Fortunately for event planners and marketers, the CCPA is in many ways less stringent than GDPR, particularly with regard to how it will be enforced in live data-collection scenarios. While the exact impact CCPA will have on the events industry is still unclear, there are enough similarities to GDPR that we can begin to get an idea of how to prepare for January 1, 2020, when the law goes into effect. We’re here today to cover a few questions that might come up as you begin your CCPA prep.
Who is covered under CCPA?
CCPA protects “consumers” who are residents of California. A California resident in this case is someone who is “domiciled” (California’s word, not ours) in the state, even if they are currently traveling outside it, as well as anyone in the state for other than a temporary purpose. The potential implication is that even events held outside California will have to be prepared to comply with CCPA if California residents travel to them, barring, of course, a clarification from California legislators stating otherwise.
What are the criteria for businesses?
CCPA obligations must be met by a business if:
It is a for-profit entity.
It collects or in some other way obtains consumers’ personal information.
It decides how and why to process consumer data.
It does business in California.
It meets at least one of the revenue/data thresholds described below.
In plain English: if you are a large company that handles the data of California consumers, you must take steps to protect and respect that data, and the same applies to a large vendor that processes vast amounts of consumer data on others’ behalf.
If your company has annual gross revenue under $25 million, buys, receives, sells or shares the personal information of fewer than 50,000 consumers, households or devices per year, and derives less than 50% of its annual revenue from selling personal information, CCPA does not count you as a “business” and its obligations do not apply. Huzzah for small (non)businesses! Note that all three conditions must hold; crossing any one threshold brings you into scope.
What are the rights given by CCPA?
California consumers have five rights:
The right to disclosure - Businesses must tell consumers, at or before the point of collection, what categories of personal information they collect and the purposes for which it will be used. This notice should include a link to the business’ “Do Not Sell My Personal Information” page if the business sells personal information.
The right to deletion - If a consumer submits a verifiable request to have a business delete their personal information, the business must respond within 45 days of receiving it (extendable once by a further 45 days where reasonably necessary) and must direct its service providers to delete it too. Statutory exceptions apply, for example data needed to complete a transaction the consumer requested, to detect security incidents and protect against fraud, or to comply with a legal obligation.
The right to access - Consumers must have a way to request the personal information a business has collected about them, and the business must respond within the same 45-day window. This right covers the 12 months preceding the request. Where data is provided electronically, it must be in a portable and, as far as technically feasible, readily usable format.
The right to opt-out - Consumers have the right to “opt out” of having a business sell their personal information. A third party that has bought that data may not sell it onward unless the consumer has been given explicit notice and the opportunity to opt out.
The right to non-discrimination - Businesses may not discriminate against consumers (for example by denying service, charging a different price or degrading service quality) for exercising their CCPA rights.
It is worth mentioning here that, given the right to access, businesses should have been tracking what personal information they hold on California consumers since January 1, 2019, because a request made on the first day the law is in force can reach back 12 months.
What are the penalties if a company is found in violation of CCPA?
The civil penalties under CCPA, enforced by the California Attorney General, are at first glance much less terrifying than the fines under GDPR:
Up to $2500 for each violation
Up to $7500 for each intentional violation
While this might feel lighter than the fines of up to 4% of annual turnover demanded by GDPR, if you process the data of ~400,000 Californians (about 1% of the state’s population) and are found to have intentionally violated CCPA in your handling of each person’s data, you could face penalties of up to $3 billion. Separately from these Attorney General penalties, CCPA gives consumers a private right of action for data breaches caused by a failure to implement reasonable security measures, with statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater), so the security of the data you collect is a liability question, not just a compliance one.
I’m GDPR compliant, do I need to do anything different for CCPA?
Most likely, yes. Nothing drastic, mind you, but there is at least one clear step called for by CCPA that GDPR does not require: a “Do Not Sell My Personal Information” link on your website’s homepage and in your privacy policy, if you sell personal information. Otherwise, companies that are GDPR compliant should already have most of the building blocks for CCPA compliance in place. Companies should consult their legal teams for the exact work needed on their policies to meet both sets of requirements.
What does this mean for marketers and event planners?
Take steps to make sure you are respecting consumers’ personal information wherever you collect it; you never know where a Californian might turn up.
Just as GDPR should be thought of as the Good Data Practices Regulation, businesses should view CCPA as the Care for your Customer’s Privacy Act. Be transparent with your attendees about what information you collect on them and what you do with it. Invest in technology that reduces the manual steps needed to stay compliant. Keep your data organized, and know where it lives, so that if you are asked to produce or delete it, you can do so readily.
What should I expect from my suppliers?
While CCPA does not impose obligations on processors the way GDPR does, its definition of a “service provider” still requires a written contract that restricts the vendor to processing personal information on your behalf and for no other purpose. In any case, you should demand a certain level of excellence from all of your tech vendors handling your customers’ data:
Make sure vendors can tell you exactly how and where they process and store your data, including which sub-processors they pass it to.
Keep an open line of communication so that consumer opt-outs and deletion requests can be conveyed quickly to suppliers, who must execute them promptly.
Negotiate data protection stipulations into contracts with new suppliers so that your CCPA (and GDPR) obligations flow down and vendors can be relied upon.
Check data ownership terms in vendor contracts and make sure they are in line with your legal team’s specifications for your company.
What happens after my event? Do I need to delete information that’s no longer relevant?
After your event, the most important thing is to ensure that any data you collected is used only for the purposes you stated at or before collection. If you decide to use data for a materially different purpose, you must notify consumers before doing so.
Also remember to keep data collected within the last 12 months readily accessible, and readily deletable, in case consumers invoke their right to access or their right to deletion.
How can using a technology like Glisser help?
Glisser has made data security a priority since we were first asked about GDPR at a lecture in 2016. Early on, we put our GDPR plan in place and took the extra step of becoming ISO 27001 certified in 2018 to make sure we were doing everything we could to respect and secure our clients’ data.
By embracing these new data regulations instead of trying to dodge them, we commit to placing the consumer first and we can help you do the same at your events.
Our customizable consent terms at the beginning of Glisser sessions let you clearly state to attendees what you intend to do with their personal data. Our secure servers hold your data in a form that is easy to download or permanently delete. Our platform is built to give you thorough documentation of all data collected and processed.
CCPA is here to stay, and Glisser is here to help.