Beginning in early 2023, U.S. states Virginia, California, Colorado, Connecticut and Utah, will be introducing new data privacy laws. These separate privacy acts go by different names, but they aim to accomplish the same things, namely, giving the consumer more control over what is done with their information.
The new laws will bring these U.S. states’ data privacy regulations closer to the European Union’s Global Data Protection Regulation (GDPR), which passed in 2018. GDPR is the EU’s premier law on data protection and regulation (“the toughest privacy and security law in the world,” according to GDPR.eu).
But despite GDPR being a European creation, the dynamic of its law allows it to reach outside its borders. “It covered Europe, but it also covered meeting attendees coming from Europe to the United States,” says Jill Blood, vice president of deputy general counsel for Maritz Global Events.
“So, even if you were a U.S.-based company, you needed to comply with it. For Maritz, around 10% of our total attendee base is European across all of our clients. Some only have U.S., some have higher percentage, but it impacted us, it impacted a lot of people. For domestic companies, it was the first time a lot of people even had to think about this.”
While these new laws aren’t quite on the level of GDPR, they still spell significant changes for meeting professionals and their attendees.
What New Privacy Laws Mean for U.S. Attendees
There are five main areas these new privacy laws cover, according to Blood: data minimization, security, notice requirements, consumer rights and contractual requirements.
“Keep as little data as possible,” Blood says. “The idea being, if you have somebody’s personal information, only hold it as long as you need it and only have it if you need it. So, you give your Social Security number to somebody, you want to make sure they’re only using it for that purpose and then they’re getting rid of it as quickly as possible.
“All of these laws come with enhanced security features,” Blood says. “They’re wanting to make sure people are protecting their data as much as possible.”
For California in particular, its new law, the California Privacy Rights Act (CPRA) revises the California Consumer Privacy Act, adding new data privacy concepts to the state. One of which is marking certain types of information, such as social security numbers, passport numbers, biometric data and “precise” geographic location as “sensitive,” qualifying it as personal information and giving consumers additional control over how that information is used.
A large part of data collection is collecting cookies—data used to identify your computer and track internet browsing habits—and cooking are where notice requirements will begin to play a larger role.
Blood says notice requirements are a way for people to understand how their data is being used and that if data is being shared with a third party, there’s transparency among everyone. A lot of that’s done through privacy policies. You’re going see a lot of people, including Maritz, update their privacy policies. There’s some talk that you might need multiple privacy policies on websites that would make sure that you know who’s using their data and how they’re using it, even as it moves downstream.”
“This is the ability for me or you to contact a company and say, ‘I don’t want you to use my data anymore. I don’t want you to keep it. I want to know what data you have and how you’re using it.’”
In the CPRA, this comes in the form of, but isn’t limited to, the “right to restriction,” which allows consumers the right to limit the use and disclosure of personal information, the “right to access information about automated decision making”—which involves the use of data and algorithms to make decisions without human intervention—and “the right to restrict sensitive personal information.”
Blood sees the increase of contractual requirements already bleeding through hotel agreements, DMC agreements and client agreements. New contractual requirements will mean planners and organizers will have “an obligation to make sure that people who were sharing the data with are also protecting it and sort of doing what’s right by it,” she says.
“I think we’re going see even more of those [agreements] and even stricter requirements. We’re certainly seeing that from our clients, more and more these provisions [are going] from one paragraph to multiple pages. There’s more accountability and there’s more in the terms of those requirements.”
What This Means For Planners
“As an industry, we’ve always been pretty good about respecting people’s right to privacy. I don’t think it’s an industry where I hear a lot of people doing unexpected things with data,” Blood says.
Despite the relative lack of security threat in the meetings industry, these new laws will require planners to be more thoughtful about how they use attendees’ information. Blood says there was a time where you could simply say you have data without specifying what it’s being used for.
“What it requires now is making sure that when you’re transferring that data, you’re doing it thoughtfully,” she says. “You’re putting it through encryption, you’re putting it through portals, you know who you’re sharing the data with and you know you’re sharing it with responsible people that you have contractual requirements with. It’s not just, ‘We’re sending the data around.’”
Target marketing is where Blood says more of these regulations really began to show. She says a test for Maritz is asking if they’re using the data in a way people expect; actions like using one’s information for registration and printing a name badge are unlikely to present problems for planners, as they’re par for the course.
Blood says it’s about categorizing things into what’s an expected use and what’s not. She says the transparency and giving the people the right to opt in or out is also good for business. It prevents them from overstepping boundaries. “We don’t want somebody to show up on site and be creeped out because there’s suddenly a picture of their family in their hotel room and they’re saying, ‘How did you get that?’”
The Big Scary
Blood says many event planners tend to avoid the topic of data privacy altogether. She says she often gets clients who get overwhelmed and don’t know what to do, especially association clients who don’t have an in-house legal or privacy team. “I think it’s one of those things that when you get into it, there’s a lot more you can do than it seems like initially.”
“We almost have people overreact and kind of shut down completely and say, ‘Well, maybe we just don’t have people from Europe. Maybe we don’t use the data at all,’” Blood says. “The message we send a lot to our clients is we have to be smart, we have to be thoughtful….This isn’t a reason to not plan something. It’s not a reason to not design the event you want to do.”
Another area of intimidation for planners is trying to navigate the laws of all 50 different U.S. states, Washington D.C., and all other countries abroad. But luckily, Blood says most of these states are copying off each other, with California leading the way. “While they have unique sort of ideas, almost all of them are based on the same kind of core tenants, so you’re not complying with ten different completely unique laws,” she says.
Businesses outside of the industry have given a lot of pushback, Blood says, claiming that that these security laws are burdensome and expensive to comply with. “For companies like ours, we’re not necessarily who these laws were targeted at,” she says. “We’re not often doing sort of outside-of-the-box, creepy things with data, but we do get impacted by them, and for small companies this can be pretty burdensome if you don’t have an internal team, so I think there’s a fair amount of pushback, but my crystal ball would say we see more of this and eventually we see a push for a federal law.”
According to the U.S. State Privacy Legislation Tracker, most states either haven’t had a privacy legislation bill introduced or their bills are inactive.
“I think more [laws] will come. My hope is that eventually we get a federal law that makes it easier for companies to comply with one requirement. But I suspect we’re at least a few years away from that becoming a reality.”
Generational Change of Data Attention
Blood believes the future is data and understandably so. She points to AI and bots in particular, which allow planners to tap into data more than they were ever able. “Our teams are looking into that stuff constantly….I think we’ll see data used around things like risk mitigation and security. Knowing where people are in the event something happens. We saw some of that around Covid, as people were looking at testing and vaccines.”
The shift to a greater use of data almost seems inevitable. And with younger generations, more familiar with data in general and how it’s being used to cater to them more specifically, it will demand that companies use data responsibly.
“[Millennials and Gen Z] live their lives online,” Blood says. “They’re really thoughtful about data. I think it’s going require all of us to sort of step our game up, and they’re going to want those disclosures. They’re going to want to know more. They’re going to want more access to data. And I think they’re going to be more sensitive about how it’s used.”
And Blood believes, in turn, the response from the newer generation will make the industry better. “I think we’ll hear it from attendees when we get it wrong. That’ll help us as an industry get smarter and sharper. That learning curve will probably be pretty quick. The world’s changing faster than it ever has before.”