As the regular tax filing deadline grows near, we thought we’d take a look back at two significant changes that will impact small businesses and how their ecommerce functions. Focused on sales tax and consumer data privacy, these recent decisions don’t exactly answer all of the questions. Instead, they lay the groundwork for even more changes to come as our judicial and legislative systems labor to catch up with the ever-changing advancements in technology.
The first change is a result of the United States Supreme Court ruling in South Dakota v. Wayfair, Inc., et al. and the second is the California Consumer Privacy Act of 2018 (CCPA) that was signed into law on June 28, 2018, and will take effect January 1, 2020.
South Dakota v. Wayfair, Inc., et al.
The U.S. Supreme Court finalized a closely divided 5-4 ruling in late June of 2018. The ruling allows states to levy sales tax on online purchases regardless of whether or not the company has a physical presence in the state. This 2018 ruling overturned the Supreme Court’s 1992 Quill decision but without making the South Dakota law constitutional. As such, the specific impact on smaller businesses remains to be fleshed out by the lower courts and Congress.
The 1992 Quill decision created a tax-free shopping loophole because the courts deemed it necessary for a business to have a physical presence in a state in order for that state to impose a sales tax. As online retail sales grew, individual states felt compelled to put in place laws taxing Internet sales. However, many of those rely on consumers following an honor system of payment.
The South Dakota decision came about due to the changing dynamics of our economy which are a result of the influence of the Internet. The ruling is considered to be a sort of equalizer as it requires online retailers to follow the same tax laws as physical stores.
At the time of the 2018 decision, states without a state tax expressed concerns that the decision will require their businesses to become tax collectors for other states. There is also a concern that smaller companies with online retail business will continue to shoulder the impact of the Court’s decision especially as they look to deal with each individual state’s sales tax laws. And, of course, they will most likely pass the expenses on to consumers.
Since the South Dakota ruling, many states have adopted their own sales tax nexus provisions while acknowledging that to go beyond the South Dakota thresholds would mean fighting their own court battles. To avoid the appearance of causing excessive burdens on interstate commerce, most states have aligned their laws with the standard set in the South Dakota v. Wayfair, Inc. case.
California Consumer Privacy Act
The CCPA is a far-reaching consumer privacy law that establishes regulations for processing personal data of California residents and provides consumers with insight regarding what data is being harvested and then how that data is being handled. Due to the global nature of California’s economy, the CCPA is predicted to have a widespread impact.
The CCPA establishes a broader definition of personal information that expands it to include any information that relates to a consumer, household, or device (IP addresses, geolocation data, Internet browsing, and search histories and more). The new definition doesn’t include information available to the general public, information that is lawfully made available from government records, or information that can’t reasonably identify a consumer or device.
The law pertains to any company, domestic or international, that receives the personal data of California residents and reaches or exceeds one of three thresholds:
Annual gross revenue in excess of $25 million;
Collects information from more than 50,000 consumers; or
Earns 50% or more of their revenue from selling the personal information of California residents.
Platforms such as Google, Twitter, and Facebook could find their digital advertising practices impacted as might Internet providers that generate marketing profiles by collecting web browsing data. Any sites that store tracking cookies on visitors’ browsers will be required to provide consumers the option to have their information deleted if it has been collected.
Additionally, the CCPA requires businesses to disclose, at the time the information is collected, exactly what they do with that personal data. General privacy policies have to communicate which information is collected, where it was collected from, how it is being used, with whom the information is shared, and whether that sharing is simply disclosure or a sale of information to a third party. The CCPA also requires an opt-out in the form of a “Do Not Sell” link on the company’s home page.
California legislators strengthened response obligations in regards to timelines for acknowledging and handling consumer requests and complaints as well as timelines for notifying the Attorney General. The CCPA prescribes concrete measures that go beyond the European Union’s (EU) General Data Protection Regulation (GDPR) which went into effect in May of 2018 and was, at the time, the most consumer-centric regulating established.
In comparison to the GDPR, the CCPA establishes a more comprehensive definition of personal information by extending the rights to households and devices. The CCPA does not contain exceptions to accessing personal data as the GDPR does and it outlines different exceptions concerning the deletion of data. The CCPA also imposes stricter constraints in regards to how data is shared for commercial purposes.
To safeguard their ability to comply with requests for access, to delete, and so on, experts suggest that businesses inventory the personal information of all customers who are residents of California. Companies should provide a means by which consumers may contact the company for the purpose of requesting data and should also feature a clear opt-out link on their homepage.
It is additionally recommended that companies establish processes that allow them to verify the identity of anyone submitting a request, to accommodate requests in a timely manner, and to ensure that the opt-out period is a full twelve months. Privacy policies should also be updated to reflect all changes and guidelines established for documenting company actions related to compliance.
The California legislature has been working to simplify and align the CCPA as well as previously existing privacy laws. And there is still time before the January 2020 CCPA implementation date to allow further shaping of the regulations.
The landscape of the business world can be filled with rough terrain as entrepreneurs look to maneuver their way through tax and privacy laws. The experts at Strategy Driven Marketing are neither lawyers nor CPAs. We do our best, however, to stay abreast of legislative changes that affect ecommerce and other aspects of businesses we work with. We try to make sure our clients know when it might be time to check in with their legal or financial consultants.
Looking for a website revamp or a rebranding? Need assistance with social media management or content? Or maybe it’s time to sit down and rethink your big picture approach to marketing. Whatever your needs, the team at SDM is ready to help. Trust our experience and expertise to provide you with the resources you need to move your business to the next level. Contact us today!