Beginning next year, a new state law in California will place sweeping restrictions on how retailers and other businesses collect and use information about their customers.
Inspired by the controversial General Data Protection Regulation implemented in Europe last year, the California Consumer Privacy Act goes even further in some respects. By prohibiting “discrimination” against consumers who decline to share information, it could virtually outlaw popular retail loyalty programs that offer discounts in return for data. Allowing consumers to have information “erased” could end services like returning items without a receipt. And a minimum $100 fine per customer for data breaches — even in criminal attacks — could subject retailers to ruinous financial penalties.
California law could affect more than just California retailers
Over the past year, NRF has worked closely with the California Retailers Association to raise awareness of the unintended consequences of the California measure and try to rein in its most onerous burdens.
The reason is that the California law would affect not just California retailers but any retailer doing business with residents of California — one of our nation’s largest markets — online, by mail or otherwise. Moreover, the law is becoming a misguided model for other states: Similar legislation considered in recent months in Washington state has died, but other bills have been introduced in New York, New Jersey and Illinois, and Connecticut has voted to study privacy issues. And it could easily become a model for federal legislation in Congress.
That’s why NRF urged lawmakers to adopt a “uniform, nationwide, consumer-centric” privacy law as Congress held its first privacy hearings of the year in February and to “avoid the flaws” of initiatives such as GDPR and the California measure. We sent letters to both chambers spelling out our principles for privacy legislation, saying regulation needs to be at the federal level rather than allowing the states to pass piecemeal and potentially conflicting legislation on a national issue, that it must include all entities that handle sensitive data, that businesses must be transparent about their collection and use of data, and that consumers must be given meaningful choices in how data is used.
This week — as the Senate held an additional hearing and the House prepared to do the same next week — we gathered dozens of retailers from across the country in Washington at the NRF Spring Privacy Meeting to review the California law, similar legislative activity in other states and legislation in Congress.
Speakers at our privacy session included Federal Trade Commission member Rebecca Slaughter, senior aides from the House Energy and Commerce Committee and the Senate Commerce, Science and Transportation Committee (the two congressional committees taking the lead on privacy legislation), and attorneys from top U.S. and European law firms with expertise in privacy laws and proposals on both sides of the Atlantic.
Consumers are savvy and willing to share data
Consumer privacy has been one of retailers’ priorities for many years. It’s good that lawmakers are addressing such an important concern. But some efforts take an almost paternalistic approach.
Consumers are well aware of privacy issues. Research presented at our privacy meeting, however, showed they also know the benefits of sharing information and don’t want to lose those benefits. And they know the balance they are willing to strike. Coupons for a discount at a favorite retailer delivered in the mail in return for your street address? Most are fine with that. Handing over your cell number? Most are OK if it gets them a text offering free delivery, but less so for intrusive phone calls or a less valuable offer.
82 percent of opinion leaders said regulations related to data privacy should not restrict the retail benefits and services they currently enjoy.
Of opinion leaders and likely voters surveyed for NRF in California and Illinois (considered comparable to residents of other states), an overwhelming 82 percent said regulations related to data privacy should not restrict the retail benefits and services they currently enjoy.
Privacy and data security need to be addressed, but at the federal level. Conflicting data breach notification laws currently on the books in four dozen states — confusing for consumers and a compliance nightmare for businesses — are an example of what happens when states legislate on national issues.
In the quest to protect consumers, lawmakers should not assume the public is naïve. Virtually all consumers are willing to yield some data in exchange for more personalized service or tangible benefits. Lawmakers need to realize that and strike the right balance as they address this issue. And Congress needs to act before the states can balkanize an issue that is clearly national if not global in scope.