Miriam Farhi is a partner in law firm Perkins Coie’s Technology Transactions & Privacy practice, where she focuses on advising retail, luxury, and technology companies on privacy and data security issues. She discusses the impact of the newly enacted California Consumer Privacy Act (CCPA), its key differences from the General Data Protection Regulation (GDPR) and why retailers should be prepared to respond to new enforcement measures.
Luxury Law Alliance: How has the fashion industry – particularly in the luxury space – been affected by the California Consumer Privacy Act?
Miriam Farhi: The CCPA went into effect in January 2020, but enforcement did not begin until July, so we are in the early stages of understanding the law’s impact on the fashion industry. Many of our clients have been working carefully to prepare for CCPA compliance and have invested time and resources to respond to their new obligations under the law. Covid-19 has accelerated the pressure on many retailers to get up-to-speed on data compliance issues. As brick and mortar stores shut down, the luxury brands who may have been slower to embrace e-commerce are adopting new technologies and digital strategies.
I have a number of clients in the beauty space, for instance, that are experimenting with AR/VR so customers can try on products in a digital context. Other clients, who have traditionally offered only physical products, like apparel, are engaging customers by providing new offerings, like online workout classes, self-care tutorials, or virtual fitting rooms. All of these technologies involve the collection of more (and new) types of data, which means there are privacy and data security considerations companies need to work through, including compliance with the CCPA.
LLA: What is the primary guidance you would offer to companies that are just starting to think about their compliance programs?
MF: It’s important for companies to know their data and understand their information practices. This means building out a comprehensive data map or inventory that provides an accurate, up-to-date view of how a company is collecting information from consumers, what type of information is collected, and how they use, store, share and protect consumer data. Mapping out the data and its life cycle throughout the company is foundational.
LLA: What are some of the key differences between the GDPR and CCPA that luxury brands should consider?
MF: This is a really important issue because there can be misconceptions about the differences between the two laws, especially for companies based in Europe. After completing the time-consuming and expensive work to comply with GDPR, such companies often think they are well-positioned for the CCPA, and that’s not necessarily the case.
GDPR compliance certainly helps companies address their CCPA obligations because, for example, they will already have a good understanding of their data practices and an up-to-date record of processing or data map. But there are important differences that have business impacts. The CCPA, for instance, imposes significant obligations on businesses that “sell” personal information or offer “financial incentives” – two concepts that are not addressed under the GDPR.
The CCPA has a very broad definition of “sale” and requires companies to add disclosures about any sales of personal information they engage in and to provide California consumers with the ability to opt out of this practice. Since “sale” is defined so broadly, we work with clients to assess their data sharing practices – including those in the ad tech space – to determine whether or not they are selling personal information.
The CCPA regulations also provide fairly onerous requirements around what a company has to do if they offer discounts or other benefits in exchange for the collection, retention or sale of personal information. For example, companies that offer a discount in exchange for a consumer’s email address (e.g., sign up for our newsletter and get 10% off your next purchase) may be required to provide additional information to consumers, such as a description of the material terms of the offer, how the consumer can opt out of the offer, and a good-faith estimate of the value of the consumer’s data. Wherever possible, we work with companies to leverage the work they did for GDPR compliance and build from there to address their CCPA obligations, but it’s critical to understand and respond to the differences.
LLA: How will CCPA enforcement be affected by Covid-19?
MF: Enforcement of the law is underway. The California Attorney General has already issued notices of potential violations, giving businesses 30 days to become compliant with the law. We’ve also seen the first wave of CCPA-related class action litigation, with more than 70 cases filed that cite CCPA violations in their complaints.
LLA: What can we expect in the near future?
MF: It’s important to remember that California tends to pave the way for other states when it comes to consumer protection and privacy in the U.S. I expect that this will be no different and that more states will introduce and enact comprehensive consumer privacy legislation. We may also see a federal privacy law, akin to the GDPR.
This underscores the importance of investing in a privacy compliance program now. Building a framework and establishing processes to manage personal data will make it easier to address new legal obligations as they arise.