Compliance Challenges for Brick-and-Mortars Under the CCPA

As we approach the California Consumer Privacy Act's (CCPA) effective date of January 1, 2020, brick-and-mortar businesses that increasingly engage with consumers online will have to begin their compliance efforts. However, two challenges unique to brick-and-mortar businesses might hamper these efforts: (1) providing required disclosures to consumers before or at the point of data collection; and (2) knowing your data in a multi-channel environment. The CCPA requires businesses to give consumers notice of their rights and/or data collection practices on three separate occasions: (1) in the online privacy policy [section 1798.130(a)(5)]; (2) "at or before the point of collection" [section 1798.100(b)]; and (3) in response to a verifiable consumer request. The later business obligation is straight forward. But providing privacy notices at or before the point of collection might be challenging for brick-and-mortar businesses. To ensure that consumers see privacy notices at or before the point of collection, a brick-and-mortar business should take two actions. First, the business should post a link to the privacy policy in the online checkout page. Ideally, this link will appear before a consumer is required to input their credit card information. Second, if enrolling in a rewards program requires a consumer to give personal information such as their name, email or phone number, the cashier should provide a just-in-time notice to inform the consumer of his or her rights under the CCPA as well as comply with other applicable privacy regulations. This includes the Song-Beverly Credit Card Act which generally prohibits brick-and-mortars from requesting or collecting personal identification information as a condition to accepting credit card payments (Cal. Civ. Code § 1747.08). Brick-and-mortars may also consider posting a visible sign near the cashier registers or providing notice within the debit or credit card pin pad. Finally, knowing your data is important because the emergence of social media and mobile devices has led to an expansion of multi-channel retailing. The brick-and-mortars of today are long past the times of just interacting with consumers in the physical world. Today, these businesses are finding ways to connect with consumers both offline and online. This multi-channel environment makes it difficult to know exactly what data you have in your repository. To avoid these challenges, a business must implement a robust system that will enable it to track the points of data collection, where the data resides and how it is used and shared outside of the company. Overall, best practices for all businesses include giving consumers notice of their rights under the CCPA; keeping privacy policies, statements, procedures, and training current and accurate; sticking to principles of transparency and clarity; and keeping in mind both the online and offline marketing and data collection practices. Summer Associate Clarissa Olivares contributed to this blog post.