California Consumer Privacy ACT and the Trade Show IndustryMay 17, 2019
It’s only been a year since the EU’s GDPR became effective, changing the way, the trade show industry did business with potential attendees in the EU.
Now another milestone is looming as the California Consumer Privacy ACT or CCPA will become effective on January 1, 2020 with its own set rules on how to safeguard personal information and the protection and privacy of personal data continues to be a hot topic in the trade show industry.
The trade show industry must pay close attention to these new data protection and privacy laws as many of the organizations within the industry use and share the personal information of individuals from everything from building attendee databases for attendee marketing to exhibitor lead retrieval, attendee session tracking and beyond.
The CCPA is the most up to date and comprehensive data privacy and data protection law in the US. It applies to businesses collecting personal information from California residents that also meets one of the following threshold requirements:
- Businesses that have over $25 million in gross revenues per year.
- Businesses that buy, receive, sell or share the personal information of over 50,000 consumers per year.
- Businesses that derive 50% or more of their revenue from the sale of consumers’ personal information.
Businesses that meet one of these threshold requirements are referred to as the “Covered Entities.”
Personal information is defined broadly in this statute. It is defined as any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with any consumer or household.
Please note, it not only covers typical personal identifiers, but it also covers any information that could be used to infer a specific consumer or household.
Consumers are granted certain specific rights under the CCPA regarding their personal information. The first is the right to request information.
When a Covered Entity collects personal information about a consumer, the consumer is entitled to know:
- The categories of information and the specific personal information the Covered Entity collects;
- The sources from which the personal information is collected;
- The commercial purpose for collecting the information;
- The categories of personal information sold;
- The categories or third parties with whom the Covered Entity is sharing the information.
Consumers have the right to opt-out of having their personal information sold or shared by the Covered Entity. The Covered Entity must provide a clear and conspicuous link on their home page titled “Do Not Sell My Personal Information” that consumers can use to opt out of having their personal information sold.
Consumers also have the right of deletion (referred to in the GDPR and elsewhere as the right to be forgotten). A Covered Entity must delete the consumer’s records upon a verifiable consumer request and it must direct other businesses it works with to do the same, if it shared the consumer’s personal information with the other business.
There are a number of exceptions to the right to delete including the need to complete a transaction, legal obligations, security reasons and others.
Covered Entities will have certain new obligations regarding Consumer rights.
Covered Entities must inform consumers of the following before collecting Consumer data:
- The categories of personal information to be collected
- The purposes for the collection of data
- That Consumers have the right of deletion of their personal information
- That Consumers have the right to opt-out of the sale of their personal data
Covered Entities must also update their privacy policies to include the rights of California residents. Covered Entities must also provide an 800 number to consumers for all data access requests. This is in addition to the link on the home page for all consumers who want to opt-out of their having their personal information sold.
Covered Entities must not discriminate against Consumers who have exercised any of their rights under the CCPA. This discrimination could include denying good or services; charging different prices or providing a different level of service.
Covered Entities must also follow the principles of data minimization (not collecting more personal information than is needed). Covered Entities must also ensure that any employees who work with consumers understand the CCPA, a consumer’s rights under CCPA and how to direct consumers to exercise those rights.
For California residents that are minors, Covered Entities are prohibited from selling a minor’s data until the minor (if aged 13-16) or their parent/guardian opts in to the sale of the data.
Overall, the CCPA gives consumers a level of control over their data unheard of in the US. In many ways, it’s similar to the General Data Protection Regulation (GDPR) enacted by the EU. Unlike the GDPR, which focuses on whether or not an individual has opted in to allowing their personal information to be used (Otherwise known in the GDPR as “explicit consent”), the CCPA focuses on the ability of a consumer to opt out of having their information used. So even if a trade show or association has revised their online practices to be GDPR compliant, there is still work to do to be compliant under the CCPA as well.
The CCPA, which is still nine months away from becoming law in the state of California, still might be subject to revisions by the California legislature. However, one thing seems clear. Data Protection and Data Privacy laws are here to stay. Though it may be unlikely that the US congress will do anything in the near future, it is likely that other states will follow California’s lead and enact their own data privacy and data protections statutes. Stay tuned!