The CCPA is the first privacy law of its kind in the United States, setting the tone for other US jurisdictions looking to propose similar bills. As the consumer privacy landscape changes from recommendations, to guidance, to enforcement, there are still many B2B eCommerce businesses that aren’t adequately prepared for CCPA compliance and similar changes.
What is CCPA compliance?
The CCPA (the California Consumer Privacy Act) applies to for-profit businesses that do business in California and collect personal information on California residents, provided they meet at least one of the following thresholds:
- Annual gross revenue above $25 million
- Buying, receiving, selling or sharing the personal information of 50,000 or more California consumers, households or devices per year
- Deriving 50% or more of annual revenue from selling consumers' personal information
What does this mean for B2B eCommerce? The CCPA took effect on January 1, 2020, but the California Attorney General could not begin enforcement before July 1, 2020. And, since this is a relatively new law, it is difficult to predict how enforcement will play out and how long it will take to reach full enforcement.
CCPA vs GDPR: similarities and differences
GDPR, the European Union's General Data Protection Regulation, which has applied since May 2018, is viewed as a game-changer in consumer privacy because it placed unprecedented limits on how businesses process personal data. The CCPA is so similar to its predecessor that it has been referred to as a "California GDPR".
While both laws are closely aligned in their purpose, there are some differences between them. And, since the devil lies in the details, it is important to make the following distinctions:
| | CCPA | GDPR |
|---|---|---|
| Scope | Businesses meeting the thresholds above that handle the personal information of California residents | Organizations established in the EU, plus any organization processing the personal data of people in the EU |
| Consumer rights | Right to know what is collected and sold, to access it, to delete it, and to opt out of its sale (opt-in required for minors under 16) | Right to be informed, to access, to rectify, to erase, to restrict or object to processing, and to data portability |
| Basis for processing | No general consent requirement; processing is allowed unless the consumer opts out of the sale of their data | A lawful basis is required before processing; opt-in consent is one of six |
| Penalties | $2,500 per violation, $7,500 per intentional violation | Up to €20 million or 4% of worldwide annual turnover, whichever is greater |
CCPA checklist: how B2B eCommerce can prepare
The main aim of CCPA compliance is to protect the customer's right to data privacy. This puts pressure on B2B eCommerce businesses that are not transparent about what they collect or that have not been offering customers a way to opt out of the sale of their personal information. Here is the main CCPA checklist of what you should be doing:
- Being able to accommodate a customer’s request to reveal what data is being stored within 45 days, as well as being able to verify their identity before doing so.
- Including a “do not sell my personal information” option for allowing customers to opt-out of sharing their data with third parties.
- Implementing an opt-in for collecting data on persons under the age of 16, and for requesting parental consent for those under the age of 13.
More specifically, organizations can take the following steps to comply:
Audit your data handling
Review how customer data is handled and managed by your company, including where it is stored and how it is used, so that you can prevent unintentional violations. For example, take a look at which data points you are collecting, in what format, whether they are encrypted at rest and in transit, who has access to them, and where they flow afterwards. Since the CCPA also covers the personal information you receive or purchase from others, ensure that the third-party vendors and service providers you work with are CCPA compliant and that your contracts with them say so.
Be able to manage requests
In order to better prepare themselves, B2B eCommerce businesses should establish a way to manage their customers' personal data requests. Start by assigning a member of your team the responsibility of handling these requests. Set a timeline and plan of action for how to respond (companies have 45 days to do so, extendable once by a further 45 days when reasonably necessary, provided the customer is notified within the first 45 days), and decide whether that individual will carry out requests to disclose, modify or delete data.
Depending on the size and complexity of your B2B eCommerce business, you may want to determine how you will manage consent, which Oro accommodates out of the box. Consider widening the scope of responsibilities for your Data Protection Officers or Security Policy Officers, or implementing data access restrictions for team members.
CCPA compliance penalties
While businesses below the thresholds above are out of scope and may breathe a sigh of relief, larger businesses will see charges compounded if a penalty is levied on them. Civil penalties are assessed per violation, at $2,500 per unintentional violation and $7,500 per intentional violation, and only after a business fails to cure an alleged violation within 30 days of being notified. From those figures you can get an idea of the potential exposure: for example, with 100 affected customers and a $2,500 fine per customer, you would be looking at a $250,000 fine. Separately, the CCPA gives consumers a private right of action when nonencrypted and nonredacted personal information is breached because a business failed to implement reasonable security, with statutory damages of $100 to $750 per consumer per incident (or actual damages, whichever is greater), which is the provision most directly tied to how well your data is protected.
How Oro products comply with CCPA compliance
Oro takes the data our customers and their end-users entrust us with seriously. That is why we comply with the latest PCI DSS requirements for eCommerce as well as SOC 2 requirements for data security. Oro products are also fully compliant with GDPR, which is explained in our GDPR guide. Much of the groundwork done for GDPR (recording consent, and being able to locate, disclose and delete a customer's data on request) covers CCPA obligations too, so using our Consent Management engine you can add the necessary consents and manage them from the OroCommerce backend. Nevertheless, most of the responsibility for CCPA compliance lies with organizations themselves, depending on how they use customer data.
With CCPA and GDPR in full swing, it is inevitable that we will see more data protection regulations in the future. These pressures on businesses may increase demand for Data Protection Officers and Data Protection Consultants who help B2B eCommerce businesses stay compliant and continue uninterrupted operations. In either case, the best way to do that is by ensuring you have all the technical requirements in place for compliance, and we at OroCommerce are committed to helping you do that.