Ah, California. The land of sunshine, grape vines, stunning wine — and now, of the U.S.'s first major data privacy legislation. The California Consumer Privacy Act, or CCPA, came into effect at the very beginning of 2020, and affected businesses must now work to become compliant with its stipulations. It's a law with sweeping implications that can be challenging to dissect, but broadly, it aims to regulate and increase transparency into business use of consumer data.
With this major change in the works, we've been getting a number of questions from wineries across the region. The industry is full of questions over who will be impacted, what the implications are, and most of all, how to prepare your business for CCPA.
Here at WineDirect, CCPA is an important priority for us, and we're investing significant resources to ensure our clients can be compliant with this new legislation. That's why we've compiled these frequently asked questions and key facts that you should know about CCPA.
1. The basics: what does the law say?
Let's start with the key facts and an overview of the law itself.
Who's implicated by CCPA?
All for-profit businesses that operate in California that meet one of the following criteria:
Annual revenue of $25M or more;
Receive or share data from at least 50,000 California consumers; or
Make most of their revenue by selling personal data.
In other words, while this wording will impact a great many businesses, it still targets a relatively slim segment of them. However, it's important to note that you don't need to be based in California for the law to impact you. As long as you interact with a significant number of California residents and their private data, you need to comply with CCPA.
What does CCPA compliance mean?
CCPA requires impacted businesses to boost their data privacy standards and change their management process. This can range from prompting customers to agree to your website's cookies policy to ensuring customers can access and control their own data. Specifically, you need to:
Notify people that you're collecting their data;
Obtain voluntary consent from that person to collect their data;
Enable customers to opt out of your data use; and
Accurately and promptly purge any data which you no longer have the right to process.
What are the consequences of CCPA non-compliance?
CCPA will be enforced with fines of up to $2,500 per violation. Companies that breach the law's regulations are also at risk of private lawsuits of up to $750 from each customer whose data was mishandled. Any companies that are non-compliant might also lose the trust of their customers, particularly as awareness rises.
2. What does CCPA mean for wineries?
Luckily, CCPA won't impact the majority of wineries. After all, wineries aren't generally in the business of selling data, and many are below the revenue threshold.
By and large, this is a very different scenario from last year's website ADA lawsuits — if you're a small to medium business, you're unlikely to face immediate impact. And chances are slim that you'll lose customers or licensing, particularly if you start taking steps toward compliance now.
However, that's not a blanket guarantee that you can ignore CCPA (or that it won't impact you directly in the near future). There are a few ways it can still affect you:
1. Your partners for marketing (such as Facebook for ads on its social platforms, or MailChimp for email campaigns) and payment processing likely do need to meet CCPA compliance rules. Their business is processing consumer data, whether that's email responses or credit card numbers; if they fail to meet standards, you may be implicated.
2. Your customers may come to you with questions about how you use their data.
3. Other, similar laws are likely to follow now that CCPA is in place, or CCPA itself may expand in scope — so even if you're not regulated now, you likely will be in the future. (In fact, CCPA is really just following the trend of GDPR before it in the EU.)
In other words, don't panic — but do prepare.
3. What about customer billing data?
The next question that likely comes to mind is what you need to do with the data that you do have. For most wineries, especially those selling direct to consumer, that means billing data.
Here's the key: in the vast majority of cases, financial data histories are exempt from CCPA. While you should still consult with a lawyer or trusted financial partner if a case arises, CCPA doesn't supersede other laws, so you can and should retain billing information or order history to comply with other regulations.
This is because billing data doesn't fall into the same category as the Personally Identifiable Information (PII) that's covered by CCPA. That means that even if a customer requests that you delete all their data, you can retain their order history. This exception also applies to Payment Card Industry (PCI) regulations — if a customer asks to see all their data, you can't send their credit card data.
4. What should your winery do next?
To prepare, you need to assess your current data usage and update your policies accordingly. CCPA compliance is something to prioritize as you build your budget for website or privacy updates.
You should also contact your partners - especially your DTC ecommerce provider - to confirm that they're CCPA-compliant, and determine how their practices may impact you. If you’re a WineDirect client, rest assured our systems are fully compliant. However, if you are sharing your customer data with any other partners, or if you host your website on another platform, you’ll want to dig into their practices as well.
5. How is WineDirect preparing for CCPA?
CCPA regulations are still evolving, and WineDirect will continue to evolve with them to ensure compliant transactions. We're taking every possible measure to ensure that our data privacy and security processes meet the highest standard.
We've also worked diligently with our legal team to ensure our platform is compliant for our customers. Our DTC ecommerce software enables you to be fully compliant with all CCPA requirements, and our team is here for any questions or issues you might have.
If you still have questions about CCPA, we're here to help. Security and privacy are major priorities for us. That's why we're committed to providing top-tier service that meets the high standards of CCPA compliance. We'll also continue to provide updates as they become available — so stay tuned, and reach out if any concerns arise!