CCPA Regulation Update: What Do Brick and Mortar Businesses Need to Know?
Part 1 of 4
With enforcement of the California Consumer Privacy Act (CCPA) on the immediate horizon, despite efforts to postpone its enforcement in light of the COVID-19 pandemic, the need for companies of all sizes to execute an efficient compliance plan is now more important than ever. In light of the second set of modifications to the proposed regulations, it's important to remember that the regulations apply not only to online businesses, but also to those with physical locations, such as retail, exhibitors, and restaurants. Brick and mortar locations are not exempt from the CCPA, and information collected in person or otherwise from physical locations still matters. So for brick and mortar businesses, they need to evaluate the special considerations that apply and prepare a response for these specific needs.
Special Considerations for Brick and Mortar Locations
The CCPA requires that at or before the point of collection, a notice needs to be given to the consumer. The proposed regulations have advised that the disclosure should be "readily available where consumers will encounter it at or before the point of collection." Importantly, these disclosures should be accessible to those with disabilities, and would be equally applicable to a disclosure online or in-person. Practically, this could be as simple as signs posted by the entrance, or on cash registers. These notices do not need to be a complete privacy notice, but rather, the collection notice should provide some basic information about collection and use, and can also link to a copy of the full privacy notice online.
This is especially important for brick and mortar locations due to their use of Closed Circuit Television systems for loss prevention, and their role in collecting biometric data. The CCPA has a wide amount of information that can be considered a "biometric identifier." Importantly for consumers, this could include information like a CCTV system or self-checkout register, as cameras may catch an image of someone's face which could be used to create a face print, or allow an individual to get a gait pattern or rhythm. For physical locations especially, this means that a notice to consumers likely needs to be given if loss prevention measures involving a camera are used. It should be noted that CCTV systems have already sparked privacy litigation in Illinois, due to its own biometric privacy law and the role of CCTV systems in creating a face print.
Alternatively, for those collecting information in-person, they can provide the CCPA notice about collection orally.
While the notice requirement applies to both physical and online businesses, it stresses that businesses should prepare a "notice spiel" akin to those used for regular customer service purposes, informing consumers that their information would be collected.
How Do I Comply?
For businesses operating principally in physical locations, compliance plans should be adjusted or expanded slightly.
- Remember to post on-location notices regarding the collection of personal data, and make those notices accessible to those with disabilities.
- Address CCTV and on-location cameras as potential issues under the CCPA.
- For any situation regarding oral collection of personal information, train employees that handle these collections to give a notice spiel, akin to those used for regular customer service purposes.
Right now, the CCPA applies to businesses that meet the following three criteria: (a) a for-profit business; (b) engaging with California residents; and (c) either (i) has annual gross revenue in excess of 25 million dollars, (ii) buys, sells or receives for commercial purposes the personal information of 50,000 California consumers, households, or devices or (iii) derives half or more of its income from selling personal information.
Ultimately, even if a business is not currently required to abide by the CCPA under the current criteria, expect the CCPA to encompass additional companies in the future should the threshold criteria be reduced (e.g. a lower gross revenue amount or fewer pieces of personal information). All businesses should take this opportunity to anticipate an eventual need to comply with the CCPA and act accordingly.
Newmeyer Dillion is tracking these trends and issues to counsel our clients whose businesses are at stake during these unprecedented circumstances. Please reach out to our COVID-19 Task Force, [email protected] for any questions.