What Does the CCPA Mean for the Grocery Industry?


As a retail vertical that shoppers interact with multiple times per month, grocers (and their packaged goods partners) benefit more than others from the use and optimization of data and analytics. 

Following implementation of the General Data Protection Regulation (GDPR), a European Union privacy law that came into effect in 2018, a sweeping focus on privacy is expanding and affecting every industry, including grocery. This is especially true in California, where the California Consumer Privacy Act (CCPA) goes into effect in January 2020. Once the act is in place, grocers and other retailers will need to comply with new customer data regulations.

Given the rise in concern over the collection of customer data (especially following the Facebook/Cambridge Analytics scandal), California and other municipalities are emphasizing the need for individuals to have a greater level of control over, or reciprocal value from, their data. Grocery retailers must take time to understand the details of CCPA and consider the implications for their data collection and sharing policies.

Furthermore, in a time when many grocers are giving up control of data to third-party partners, it’s critical that they understand these processes, who owns the data and exactly how that data will be used.

Consumer Rights Provided Under CCPA
The CCPA provides consumers in California with five privacy rights:

  1. The right to know what personal information is being collected about them.
  2. The right to know whether their personal information is sold or disclosed and to whom.
  3. The right to say no to the sale of personal information.
  4. The right to access their personal data.
  5. A duty on the part of the organization not to discriminate, even if consumers exercise their privacy rights.

Does Your Company Fall Under the Law?
The first step in preparing for CCPA is to determine if your company is impacted by its provisions. The CCPA applies to any business that collects personal consumer data, does business in California and fulfills at least one of the following:

  • Generates annual gross revenues in excess of $25 million.
  • Possesses the personal information of 50,000 or more consumers, households or devices.
  • Earns more than half of its annual revenue from selling personal consumer information.

The CCPA will not only affect a retailer’s online initiatives, but also its in-store activity. For grocery, CCPA equally affects in-store loyalty signups and programs. Additionally, CCPA doesn’t just apply to retailers within California. If they’re collecting information about California residents after they visit the chain in another state, join the loyalty program and go back home, they’re still possibly covered. 

How to Prepare
To prepare for the CCPA, companies must immediately start understanding their data maps and data flows to examine what is stored where and by whom, in order to ensure that all levels are abiding by the law. 

Under the CCPA, individuals can request details on how a business uses and discloses their data, and they have the right to request that the business delete the information. However, just because somebody requests the deletion of data doesn't necessarily mean the company must erase it. There are plenty of exemptions for businesses within the CCPA that companies should familiarize themselves with as 2020 approaches.

The truth is, many systems in operation today are incompatible with a true “delete” of an individual’s data. Whether grocers handle this on their own, or with the assistance of compliance solutions, they must tackle the challenging task of making sure all systems are capable of identifying the data is being used and can delete it if necessary.  

It’s essential for companies to question if their partners are compliant, as well. The data tree has deep roots, especially with partners who help manage loyalty programs. In order to ensure that data is safe and accessible in the case of a request to delete, companies must either own the data themselves or be in close contact with their partners while preparing systems and, moving forward; they also should partner with companies that are deeply familiar with the CCPA’s implications. 

Make Time Now
We’re almost into the last calendar quarter of 2019 already. Do companies need to take care of everything they need to comply by Jan. 1, 2020? Maybe not. The regulations that will be used to enforce this law are still being drafted by the California attorney general and may not even be in place by then.

Therefore, we won’t know exactly what businesses will need to comply with until that is finalized. Additionally, the regulations won’t be enforced until July 2020 at the earliest. But while there’s still time to optimize your systems, it’s important to begin doing so now.

It’s also important to remember that there currently are nine legislative bills attempting to modify the existing CCPA, so it’s a breathing law at the moment that likely will see changes made. The fact remains, however, that this will soon be law, and concerns about consumer privacy in general are not going away and must be taken seriously.

About the Author
Sylvain Perrier is chief executive officer and president of Mercatus Technologies Inc., which helps drives success at many large retailers using pragmatic easy-to-use technology. He has more than 15 years of executive-level experience in retail technology, pushing the boundaries in specialty areas such as mobile devices, web technology, in-store solutions, and software-as-a-service architectures. Perrier also is listed as the lead inventor on more than 75 granted intellectual property patents for more than 10 distinct inventions.