A new California law that ensures data privacy of all residents is the strictest of its kind in the United States and will have major implications for professionals and companies, including those involved with the meetings industry.
Last week, Gov. Jerry Brown signed the law, the California Consumer Privacy Act of 2018 (CCPA), which contains provisions that echo those of the European General Data Protection Regulation (GDPR) legislation that was enacted in May.
The new Golden State law will go into effect in 2020. It will affect companies with more than 50,000 annual customers, those acquiring more than $25 million per year and those gaining 50 percent of revenue by selling customer information. Companies fitting that description will have to disclose personal information obtained, allow the deletion of data and abide by customer refusal to have personal data sold to third-party companies.
The scope of said “personal data” is broad. It can include anything that identifies or relates to a consumer or household. Examples include real names, aliases, passport numbers, driver’s license numbers and Social Security numbers.
The bill summarizes personal information as “inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”
“There’s a whole new meaning to what privacy is about in this era of the internet,” said state Sen. Robert Hertzberg. “We in California are taking a leadership position with this bill. I don’t think there is a question this will be the most far-reaching privacy bill across the country. I think it will serve as inspiration across the country.”
GDPR sets stringent guidelines for data collection and processing, protecting citizens from being exploited by large companies. Because the California law's guidelines are extremely similar to those of GDPR, event planners and hoteliers will most likely have to exercise even more caution, even though the bill is mostly aimed at internet and technology companies.
There are some differences, though. The California law allows users to opt out of data collection and trading. By contrast, EU citizens must actively and explicitly opt in. GDPR simply requires the data controller to explain to the “data subject,” in plain language, what the data will be used for. The CCPA says a link on the company’s website should be apparent and readily offer the consumer a chance to opt out of data selling.
Each violation of the new act could warrant a $7,500 fine from the attorney general and a fine of up to $750 from class-action lawsuits. Under GDPR, awards to individuals are not guaranteed.
However, this might not be all bad news for companies. The bill allows businesses to offer financial incentives to internet users who allow their data to be sold. Another section, confusingly written, bars businesses from charging customers who choose to opt out different prices for goods and services. But at the same time, there’s nothing stopping businesses from doing so if the price difference is “reasonably related” to the value of the customer’s data. Further litigation is expected to take place before 2020 and will hopefully mitigate some of the muddy language. A period of public consultation will be held by the State of California.
Other states could begin to see the effects of the law, as well.
“It’s going to be impractical for companies to maintain two separate sets of privacy protections—one for California and one for everyone else,” Cynthia Larose, a cyber security expert at the law firm Mintz Levin, told the Associated Press.