Ah, California. The land of sunshine, grape vines, stunning wine — and now, of the U.S's first major data privacy legislation. The California Consumer Privacy Act, or CCPA, came into effect at the very beginning of 2020, and affected businesses must now work to become compliant with its stipulations. It's a law with sweeping implications that can be challenging to dissect, but broadly, it aims to regulate and increase transparency into business use of consumer data.
With this major change in the works, we've been getting a number of questions from wineries across the region. The industry is full of questions over who will be impacted, what the implications are, and most of all, how to prepare your business for CCPA.
Here at WineDirect, CCPA is an important priority for us, and we're investing significant resources to ensure our clients can be compliant with this new legislation. That's why we've compiled these frequently asked questions and key facts that you should know about CCPA.
Let's start with the key facts and an overview of the law itself.
All for-profit businesses that operate in California that meet one of the following criteria:
In other words, while this wording will impact a great many businesses, it's still targeting a relatively slim segment of businesses. However, it's important to note that you don't need to be based in California for the law to impact you. As long as you interact with significant amounts of California residents and their private data, you need to comply with CCPA.
CCPA requires impacted businesses to boost their data privacy standards and change their management process. This can range from prompting customers to agree to your website's cookies policy to ensuring customers can access and control their own data. Specifically, you need to:
CCPA will be enforced with fines of up to $2,500 per violation. Companies that breach the law's regulations are also at risk of private lawsuits of up to $750 from each customer whose data was mishandled. Any companies that are non-compliant might also lose the trust of their customers, particularly as awareness rises.
Luckily, CCPA won't impact the majority of wineries. After all, wineries aren't generally in the business of selling data, and many are below the revenue threshold.
By and large, this is a very different scenario from last year's website ADA lawsuits — if you're a small to medium business, you're unlikely to face immediate impact. And chances are slim that you'll lose customers or licensing, particularly if you start taking steps toward compliance now.
However, that's not a blanket guarantee that you can ignore CCPA (or that it won't impact you directly in the near future). There are a few ways it can still affect you:
1. Your partners for marketing (such as Facebook for ads on its social platforms, or MailChimp for email campaigns) and payment processing likely do need to meet CCPA compliance rules. Their business is processing consumer data, whether that's email responses or credit card numbers; if they fail to meet standards, you may be implicated.
2. Your customers may come to you with questions about how you use their data.
3. Other, similar laws are likely to follow now that CCPA is in place, or CCPA itself may expand in scope — so even if you're not regulated now, you likely will be in the future. (In fact, CCPA is really just following the trend of GDPR before it in the EU.)
In other words, don't panic — but do prepare.
The next question that likely comes to mind is what you need to do with the data that you do have. For most wineries, especially those selling direct to consumer, that means billing data.
Here's the key: in the vast majority of cases, financial data histories are exempt from CCPA. While you should still consult with a lawyer or trusted financial partner if a case arises, CCPA doesn't supercede other laws, so you can and should retain billing information or order history to comply with other regulations.
This is because billing data doesn't fall into the same category as the Personally Identifiable Information (PII) that's covered by CCPA. That means that even if a customer requests that you delete all their data, you can retain their order history. This exception also applies to Payment Card Industry (PCI) regulations — if a customer asks to see all their data, you can't send their credit card data.
To prepare, you need to assess your current data usage and update your policies accordingly. CCPA compliance is something to prioritize as you build your budget for website or privacy updates.
For instance, to preempt customer questions, update your privacy policy so that it answers the majority of questions customers may have and promotes transparency. Use a good amount of detail to ensure that customer worries are thoroughly addressed. For reference, you can check out WineDirect's privacy policy which we recently updated.
Similarly, you should disclose how you use cookies. If you're unsure what cookies you have, check out this website (it's the same one we use internally). Add all those cookies to your privacy policy, and make sure to note the purpose of those cookies, too. Again, you can check out our privacy policy to see how it works!
You should also contact your partners - especially your DTC ecommerce provider - to confirm that they're CCPA-compliant, and determine how their practices may impact you. If you’re a WineDirect client, rest assured our systems are fully compliant. However, if you are sharing your customer data with any other partners, or if you host your website on another platform, you’ll want to dig into their practices as well.
CCPA regulations are still evolving, and WineDirect will continue to evolve with them to ensure compliant transactions. We're taking every possible measure to ensure that our data privacy and security processes meet the highest standard.
We've also worked diligently with our legal team to ensure our platform is compliant for our customers. Our DTC ecommerce software enables you to be fully compliant with all CCPA requirements, and our team is here for any questions or issues you might have.
Check out this page for more details, including how to manage different opt-out requests.
If you still have questions about CCPA, we're here to help. Security and privacy are major priorities for us. That's why we're committed to providing top-tier service that meets the high standards of CCPA compliance. We'll also continue to provide updates as they become available — so stay tuned, and reach out if any concerns arise!
