CCPA Compliance for Grocery – Grocery Podcast S2 E2
Are you wondering what the California Consumer Privacy Act (CCPA) is and how it applies to you? Look no further: in this two-part episode we explore everything you need to know about CCPA and more. Sylvain Perrier and Mark Fairhurst are joined by privacy and security experts John Tomaszewski and Ted Murphree from Seyfarth Shaw LLP.
With CCPA expected to come into effect in January 2020, retailers need to consider what is required to ensure they are compliant. Listen in for tips on how to prepare your business and set yourself up for success.
John Tomaszewski
John Tomaszewski, Co-Leader, Global Privacy & Security Special Team, Seyfarth Shaw LLP
John Tomaszewski is a Partner in the International Data Protection Practice Group, and the Co-Leader of the Global Privacy & Security Special Team of Seyfarth Shaw LLP. He has significant experience counselling companies regarding data protection and information security throughout the Americas, Europe and Asia. His clients have included a myriad of technology companies as well as financial services, pharmaceuticals, and e-commerce businesses of all sizes.
Ted Murphree
Ted Murphree, Counsel, Corporate Department, Seyfarth Shaw LLP
Edward “Ted” Murphree is Counsel in the Corporate Department of Seyfarth Shaw LLP’s Houston office. Ted has over 17 years’ experience as a government attorney for the City of San Antonio, with over nine (9) of those years supporting the information technology department in security, privacy, and technology legal matters. Ted’s experience includes advising clients in myriad areas of law impacting government, and in his tenure, he has written laws, policies, and procedures.
Mark Fairhurst
Mark Fairhurst, VP of Marketing, Mercatus
Co-host on The Digital Grocer Podcast and as VP of Marketing at Mercatus, Mark brings to the show a marketer’s perspective on the rapidly evolving grocery tech landscape. He applies a strategic lens focused on a continual search for the next big trends and best practices. Mark enjoys exploring not just how things are changing in grocery retail, but also why they’re changing — and where they’re headed.
Sylvain Perrier
Sylvain Perrier, President and CEO, Mercatus
Named as a Top 10 Influential in Retail 2020 and a 2019 Grocery Game Changer, Sylvain Perrier is a true digital retail trailblazer. As President and CEO of Mercatus, he is the driving force behind the leading digital commerce platform in grocery retail. As host of The Digital Grocer Podcast, he infuses these conversations with his vast understanding of retail, grocery operations and technology, as well as his quick wit and good humor.
Full Transcript
Sylvain Perrier:
Welcome, ladies and gentlemen, to the Mercatus podcast, Digital Grocer episode 13, part 1, and we’re recording right here at Mercatus HQ. I don’t know what it is outside. Is it spring? Is it springtime? Here in downtown Toronto, it’s …
Mark Fairhurst:
It’s sunny but it’s still chilly.
Sylvain Perrier:
It’s a balmy 50?
Mark Fairhurst:
Fifty, 50 degrees.
Sylvain Perrier:
For the people that rely on the devil’s tool, the metric system, it’s nine degrees Celsius, which I get confused by the whole metric system. I’m your host, Sylvain Perrier, President and CEO of Mercatus. Joining me in the studio today is Mercatus’ very own director of marketing, Mark Fairhurst.
Mark Fairhurst:
Hello everyone.
Sylvain Perrier:
At the board are our trusted sound engineers. [Scottie] is wearing the red shirt. Kevin, go ahead.
Kevin:
How’s it going?
Sylvain Perrier:
Great. Mark, so the last time we recorded was at NGA 2019 in San Diego.
Mark Fairhurst:
National Grocers Association, that’s right.
Sylvain Perrier:
Yeah, it’s a good show. We participated in the cart event.
Mark Fairhurst:
Yeah.
Sylvain Perrier:
And Gary Hawkins released his most recent book, Retail in the Age of i. I actually just finished reading the book and it’s a really good book. For those of you that want to buy it on Amazon, you actually have to put in Gary E. Hawkins. You just can’t put Gary Hawkins because you’ll end up with a collection of books that are, I think, are like mythical sword creatures and stuff like that, which I know it’s nothing to do with retail.
Sylvain Perrier:
Then we sauntered over to beautiful Philadelphia.
Mark Fairhurst:
That was one heck of a saunter.
Sylvain Perrier:
It was a saunter for Home Delivery World 2019 and that was interesting because we got to see a lot of retailers, technology providers and miscellaneous companies that have sprouted up to really help the retail industry catch up to the last mile.
Mark Fairhurst:
Yeah, a lot of specialized logistics companies.
Sylvain Perrier:
Oh, there was, yeah, there was a lot. We were next to that company that did the automated vehicles. I can’t remember the name. Do you remember the name?
Mark Fairhurst:
Udelv?
Sylvain Perrier:
Udelv and they’re doing something with the folks over at Walmart. That was interesting but I managed to get up on stage, do a keynote, was on the panel with Jack Record, CEO of ShopperKit with Chad Petersen from Lowes Foods. We tackled some amazing subjects and we heard some really interesting stuff from Chad in terms of what they’re doing over at Lowes in terms of delivery, in terms of eCommerce in general.
Sylvain Perrier:
On the last day, I was able to interview Ron Bonacci and Ron is the VP of marketing and digital over at Weis Markets.
Mark Fairhurst:
Right? Yup.
Sylvain Perrier:
What was interesting at that whole show, whether we were at our booth, whether it was after a speaking engagement, we had a bunch of people coming up to us and asking us about CCPA.
Mark Fairhurst:
Yeah. I think the number of questions was surprising.
Sylvain Perrier:
Yeah, and then for those of you who don’t know, CCPA is the California Consumer Privacy Act. They wanted to know what is CCPA and how do we solve for it and what do we need to be worried about. Is it like GDPR. They know it’s coming. It’s post GDPR so they’re wondering, is it like it? GDPR is … it comes from the EU and we decided, I think we need to make a show about this and a two-part show because there’s a lot of ground to cover.
Sylvain Perrier:
Now at Mercatus we’re mindful about a bunch of things. We’re mindful of how do we store data, where do we store data. We have to deal with multiple privacy statements because we have both Canadian customers and we have US-based customers.
Sylvain Perrier:
In Canada, pre-GDPR, we’ve always had something called the Personal Information Protection and Electronic Documents Act. Canadians, we always do this. It’s always more than a mouthful.
Mark Fairhurst:
Try it in French.
Sylvain Perrier:
Oh yeah. It’s PIPEDA. PIPEDA has, it’s a federal act, but it has some minor … PIPEDA doesn’t have minor modifications but there’s some provincial flavors to it, specifically Quebec, Alberta and British Columbia. We deal with having to deal with the flavor specifically that’s in the province of Quebec because our French audience is a little bit different than the rest of the country.
Sylvain Perrier:
Now, in the US, it’s the Federal Privacy Act from 1974. California, and I know our guests on the show are going to correct me if I’m wrong here, California is one of the very first states to enact its own privacy law. It’s coming due January 2020 and I can only assume from what I’m hearing is it’s going to have a cascading effect with likely other states filing their own.
Mark Fairhurst:
Correct, yup.
Sylvain Perrier:
I can only assume that it won’t be long before in Canada, the federal government is going to make some changes to PIPEDA. Let’s jump right into it.
Sylvain Perrier:
To help our listeners understand GDPA and not GDPR, but CCPA and the impact in the industry, we have two experts joining us and they’re from Seyfarth Shaw LLP. Full disclosure, we use them as a law firm on our stuff, whether it’s ADA, whether it’s CCPA and likely some other stuff as well.
Sylvain Perrier:
They have over 850 attorneys. That’s a lot. That’s a big law firm. Probably bigger than the average Toronto-based law firm. They have offices in the US, London, Hong Kong, Melbourne and Sydney. I’ve never been. Have you ever been, Mark, to Australia?
Mark Fairhurst:
To Australia, no. I’d love to go.
Sylvain Perrier:
You’ve never been.
Mark Fairhurst:
No. We should ask our guests how often they go.
Sylvain Perrier:
I’m sure they go quite often. Our first guest is John Tomaszewski and he’s co-chair of the global privacy and security team over at Seyfarth. John, a pleasure having you on the show.
John Tomaszewski:
Thank you. Glad to be here.
Sylvain Perrier:
And our second guest is Ted Murphree and he’s a member of the privacy and security team over at Seyfarth. Sir, a pleasure having you on the show.
Edward Murphree:
Thank you very much for having me.
Sylvain Perrier:
You’re welcome. John, I’m curious, you and I have been on the phone so many different times and you’re a bit of a scholar of history because I think you’ve been in this space as long as I have. I never disclosed how long that is. I’m curious, what’s the history behind CCPA?
John Tomaszewski:
California’s actually had privacy acts and privacy laws in place for some time and a number of the obligations that exist in the CCPA have been somewhat in California law previously. But the CCPA itself is an interesting, I don’t want to say anomaly, but it’s an interesting historical study because there’s this perfect storm that brewed in California a couple of years ago. We all spend a lot of time talking about the general data protection regulation or GDPR in Europe and that got a lot of press and a lot of discussion in the literature, not just in the legal literature but also with a bunch of folks outside the legal community.
John Tomaszewski:
One of which was a gentleman by the name of Alastair Mactaggart who happens to be a real estate billionaire in California, San Francisco specifically. Alastair was looking at what was going on with the GDPR and since he lives in San Francisco, on the Bay Area, he’s also looking at what’s going on with all the technology companies that are basically making money on people’s data and went, “Hmm, not sure I like this.”
John Tomaszewski:
Since California hadn’t been moving in the legislature to do anything to upgrade or modernize the existing law, what he did is he actually said, “What can I do about this?” California has this funny little thing that allows for the population, the residents of California to actually modify their constitution via ballot initiative. You can also pass laws via ballot initiative and the scariest thing about that is in the event that a law is passed on a ballot initiative, the only way that law can be amended in California is if 75% of the legislature approves the amendment so you need a super majority.
John Tomaszewski:
Makes it very, very difficult to amend a law passed on a ballot initiative. Alastair being the “privacy advocate” that he is, I use the term very loosely and in air quotes. He wrote a ballot initiative law with the help of a couple of lawyers that is pretty anti-business.
John Tomaszewski:
You guys are familiar with CASL in Canada, the anti-spam law. It makes it really difficult to comply with Canadian anti-spam law because of the way that the law is set up. Alastair’s drafting of the original ballot initiative statute has had the same problem.
John Tomaszewski:
What the legislature did because the legislature got lobbied by the tech industry and said, “We can’t deal with this, you’d need to do something about it.” What the legislature did and Governor Jerry Brown did is they made a deal with Mactaggart and said, “Look, we’ll pass a law that’s better drafted than what you have that we can live with as long as you take your ballot initiative off the ballot.” He looked at what was drafted and said, “Okay, we can do that.”
John Tomaszewski:
There was a very quickly drafted law that became CCPA and that was done mostly in response to the political pressure that had been placed on the legislature and Governor Brown as a result of Alastair doing something that really is commercially untenable. That’s really the history as to why that happened. It was both situation with Facebook as well as the situation with Cambridge Analytica, as well as the situation with the GDPR, as well as Alastair being a Scottish national, even though he’s made his money in California. There were a bunch of different things going on and the rationale behind why CCPA got drafted the way that it did was really a political conversation with Alastair Mactaggart to get his ballot initiative off the ballot.
Sylvain Perrier:
John, is it safe to assume that Alastair decided to do this post, the whole Cambridge Analytica scandal with Facebook?
John Tomaszewski:
That was definitely part of it. It’s not all of it. The idea that, at least listening to Alastair talk, the idea that individuals need to have a higher level of control or value over their data is really the underlying theory behind what Alastair was doing. The idea is look, businesses like Facebook, businesses where you’re as a consumer not having to pay for the business, you’re then the product, that just sits wrong from an aesthetic perspective. That idea of … He’s Scottish, like us Texans, we have our independent streak. I really think that Cambridge Analytica was more of a nail in the coffin as opposed to the underlying rationale.
Sylvain Perrier:
Right, right. As an aside now in one of the latest articles, specifically on Facebook in this month’s Fortune magazine, there’s a paragraph that quotes your current governor. I think his name is Gavin Newsom. He’s now talking about that maybe there’s an opportunity here for organizations that are harvesting data and actually generating revenue that they should be paying back to the end user.
Sylvain Perrier:
Is that something that you’re seeing making its rounds or with some of your other clients that are discussing CCPA?
John Tomaszewski:
Well, the CCPA provides for that. One of the things that’s interesting about the way the CCPA is set up is there are provisions in the act that allow for financial incentives. The concept is there. The issue becomes one of, well, how do you operationalize that? Because it’s really cool and easy in concept, but in practice it’s a lot more complicated because it ends up getting tax law involved, ends up having a whole bunch of other issues around valuing something that is really hard to value because well, while data does have value, it also has a shelf life. What the data is being used for and the value you can extract out of that data is different depending on the context, so it’s a lot more complicated in practice than it is in theory, but it’s definitely something that we’ve been hearing in the industry or the privacy space for probably the last three years.
John Tomaszewski:
Haven’t had any clients start talking about it and mostly that’s because the businesses that are going to consider this are going to be businesses that are not necessarily retail but are more in the freemium or the big data space like your Facebooks and your Googles and your Apples.
Sylvain Perrier:
Right. Now, Ted, refresh my memory. What are the consumers’ privacy rights in the context of this?
Edward Murphree:
There are actually five. The right of Californians to know what personal information is being collected about them. The right of Californians to know whether their personal information is sold or disclosed and to whom. The right to say no to the sale of personal information. The right to access and the right to equal service and price, even if exercising the rights.
Edward Murphree:
Now this last one is mentioned as a right but under the law, it’s listed as a duty on the part of the organization not to discriminate.
Sylvain Perrier:
I’m assuming there’s certain threshold of what type of business needs to worry about CCPA and Ted, is it the mom-and-pop shop that does $1 million has to worry about CCPA or is it larger corporations?
Edward Murphree:
I think that the drafters were going more after the big boys, so to speak. I think any organization that is concerned about the law really needs to ask themselves several questions. First question is, are they, obviously, are they a business, but are they a business that actually is for profit? Are they in the space of what I’ll refer to as a controller? Are they concerned with how the information is being controlled, whether they are doing business in California and whether or not they meet certain thresholds.
Edward Murphree:
For example, if they are doing $25 million in business and/or are they doing 50,000 records or they derive 50% or more of their annual revenues from selling consumers’ personal information. First thing they need to do, first and foremost, is to decide whether or not they come under that definition. The second thing is they need to decide whether or not they’re processing a consumer’s personal information.
Sylvain Perrier:
A large retailer domiciled in California that may have a loyalty program with over 2 million subscribers to it that they may be emailing on a weekly basis definitely fits into that environment.
Edward Murphree:
Could very well, yes.
Sylvain Perrier:
Now, is there a limit to what’s considered personal information? Is there a definition that really sets boundaries for that?
Edward Murphree:
There is and the easiest way I can describe it is as they’ve done under the law is to say it’s in everything and anything under the sun. What they’ve done is they’ve expanded personal information beyond what we’ve seen in other laws. What they’ve done is they’ve said personal information means information that identifies, relates to, describes, is capable of being associated with or can reasonably be linked directly or indirectly with a particular consumer or household. Then it provides a laundry list of what those things are and this is quite expansive.
Sylvain Perrier:
In case of a grocery retailer or any retailer, quite frankly in the state of California, this not only affects them online if you’re signing up for a loyalty program. It equally affects if they go in store to do the exact same thing. Ted, is that a safe assumption?
Edward Murphree:
I think that’s a safe assumption. Would you agree, John?
John Tomaszewski:
That absolutely is correct. The idea that this only applies to an online or email campaign is a risky proposition at best. Now we have to remember that the regulations that are going to be used to enforce this law are still in the midst of being drafted by the attorney general. There may be some change there. We also have to remember that at present there are nine bills currently attempting to modify the CCPA. It’s still a little bit of a moving target, but the fact that this is going to apply to offline data as well as online data, that’s probably not going to go away.
Sylvain Perrier:
Okay. What about if a company like, I will use Amazon as an example or any company that’s domiciled outside of California, but doing business online and doing transactions online with California residents? Are they subjected to CCPA?
John Tomaszewski:
Absolutely, absolutely. The trigger for the business is, are you collecting information about a California resident? The interesting thing about that, and this goes back to the offline versus online conversation, is depending on what you’re doing with an individual, that individual may be a California resident but is physically in your retail establishment. For example, a Kroger or a Safeway, one of these national chains, in another state. If I, for example, am visiting, I’m a California resident, visiting my in-laws or my friends in another state, go into a retail establishment, join up for a loyalty program in the retail establishment, go back to California. All of that’s covered under the California law as well even though my joining the loyalty program happened in North Dakota or Utah or Nevada.
John Tomaszewski:
It’s a lot broader than people think it is because of the fact that it is triggered off of a California resident. The way California resident is defined is basically if you pay taxes in California. The way it’s defined is under a reference to the revenue code.
Sylvain Perrier:
Now, the question I get a lot, John, is and you can imagine this is coming in on the heels of GDPR and there’s a lot of information that’s out there on GDPR and the cause and effect that it had on some of the technology providers in this space. I think the information that’s available on CCPA isn’t so well defined yet in terms of what’s online.
Sylvain Perrier:
We’re getting questions as well, isn’t CCPA like GDPR? What are the big differences from a high level perspective?
John Tomaszewski:
Part of the reason why there’s not a lot of literature online around CCPA is we don’t know what the CCPA is going to end up looking like. But there are some significant differences as well as some significant similarities. When you look at the differences, there are more ways to get out from underneath having to provide an individual access to their rights under the CCPA than under the GDPR.
John Tomaszewski:
GDPR has a number of exceptions under which you can say to an individual, I’m not going to give you a right of access, for example, or the one that everybody ends up talking about a lot is I’m not going to give you the right to request deletion. There are more exceptions under the CCPA than there are under the GDPR to deny a deletion request, number one. Number two, the GDPR starts off with this concept of you have to have a legal basis for processing and articulates six specific legal bases for processing.
John Tomaszewski:
If you can’t fit within one of those legal bases for processing, you can’t process the data at all under the GDPR. That’s not true in the CCPA. The CCPA, basically any reasonable commercial purpose is up for grabs. You can actually process data for that particular purpose.
John Tomaszewski:
That’s a pretty big distinction in that the CCPA is still fairly permissive in terms of the basis for processing and the GDPR is not. You have to fit within one of those specifically enumerated legal bases for processing.
John Tomaszewski:
Now, there’s some question as to whether or not that’s a material difference or not because one of the bases under GDPR is legitimate interest but realistically, it’s just easier to figure out that it’s okay to process data. In a weird way, not in a weird way, in a more practical way, GDPR is an opt-in whereas CCPA is an opt-out kind of framework.
John Tomaszewski:
The other thing that’s important to recognize is under GDPR there’s a private right of action for pretty much everything. Under the CCPA, the attorney general is going to be doing the enforcement work for almost all of the rights enumerated under the statute. The only private cause of action right now, the only personal right of action right now is for a security breach, which realistically had already existed in California law anyway.
John Tomaszewski:
The other significant difference is California doesn’t have the same enforcement mechanisms that the GDPR does and the GDPR’s enforcement mechanisms are broader. It can be either the individual or regulator or somebody in civil society, some think tank that says, “Hey, I want to do this on behalf of all these injured individuals.” The risk profile under GDPR is a little bit larger, both from a finance perspective as well as from the number of different people who have standing to sue you under it.
Sylvain Perrier:
Here’s, John, a very hypothetical question that I want to share with you. In context of Mercatus’ platform, we have over 58 plus integration partners and some of those integration partners could be POS, it can be couponing systems, it can be ESP systems. In any case, when we act on behalf of the retailer, we allow a shopper to create an account online. We create that account, that information’s encrypted, stored in our database, transmitted over to the retailer, stored in their loyalty system and encrypted. We then in turn enable consumers to be able to clip coupons. There’s a certain amount of information that is sent over to the coupon processor. You can imagine then that generates some sort of transactional data for financial reconciliation and so on.
Sylvain Perrier:
Let’s say a consumer sends us or sends the retailer a notice, I want to delete my account. How far down do we really need to go to satisfy the law? That may not be defined but I’m just curious how far down do we need to go.
John Tomaszewski:
Interesting question. The first response is the entity that is having the data requested obviously needs to delete the data out of their database in the event that the deletion request is permissive. What I mean by that is there are a whole host of reasons why you can deny a deletion request, not the least of which is it’s necessary to protect a business from, for example, a contract claim.
John Tomaszewski:
If there’s a contract in place, that transactional data is related to that contract. For example, your subprocessor, you have a contract with your subprocessor and you have to maintain that transactional data to demonstrate that that subprocessor is fulfilling their contract, whether it’s service level agreements or quality levels or just simply the fact that they actually provided service.
John Tomaszewski:
Just because somebody requests deletion of data doesn’t mean you have to delete it in that instance because you have to retain that data to demonstrate either compliance with or generate a legal claim that somebody has not complied with the contract. The statute of limitations on that’s anywhere from 4 to 10 years depending on what state you’re in.
John Tomaszewski:
There, as I was saying earlier, there are a number of exceptions to the deletion requirement, but let’s say the deletion requirement is permitted. You’ve got an email address that’s only used for marketing and it’s in the marketing database and that people’s request for deletion is associated with that. You need to have the service providers that you are giving these and they come to Mercatus or they come to the retailer. They come to a Piggly Wiggly or a Safeway and say, “I want you to delete my data.” The retailer’s going to have to go to their service provider and say, we need you to delete the data.
John Tomaszewski:
Realistically, the service provider is going to need to go to their subprocessor and say, we need you to delete the data as well. In general, you’re not going to have every service provider touch every piece of data. This is where life gets complicated and this is the reason why even though CCPA doesn’t require a data processing registry or inventory like the GDPR does, it’s a really good idea to do it because this way when you get a deletion request, you know which of your 50 or 60 or 100 service providers will have touched that data for that particular purpose. Because the other thing we have to remember is there are databases that contain the same data that may have a deletion request put against them that’s permissive, that’s permitted and there may be databases which have exactly the same data that you have to retain for legal purposes, for records retention purposes, or for whatever rationale that’s permitted under the CCPA.
John Tomaszewski:
The purpose for holding onto that data is what’s going to give you the capacity to say, “Yes, I can delete it” or, “No, I can’t.” That’s really where you’re going to end up figuring out whether or not you need to push this down to subprocessors and sub subprocessors.
John Tomaszewski:
Practically speaking, you’re only going to be able to do one level of attenuation away because that’s where your contractual privity stops. If Safeway comes to you, you go to your provider and then you’re done. Because if anything else, your provider then has to go to their provider, which they may or may not have contractual language that allows them to do that but realistically, that’s where you’re going to go.
John Tomaszewski:
That was a long-winded way of saying if it’s required for you to do a deletion, you’re going to do one level down.
Sylvain Perrier:
Yeah and I think one of the first recommendations that we’ve been putting out to some of our clients on the West Coast that have been asking about this is at the very least you need to start immediately understanding your data maps and your data flows and what is exactly stored where and by whom and is it even possible today? Because there are still some systems out there today where effecting a true delete, a true purge at the record level, is impossible. I think that’s where some of the retailers are scratching their heads, should they be doing this on their own? Should they be going out to market to look at third party solutions that do this?
Sylvain Perrier:
I think, Mark, we’ve seen a couple of these systems.
Mark Fairhurst:
The compliance solutions.
Sylvain Perrier:
The compliance solutions, but those are very difficult to put in, and taking all your third party systems and your processors and integrating them into that thing is quite challenging.
Sylvain Perrier:
John, is there a chance that Jan. 1’s going to be pushed out?
John Tomaszewski:
Well, Jan. 1’s already pushed out.
Sylvain Perrier:
Perfect.
John Tomaszewski:
The enforcement of the CCPA for everything except for the private right of action for a security breach is subject to AG regulation and the AG cannot under the statute start enforcing until July at the earliest. What happens-
Edward Murphree:
July 1st, right, John?
John Tomaszewski:
July 1st. What happens is you’ve got the AG writing regulations and the regulations will be enforceable within six months of the regulations being finalized. The earliest point in time that the regulations can be finalized are January 1 because that’s the effective date of the statute. As a consequence, if that’s the effective date of the statute, if you write regulations before the effective date of the statute, the regulations have no basis in law so they’re not applicable.
John Tomaszewski:
I doubt seriously the AG is going to get their regs in place by January 1 and the reason for that is not only do they not necessarily have the resources to do it, but the law keeps changing and it’s really hard to write regulations when the law changes. There are some pretty material changes to the law being contemplated in the various bills that are in the assembly right now.
John Tomaszewski:
Are we going to necessarily have to comply directly on Jan. 1? You are but you’re not exactly going to know what you’re going to be complying with, number one, because the regs won’t be in place. Number two, the regs aren’t going to be enforced until the earliest of July, probably thereafter. Number three, even if you’re not compliant, one of the things that you have to remember is in order for the AG to do anything to you, they have to give you a notice of noncompliance and then you have 30 days to cure.
John Tomaszewski:
If you don’t have a notice, you’re not going to be enforced against. The enforcement mechanism is a little bit challenging. It’s not as risky as saying, oh, there’s just going to be a private right of action for everything, which is what one of the bills actually says.
John Tomaszewski:
One of the bills modifying the CCPA actually gives the private right of action back to the individual. Not really a good idea, but that’s not the state of the law right now. Jan. 1 is going to be more around the idea of the lookback provision. For example, if I have an access request or if I have a deletion request, you don’t delete everything or access everything. You only delete or access back to the last 12 months. That’s when the January 1 timeframe is really going to be relevant. It’s what you look back to as opposed to are you going to be enforced against.
Sylvain Perrier:
In the case of a retailer, if we were to think of a Safeway out of Pleasanton, which likely has north of 5 to 10 million members in its loyalty program, they don’t have to retroactively go back to those 10 million individuals to let them know about the new rules. They just have to worry about the data they collected for the last 12 months.
John Tomaszewski:
Yes and no. The question is going to be whether or not the notice provisions in the CCPA are going to be triggered for the data you already have. We don’t know that yet. What we do know is until you have an affirmative obligation to give somebody access, correction and deletion rights, which is Jan. 1, you’re not going to be able to look backward.
John Tomaszewski:
Starting Jan. 1, if somebody comes into the Safeway and says, I want to have access to all of my data that you have on me, Safeway can say, “Look, I’m giving you all the access to the stuff that you have a right to, which is from Jan. 1, 2020.” It’s basically going to be a rolling window back to January 1 and then 12 months backwards, except your cutoff point is at January 1.
Sylvain Perrier:
Okay. What happens to retailers, and we know this in the industry today, there are a lot of retailers that actually sell their transactional data and the transactional data is anonymized to a certain extent, I think. I’m not privy to it, but if they sell it to a third party for the purpose of, I’m not sure, promotional designs or planogram management, are they at risk with CCPA?
John Tomaszewski:
They are and the reason why they are is because the challenging thing about CCPA is the opt-out right. There’s, I don’t want to say it’s an absolute, but there’s a really close to absolute right to opt out from having your data sold to a third party.
John Tomaszewski:
The definition of sale is really broad. It basically includes any transfer for consideration, and consideration as a legal term is also really broad, so it’s basically anything. Now when I say third party, I mean third party, not necessarily a service provider. If they’re transferring data to Mercatus and they’re getting a benefit out of it, which as a benefit would be considered a sale, you’re not a third party, you’re a service provider. It’s because you guys are under contract: you can only use the data for purposes pursuant to the contract; you’re not going to be turning around and making money on the data itself. What you’re doing is you’re providing a service and that’s the way you can make money and that’s the benefit that your client gets. But if they’re turning around and selling it to a marketing house and they’re getting money because they have this nice long laundry list of folks that shop in their stores on a regular basis, they have to provide an opt-out. If they don’t provide an opt-out, they run a risk.
Sylvain Perrier:
My understanding is the states of New York and Pennsylvania are lining up now with their own flavor of CCPA. I mean, are you guys hearing the same thing? Is there a chance that Congress may jump in and this will be an amendment to the US privacy act?
Edward Murphree:
Yes, we are seeing this, actually. If you don’t mind me interjecting, John. Yes, we are seeing this. It’s not only New York; actually several states are bringing forward some flavor of the CCPA. Texas, for example, has two CCPA-like bills in its legislature right now.
Edward Murphree:
Are we saying that this will go forward with other states? There’s a distinct possibility. Whether or not it’s going to be reality, we don’t know at this point, but we are seeing action as far as other states are concerned. As far as a federal standard is concerned, yes, you’re correct. There is some consideration on the federal front but again, things are still up in the air on whether or not that will bear fruit.
Sylvain Perrier:
John, Ted, it’s been a pleasure having you on the show today and, you know what, I actually look forward to part 2. This is one of those subjects that’s just so fascinating and, Mark, would you say, the repercussions of this across the industry are widespread?
Mark Fairhurst:
I agree and I think that the grounding in CCPA that Ted and John provided is going to solicit more questions …
Sylvain Perrier:
Absolutely.
Mark Fairhurst:
… after this podcast is broadcast.
Sylvain Perrier:
Well, Ladies and gentlemen, thank you for listening and don’t forget to download our next episode, which will be part 2 and we’re going to be tackling this continued conversation around CCPA. Mark, I think you have some requests out for our audience.
Mark Fairhurst:
That’s right. We’re going to do something a little different other than, maybe typically, the conventional ways of reaching us, Mercatus, through our social channels and through our website, www.mercatus.com, there’s also an email address that we’re going to request that audience members send in their questions pertinent to CCPA following listening to this podcast. That email address is happygrocer, one word, @mercatus.com.
Sylvain Perrier:
How creative of you.
Mark Fairhurst:
Do you like that?
Sylvain Perrier:
I love it, thank you. Everyone, thanks for joining us and we’ll talk to you soon.