Calif. Privacy Law Marks Sea Change for Retailers’ eCommerce Strategies

Two years in, and data privacy’s seismic shift — with California at its epicenter — may upend the way retailers close the deal.

As noted Monday, there’s at least some backing and filling as companies draw more of a bead on what they’ll need to do to comply with the California Consumer Privacy Act (CCPA). The beginning of next year looms as a red line has been drawn, when a 30-day cure period sunsets and firms are on the hook for how they treat all sorts of personal information.

Sephora’s $1.2 million fine is small potatoes, we contend, for a company that logs $10 billion in annual sales. But there’s also the impact on reputation, which can’t be quantified. There’s also the possibility that other states might enact similar legislation, which in turn means that companies will have to grapple with a patchwork quilt of data protection mandates that differ here and there.

Read also: Retailers Scramble to Ensure Targeted Ads Comply With New Privacy Regs

In that case, the challenges will be especially acute for the companies that are increasingly going direct to consumer (D2C). The business model shift has its value, especially in the digital age. A streamlined D2C approach means that companies can cut out wholesalers and distributors and might need to jockey less actively for share on shelves and customers’ mindshare.

But such an approach also demands that, as new data privacy laws take shape and are implemented in states as far-flung as Utah and Virginia, companies must adapt to and adopt new laws as they arise, fine-tuning operations on the fly.

Compliance Complexities Mount

Eventually, as so many companies become global in scope, the compliance complexities mount. In an interview with PYMNTS, Dylan Lowrey, general counsel at Nium, told PYMNTS that “you cannot take a one-size-fits-all approach … you need to go country by country.” Companies and the platforms they operate on have to strike relationships with local regulators to make sure that data localization laws are followed.

We’ve noted that as recently as July, 90% of U.S. companies are not prepared to meet the rigors of CCPA. Part of the issue may be that they do not know just what they must do to comply with those regulations. And what these firms don’t know can hurt them: The CCPA’s civil penalties can quickly add up, with $2,500 for every unintentional violation and $7,500 for every intentional violation. We’d hasten to add that there may be some controversies moving forward as to what the intentional vs. unintentional divides might be.

Such controversies might be the province of litigation and of appeals, and all of it winds up costing time and money. For foreign firms, too, there’s the issue that operating as a “service provider” in California means they are covered under the CCPA. Given the fact that California is the most populous state in the country, it’s a market that no retailer seeking reach (and wallet share) would shun.

Sephora’s fines are the tip of the iceberg, it seems, a salvo that will be the first of many.

For all PYMNTS retail coverage, subscribe to the daily Retail Newsletter.