There are a few things we can count on every new year: The ball will drop in Times Square, millions of people will make resolutions they may or may not keep, and new regulations will go into effect. The start of 2020 was no exception, and the law we’re focused on right now is the California Consumer Privacy Act (CCPA).
The CCPA is a law that gives California residents (known as “consumers”) certain rights related to the personal information that “businesses” (as defined below) have collected about them.
In particular, California residents are entitled to:
– Request to know the specific pieces of information the business has collected about them
– Request to know the categories of information the business has collected about them
– Request their personal information be deleted
– Opt out of the sale of their personal information
How personal information is defined under these rights is broad and covers much more than the traditional identifiable information, like name, address, and phone number. It also includes products and services purchased, internet activity, geolocation data, and professional or employment information. What’s more: It includes inferences drawn from the information collected, or what businesses assume about individuals based on their information.
We boiled that down as best we could, but since laws are, well, laws, let’s look at an example we can all relate to: a Californian requesting their personal details from a ride-sharing service operating in that state.
The consumer likely can request access to their saved rides, plus their location and route history (including dates and times). Additionally, they can learn what, if any, inferences the company has on them — ride-sharing related or not. For example, say I take a ride-sharing service to my local fitness facility every weekday at 6 pm. If the ride-sharing company has documented inferences that I likely live an active lifestyle and work traditional hours, I’m entitled to — upon request — know those details and to which parties they may have sold those inferences.
One of the most common misconceptions business leaders and marketers have about the CCPA is that the law doesn’t apply to them because they aren’t located in California. The reality is if you have any customers or users in California, you might be subject to the CCPA. So as an event marketer, if you have event attendees from California, you might be required to comply with this new law.
That said, the CCPA doesn’t apply to all businesses. If any of the following apply to your business, you must comply:
– Your gross annual revenue exceeds $25 million (globally — not just in California).
– You receive or sell personal information from 50,000 or more Californian consumers (a qualification that can technically be met from data collected by typical website analytics software).
– 50% or more of your annual revenue is from selling personal information.
Handle the personal information of more than four million consumers annually? You’re responsible for even more burdensome training and record-keeping obligations under the current draft regulations.
If the CCPA does apply to your company (based on the qualifications above), there are a few things your event marketers can do to respect consumers’ data privacy and comply with the CCPA.
Be transparent about the event data you collect. Law or not, giving your attendees full visibility into the data you have on them is just the considerate thing to do. With the CCPA, you also have to let them know what you plan on doing with it.
Keep your event data organized. Under the CCPA, Californians can request access to the data you have, and you’re required to hand it over. If or when that time comes, save time and energy by knowing where to find everything.
Consider an event marketing platform. Maintaining CCPA compliance can be much simpler with a technology that adds consent terms and any other legal-ese you need. And wouldn’t it be nice to have CCPA-compliant language appear automatically as soon as an attendee selects California as their state of residence?
Understand your vendors’ use of event data. Under the CCPA, providing personal information to any third party, including vendors, can be considered a “sale” under the law. This is, of course, unless you have entered into an agreement with the vendor restricting their use of the personal information in certain ways.
Even if the CCPA doesn’t apply to your company (for example, if you don’t meet the qualifications mentioned earlier), it’s a good idea to follow the regulations anyway. Laws like the CCPA are only the beginning of data privacy regulation, so it’s best to get ahead of the curve and start now.
Data privacy and protection is becoming a top priority for individuals and organizations, but the U.S. has historically lagged behind Europe on this issue.
In 2018, the General Data Protection Regulation (GDPR) went into effect, which offers personal data access and privacy controls similar to the CCPA for consumers residing in the European Union. Because of its steep potential fines and clear extraterritoriality, this was the first data privacy law that really impacted U.S.-based companies. According to a recent study by Capgemini, companies that are complying with GDPR have actually experienced some significant benefits like increased customer trust and engagement and even revenue growth.
But even so, there are currently no regulations protecting consumer data or a data protection agency at the federal level in the U.S. California has taken the lead in state-level data privacy law by enacting the CCPA, and other states, including New York and Washington, are working on enacting similar laws.
In the near future, we should expect that similar laws will pop up in these and other states across the country, making consumer data privacy more mainstream. This is why all marketers, including event marketers, should start to embrace these data privacy laws and requirements — even if they don’t necessarily apply yet.
Legal disclaimer:
One Clipboard, Inc. d/b/a Splash provides this guide for informational purposes only and not as legal advice. Splash cannot determine whether or not the CCPA or GDPR applies to you or your organization, and following the steps contained in this guide does not guarantee compliance with the CCPA, GDPR, or any other law or regulation. Splash is not a law firm, and the information in this guide is not a substitute for the advice of an attorney.
Rebecca is the Senior Manager of Content Marketing at Splash, where she leads content strategy and creation, and helps event marketers successfully scale their event programs through educational and thought-provoking content. A Chicago native, Rebecca recently traded the harsh winters for yearlong sun in the Arizona desert, where you can find her on running trails, in the pool, or at a patio cheering on the Chicago Bears.
