Retailers in the United States including Walmart Inc will add “Do Not Sell My Info” links to their websites and signage in stores starting January 1, allowing California shoppers to understand for the first time what personal and other data the retailers collect, sources told Reuters News Agency.
Others like Home Depot will allow shoppers not just in California but around the country to access such information online. At its California stores, Home Depot will add signs, offer QR codes so shoppers can look up information using their mobile devices and train store employees to answer questions.
Large US retailers are rushing to comply with a new law, the California Consumer Privacy Act (CCPA), which becomes effective at the start of 2020 and is one of the most significant regulations overseeing the data collection practices of US companies. It lets shoppers opt-out of allowing retailers and other companies to sell personal data to third parties.
In addition to retailers, the law affects a broad swath of firms including social media platforms such as Facebook and Alphabet’s Google, advertisers, app developers, mobile service providers and streaming TV services, and is likely to overhaul the way companies benefit from the use of personal information.
The law follows Europe‘s controversial General Data Protection Regulation, which sets a new standard for how companies collect, store and use personal data. The European law gave companies years to comply while CCPA has given them a few months.
Draft regulations around the law were released in October. Retailers did not anticipate having to add signs in their stores, which are required by the regulations but were not part of the original statute. Requiring signs in stores is not an effective use of retailers’ dollars, said Nicholas Ahrens, a vice president at the Retail Industry Leaders Association, who leads its tech policy.
A Walmart source with knowledge of the matter told Reuters the company is “working through a lot of ambiguities in the law, for example, the language around loyalty programmes and if retail companies can offer them going forward.”
There is also a lack of clarity on what constitutes “sale” of information, retail lobbyists and attorneys advising retailers said.
Walmart spokesman Dan Toporek said the retailer supports efforts that give customers control of their information.
Home Depot spokeswoman Sara Gorman said the California law introduces new requirements but does not change the company’s “deliberate approach to customer data and privacy.”
Target spokeswoman Jessica Carlson said a “Do Not Sell” button on its website, will be visible to all US shoppers and California residents will have access to the information outlined under the new law. Target already allows its shoppers to opt-out of sharing their information with third parties for marketing purposes, she said.
Amazon.com Inc is taking a different approach. “We do not plan to put a “Do not sell” button on our website because Amazon is not in the business of selling customers’ personal data and it never has been,” a company spokeswoman said in a statement.
Amazon will launch a revised privacy notice and will review the final regulations to “understand what signage may be required to inform customers how to find the privacy notice” at its stores, the spokeswoman added.
Some national chains such as Sherwin-Williams, which sells paints and coatings, have already begun adding links on their websites in California, Reuters has found. The company did not respond to requests for comment.
Both Walmart and Amazon have ramped up investments in drawing out “data maps” in the past few months, which lets them collate the extent of personal information collected by different business units, where and how this information is stored, what they do with it and who it is shared with, sources said.
A Walmart source said the company’s different business teams including technology, marketing, advertising, payments, and security are investing resources in auditing and making decisions on how to respond to requests from customers to see their data or those who ask for it to be deleted.
An economic impact assessment prepared for the California Attorney General’s office by an independent research firm found compliance with the regulations will cost businesses between $467m and $16.5bn between 2020 and 2030. Industry estimates peg initial compliance costs at over $50bn.
The California Attorney General recently told Reuters in an interview that privacy law enforcement will look kindly on those that demonstrate an effort to comply.
But sources told Reuters they expect plaintiff lawyers to bring lawsuits in the new year against a range of businesses that may fail to meet the law’s requirements.
Many companies affected by the law have lobbied extensively for a federal privacy bill that might override the law in California. But their efforts have so far made little progress.