The nation’s toughest data privacy law is coming next month
Do you let people who enter personal information on an event registration site or other website forbid the sale or sharing of that information? Are you prepared to delete someone's personal data on request?
These are the kinds of questions some planners will have to address when California's new data privacy law, the California Consumer Privacy Act (CCPA), takes effect on January 1, 2020. It is the strictest law of its kind in the United States and will most likely shape data protection law in the rest of the states.
See also: Is Your Business CCPA Ready?
You may remember how planners and venues scrambled to make sure they did not run afoul of the EU's earlier law in this space, the General Data Protection Regulation (GDPR), which took effect in May 2018.
Is this GDPR Deja Vu?
Is more scrambling in order? Not exactly. As far as most in the meetings industry are concerned, CCPA is something of a GDPR Mini-Me.
"It's quite limited," says Corbin Ball, CMP, a nationally recognized meeting tech expert. The California law, for example, does not apply to not-for-profit organizations. It is aimed at data-driven businesses such as internet marketing and technology companies, but only those that meet at least one of three thresholds: annual gross revenue above $25 million; 50 percent or more of annual revenue derived from selling consumers' personal information; or buying, selling or sharing the personal information of 50,000 or more consumers, households or devices a year. GDPR, in contrast, applies to any organization that processes the personal data of people in the EU, regardless of its size.
"Personal information" is broadly defined in the statute: anything that identifies, relates to, or could reasonably be linked with a particular consumer or household. Examples: real names, aliases, passport numbers, and driver's license and Social Security numbers. It also covers inferences drawn from such data, which the statute describes as anything used "to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes."
The law protects California residents and applies to businesses that do business in California, wherever the data is actually collected. If you plan a meeting in another state that Californians attend, you are still potentially liable for noncompliance.
Companies that meet the law's thresholds must disclose their data collection and sharing practices to consumers at or before the point of collection. Consumers have the right to opt out of the sale of their personal information, which the statute requires businesses to offer through a clear and conspicuous "Do Not Sell My Personal Information" link on the home page, and the right to request that their data be deleted. Businesses may not sell the personal information of consumers under the age of 16 without explicit opt-in consent (from a parent or guardian for children under 13).
Under GDPR, on the other hand, every use of personal data needs a lawful basis. Where that basis is consent, people in the EU must actively and explicitly opt in, and the data controller must say in plain language what the data will be used for.
Fines under the CCPA cap at $2,500 per unintentional violation and $7,500 per intentional violation. Consumers can sue on their own only over data breaches caused by a failure to maintain reasonable security, with statutory damages of $100 to $750 per consumer per incident, and such suits can be brought as class actions. GDPR gives individuals a right to compensation for damage but sets no fixed amounts, and regulators can fine a business up to 20 million euros or 4 percent of its annual global turnover, whichever is higher.
6 Months to Adapt?
Even after January, enforcement by the state attorney general does not begin until a six-month grace period has passed, giving businesses time to acclimate to the new law. That period will also allow for fine-tuning of the implementing regulations based on public comments received during the state's formal review period.
"Although the California Consumer Data Privacy law is not as comprehensive as the GDPR," writes Jon Fielding, EMEA managing director for Apricorn, Inc., an American designer and manufacturer of computer storage products, utilities and accessories, on helpnetsecurity.com, "it's the first step to protecting consumer data. California pioneered tech innovation and is now paving the way for consumer privacy."
In a new ranking of U.S. privacy laws by Paul Bischoff, a tech journalist and privacy advocate on comparitech.com, California is far out in front of the pack. Only Nevada also requires that companies allow consumers to opt out of third-party data sharing, for example, and California is the only state that dictates that companies must delete personal data on demand.
"In general, though, if your company is GDPR-compliant, it covers all the bases except for putting an opt-out link at the bottom of your website," Ball says. "I don't see CCPA being as big a speed bump for planners as GDPR."