States Pass Consumer Privacy Laws Impacting Brick-and-Mortar Businesses

May 13, 2022

Connecticut lawmakers have passed legislation (CT SB 6) that grants several rights to consumers over what personal information companies are allowed to collect. The news in Connecticut comes one month after Utah lawmakers enacted similar legislation (UT SB 227) that follows four other states — California, Colorado, Delaware, and Virginia — that have such a privacy law on the books. With Congress unable to agree on a federal solution, state lawmakers have taken the lead in advancing legislation that sets standards on protecting consumer data.

While each state has taken a slightly different approach, these privacy laws generally give consumers certain rights over their personal information, including the right to know what is being collected, the right to correct inaccuracies, and the right to opt out of certain processing of information for uses such as targeted advertising, the sale of information to third parties and profiling. Companies may also be required to disclose their privacy policy to customers, provide a “do not sell” link on their website and conduct data protection assessments on a regular basis.

In an increasingly digital world, debate over consumer privacy has been the main battleground over the limits of what companies can do with consumers’ personal data. While large tech companies are often the target for many lawmakers, consumer privacy laws that are broad in scope not only impact digital companies, but also brick-and-mortar retailers that do not rely on targeted advertising or selling customer information.

The scope of privacy laws can be broad

The question of who these privacy laws should apply to has been a source of some tension among lawmakers. Some Republicans have looked to target tech companies for perceived censorship on social media, but have run up against other pro-business Republicans who worry about an overly broad scope affecting other industries. 

Typically, privacy laws have a revenue threshold to exempt smaller businesses from onerous compliance costs, as well as some requirement that the business collect data from a certain number of households for the law to apply. However, the California Consumer Privacy Act, which went into effect in 2020, applies to any company with at least $25 million in revenue, regardless of how much, if any, data is collected or sold.

The reach of a privacy law also does not necessarily require a business to be physically located in the state. If a company meets the threshold criteria and markets or sells to residents of a state with a privacy law, the company can still be required to comply with consumer privacy requests in that state.

Information collected on site

For brick-and-mortar businesses without a web presence, compliance with privacy requirements could still be required. Personal information can be collected through CCTV footage, or facial imagery collected from a self-checkout register. Notice to the consumer can be given through a sign on location, and the retailer would need to give consumers an offline way to exercise their rights, such as forms they can complete.

Loyalty programs

Most of these privacy laws prohibit companies from discriminating against consumers for exercising their privacy rights. But non-discrimination clauses have raised questions about loyalty programs. Could the privacy law be interpreted to mean businesses cannot give preferential treatment to customers in their loyalty programs, which collect information on consumers in exchange for discounts?

California will allow loyalty programs, but the Attorney General has spelled out specific requirements for disclosures to the consumer and an opportunity to opt out. Other states have been more permissive in allowing loyalty programs to operate, but this is an area where retailers will need to ensure they are in compliance.

Company websites

Any company with a website can also be required to comply with state privacy laws. Businesses often collect personal information from customers on their websites, such as shipping addresses, contact details and payment information. Information such as IP addresses, or location data used to show directions to the store, can count as “personal information.” Even a company that does not have a site but takes orders over the phone can be subject to privacy laws if it meets the threshold and is taking personal information from a customer.

For more information contact Jim Hill, ICSC Vice President, State & Local Government Relations, at jhill@icsc.com.