“Virtually all retail customers are willing to yield some personal data in exchange for more personalized service or tangible benefits."
NRF Senior Vice President David French
WASHINGTON – The National Retail Federation and the California Retailers Association today asked state officials to preserve popular customer loyalty programs, protect businesses from potentially ruinous financial penalties and address other provisions of a new privacy law set to take effect next year that could interfere with consumers’ expectations for customer service.
“Data drives retail and the customer experience,” NRF Senior Vice President for Government Affairs David French said. “Retailers are firmly on the side of consumers and collectively spend billions of dollars each year to enact policies and build systems to protect personal information. But we believe the California law will have far-reaching effects that will interfere with retailers’ ability to offer the customer service Californians demand.”
“Retailers know that establishing long-term relationships with their customers requires more than just providing merchandise at a price they can afford,” CRA President Rachel Michelin said. “It requires maintaining consumers’ trust. We look forward to engaging with the attorney general and the California legislature to ensure that this law and its regulations strike the proper balance.”
NRF and CRA today submitted comments to Attorney General Xavier Becerra as the state Department of Justice prepares to draft regulations for implementation of the California Consumer Privacy Act. The law, which was passed last summer and is scheduled to take effect in January 2020, places sweeping restrictions on how retailers and other businesses can collect and use information about consumers. The letter emphasized that retailers gather data about consumers primarily to better serve them, in sharp contrast to other industries that gather consumer data primarily to monetize it by selling it to other businesses.
NRF and CRA are concerned about non-discrimination provisions of the law including a prohibition on retailers treating consumers who exercise privacy rights any differently from those who do not, which could put an end to retail loyalty programs that offer discounts to members.
“Virtually all retail customers are willing to yield some personal data in exchange for more personalized service or tangible benefits like discounts or instant coupons,” French said. “The California privacy law, as currently written, will end these popular and valuable benefits.”
The new law may saddle businesses with penalties of between $100 and $750 per consumer per data breach incident, resulting in “enormous and financially ruinous damage awards without regard to the size of the business, the circumstances of the breach or mitigating factors such as the good faith or level of cooperation of the business,” NRF and CRA said in the letter to Becerra. Companies that are breached are “not malicious or reckless bad actors but rather are the victims of often highly sophisticated financial fraud and computer crimes,” the letter said.
While the law applies only to companies with locations in California or doing business with Californians, NRF is concerned that it could become a model for legislation in other states or in Congress.