read the complete law text of the CCPA online, and the California DoJ has also posted a legal overview with all versions of the law. But I've also included links to useful summaries below — the written law itself is pretty confusing if you aren't a lawyer!
Who needs to comply?
In short, if you're a larger ecommerce site with customers in California, you need to pay special attention to the CCPA.
You are subject to the CCPA if you meet one of these conditions:
- Have an annual gross revenue of more than $25 million USD
- Annually buy, sell, receive for commercial purposes, or share for commercial purposes the personal information of 50,000 or more California consumers, households, or devices
- Derive 50% or more of your annual revenue from selling California consumers’ personal information (yikes!)
And if you're selling globally, as are an increasing number of our larger customers here at Littledata, remember that you need to pay attention to privacy laws everywhere you do business.
So if you have customers in the EU, remember to pay attention to GDPR for ecommerce sites too.
CCPA for Shopify Plus
Shopify has put together a number of resources to explain how Shopify complies with the CCPA, including a timeline and white paper. Here are some of the most useful links from Shopify itself:
And Segment too!
Again, it's unclear whom they'll be targeting. California is now the world's fifth largest economy, surpassing even the UK, but nobody's sure if the state will be using CCPA to clamp down on successful DTC brands, for example, or if it will be taking a strategic line against larger fish like Facebook and Google (i.e. what happened in 2018 when seven consumer groups filed GDPR complaints against Google in Europe).
Confused? You're not alone. The increasing number of cookie popups and disclosures seems to only be confusing consumers, and nobody — including the businesses putting them in place — is interpreting them in a consistent manner. Part of this is being called a 'plague of popups' and (a la GDPR) 'banner blindness'.
But even if you aren't doing $20M a year yet, it's worth a read through the law so you can refer to it with your internal team.
Just like how Littledata doesn't fix historic data for your Shopify store — only your data collection going forward — it's essential to be forward-thinking about potential privacy regulations that might be enacted in the future, taking steps today to ensure smooth sailing later on. Google Analytics consultants are a good place to start.
Plus, sometimes it just comes down to common sense. When you're the consumer, how do you want your data handled?