The California Consumer Privacy Act (CCPA) makes it even more critical for event organizers/hosts to partner with the right technology provider
Do you plan to collect any personal information about California residents?
If so, you may be required to comply with the landmark new California Consumer Privacy Act (CCPA), which became effective on January 1, 2020 and is the strictest privacy law in the United States. The CCPA seeks to give California residents more control over their personal information and how it is used, while protecting them from the risks of unauthorized disclosure of personal information, such as identity theft and reputational damage. Under the CCPA, a consumer may:
- Request information from a company about its collection and use of his/her personal information, including the categories of information collected, the source of the information, how it is used, and what information is or was disclosed or sold to third parties;
- Request a copy of the specific personal information that the company collected about him/her in the previous 12 months;
- Require (with certain exceptions) that a company delete his/her personal information;
- Opt-out of the company selling the consumer’s personal information to third parties; and
- Not be discriminated against by a company for exercising these rights.
The law applies to for-profit businesses that do business in California and meet any one of the following criteria: (a) annual gross revenue above $25 million; (b) annually buying, receiving, selling, or sharing the personal information of 50,000 or more consumers, households, or devices (a “consumer” under the CCPA is a California resident); or (c) deriving 50 percent or more of annual revenue from selling consumers’ personal information. Note that providing an attendee list to sponsors or exhibitors in exchange for money or other valuable consideration is a “sale” under the Act, so it counts toward criterion (c) and triggers the opt-out requirements discussed below. Businesses don’t have to be based in California or have a physical presence there to fall under the law; they don’t even have to be based in the United States. The law also applies to any entity, located in any country, that controls or is controlled by a covered business and shares common branding with it.
What defines personal information?
The California law takes a broad approach to what constitutes personal information. For example, olfactory information is covered (the statute lists “audio, electronic, visual, thermal, olfactory, or similar information”), as well as browsing history and records of a visitor’s interactions with a website or hosted software application. The statute lists more than 40 examples of data considered “personal information,” and the definition reaches information that can reasonably be linked to a household, not only to an individual.
How to Meet the New CCPA Standards
The goal of the CCPA is to protect the privacy and security of consumer data. Privacy rights cover an individual’s right to (a) decide what personal information about him or her is kept by businesses and (b) whether that information is disclosed or sold to others. Security of data relates to how companies protect the information they hold about an individual from outside bad actors (e.g., hackers) and from unintended discovery and use by third parties (e.g., an accidental data leak).
Ascertaining what actions your company must take to comply with the CCPA depends on a “reasonableness” standard; what is considered “reasonable” depends on your business’ size and activity, as well as the type of personal data you process and retain. There is a consensus, however, on the minimum that covered businesses should do to comply. Businesses must adopt new measures (or adjust existing ones) as follows:
- Perform Internal Data Mapping. Conduct an internal review to (a) determine all categories of personal information your company collects, stores, and discloses or sells; (b) map out your “data flows,” i.e., how your company collects, uses, and sells or discloses personal information; and (c) know whose information is being collected, by location, age, and purpose of collection. While performing this exercise, it may be wise to map these activities not only for California residents but for others as well, since many other states (15 at the time of writing) are considering privacy laws similar to California’s.
- Review your data security. Classify all data you collect by its level of sensitivity in order to ascertain and configure the necessary levels of security. Security levels should correspond with the nature of the personal information and the processing activities your organization performs. Inadequate security can result in data breaches that are potentially very costly under the CCPA, which grants individuals a private right of action for breaches caused by a failure to maintain reasonable security. Ensure that your critical security controls and internal policies for responding to breaches are sufficient. Benchmarking against industry standards will help demonstrate that your procedures are reasonable (more details are below under “Penalties for Non-Compliance”). It is also important to note that many cybersecurity incidents stem from a business’ use of third-party products and systems (e.g., virtual conference providers) that do not provide sufficient security and are not backed up by the business’ own security measures.
- Implement and maintain internal policies and procedures for responding to CCPA consumer requests and data breaches, including an Incident Response Plan, Information Security Policy, and Employee Training Program. Your company must have an established method of handling consumers’ requests for access to and deletion of their personal information, opting out of the sale of their information to third-party suppliers, and other rights under the CCPA. Procedures to verify the identity of requesting individuals must be established, as well as steps to respond to the 30-day written notice a consumer must give before suing for statutory damages after a breach (the business may avoid statutory damages if it cures the violation within that period).
- Training is mandatory under the CCPA, so businesses must prepare CCPA training materials for all relevant individuals within the organization, particularly the personnel who will be responsible for handling consumer requests about personal information. The CCPA does not identify any specific training employees must receive, stating only that they must be “informed of all requirements” regarding consumers’ rights. At a minimum this would include educating employees so they can explain to consumers their rights under the Act, including access, deletion, portability, and the opt-out of the sale of personal information. A combination of written training materials, internal policies, and recurring in-person training should satisfy the requirement. The California Attorney General’s forthcoming regulations will hopefully contain more details.
- Implement “opt-in” buttons where required and “opt-out” (or “Do Not Sell My Personal Information”) links on your attendee registration web page as required by the Act. To sell the personal information of children under 13 years old, parental opt-in is required (through the same methods as permitted by the Children’s Online Privacy Protection Act (COPPA)); those who are at least 13 and under 16 must affirmatively opt in themselves before their information may be sold.
- Businesses must also treat user-enabled privacy controls that signal an opt-out, such as a browser setting, privacy setting, or browser plug-in, as valid opt-out requests. Opt-out requests must be honored within 15 business days. Consumers’ requests to access or delete their personal information generally must be handled within 45 days (extendable once by a further 45 days where reasonably necessary, with notice to the consumer). Therefore, your business must put procedures in place to ensure these deadlines are met. Further, your third-party virtual conference provider MUST have systems and processes in place to comply.
- If a company changes how it uses or discloses personal information, it must notify consumers and get their opt-in consent to the change.
- Businesses that collect or disclose personal information about more than four million individuals must include in their Privacy Notices the number of requests received in the past calendar year to access or delete personal information or to opt-out. This information also must include the number of requests that were complied with or denied (e.g., due to an inability to reasonably verify the requesting consumer’s identity) and the average number of days it took the business to respond.
- Consumers can designate an authorized agent (a person or business entity registered with the California Secretary of State) to exercise their consumer rights and make requests on their behalf. Businesses must include information on how to designate an agent in their Privacy Notices.
- Businesses must update agreements with third parties that process personal information for them or that access, disclose, or sell it, inserting, among other things, a clause identifying appropriate third parties as “service providers” and restricting their use of the data to the specified business purpose.
Privacy Notice Requirements
- Privacy Notices must set out (among other things): (a) a description of consumers’ rights under the CCPA and the methods for submitting requests thereunder; (b) a list of the categories (which are referenced in the statute) of personal information collected in the last twelve months (if none, you must so state); (c) a list of the categories of personal information that the company has sold in the last twelve months; (d) a list of the categories of personal information it has disclosed to third parties for a business purpose; and (e) the intended use and purpose of each category.
- The Privacy Notice must be offered in all languages that the company uses on its website or in its sales or other communications.
- Privacy Notices must be accessible to those with disabilities. This requires that a business at least provide information on how a disabled consumer can access the notice in an alternative format. The W3C web accessibility guidelines at https://www.w3.org/standards/webdesign/accessibility (in particular the Web Content Accessibility Guidelines, WCAG 2.1, which the Attorney General’s regulations cite as a recognized industry standard) have been the default benchmark.
- Businesses may not discriminate against consumers who exercise their rights under the CCPA (e.g., requesting that their personal information be deleted). However, businesses may offer a higher level of service or another benefit (such as a financial incentive) if the value of the personal information is “directly related” to the higher service level or benefit. If the business chooses to do so, it must have conducted an internal analysis based on at least one of the methods identified in the CCPA regulations to explain how the value was calculated.
- If a business offers a different level of service or a benefit to consumers who do not request the deletion of their data or have not opted-out (or opted-in for children) of the sale of their information, the business must publish a Notice of Financial Incentive, usually as part of its Privacy Notice. Consumers must take affirmative action, i.e., opt-in, to receive the financial incentive and may revoke their opt-in at any time.
Penalties for non-compliance
Non-compliance with the CCPA puts a company at risk for civil penalties, sought by the California Attorney General, of up to $2,500 for each unintentional violation and $7,500 for each intentional violation. Further, consumers whose nonencrypted and nonredacted personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure” (e.g., hacking or data breaches) as a result of a business’ failure to implement and maintain reasonable security procedures and practices have a private right to sue the business (the data controller/event host) for statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Because statutory damages do not require proof of actual loss and are assessed per consumer, the exposure from a breach of an attendee database scales with the number of California residents in it. There are already numerous plaintiffs’ firms advertising their specialization in lawsuits involving data breaches.
Plaintiffs’ attorneys also may use the California Unfair Competition Law (UCL) and other consumer protection statutes to bring class actions and other private litigation based on CCPA violations, including in situations apart from data breaches. City attorneys and district attorneys could also file UCL actions since, unlike private litigants, public prosecutors may recover up to $2,500 in civil penalties per violation. In any such case, attorneys bringing such lawsuits will have to overcome the CCPA’s proviso that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”
Another issue likely to arise is whether consumers have standing in federal courts to assert claims for alleged privacy violations under the CCPA. The U.S. Supreme Court made clear in Spokeo, Inc. v. Robins that a statutory violation alone does not establish an actual injury, and that plaintiffs must show a particular and concrete injury that resulted from the defendant’s violation. Courts have split on how to apply these standards in the data privacy context, but recent case law in the Ninth Circuit indicates that violations of data privacy statutes may be sufficient to establish standing in California even without actual damages.
Companies should be prepared for nuisance requests under the CCPA from plaintiffs who are “fishing” for CCPA violations. Implementing an effective request response program will help mitigate the risk from these requests. Businesses also can try to deter these types of legal actions by clearly explaining and documenting their compliance efforts, carefully aligning them with any written guidance or comments from the California Attorney General, and benchmarking against security industry standards and best practices, such as the Center for Internet Security’s 20 Controls & Resources, the NIST Cybersecurity Framework, the ISO/IEC 27001 Standard, Systems and Organization Controls (SOC) 2 (for technology service entities), or ISACA’s COBIT management framework. The CIS Controls deserve particular attention: the California Attorney General’s 2016 Data Breach Report stated that failure to implement all of the CIS Controls that apply to an organization’s environment constitutes a lack of reasonable security, which is exactly the standard the CCPA’s private right of action turns on.
If my company is GDPR-compliant, is it automatically CCPA-compliant?
First, the two laws have different scope. The GDPR protects any natural person in the EU (regardless of citizenship) and applies to businesses established in the EU and to businesses outside the EU that offer goods or services to, or monitor the behavior of, people in the EU, while the CCPA protects only California residents and applies only to for-profit entities with annual gross revenue above $25 million, that buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices, or that derive 50 percent or more of their revenue from selling personal information. Second, the GDPR defines “personal data” as any information relating to an identified or identifiable natural person, whereas the CCPA’s definition is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The GDPR requires parental consent for processing a child’s personal data under the consent basis when the child is under 16 (member states may lower this to 13), while the CCPA allows those who are at least 13 to opt in for themselves to the sale of their information (although the requirements of COPPA still apply to children under 13). The GDPR, but not the CCPA, gives individuals the right to correct inaccurate or incomplete personal data, and the GDPR gives individuals broader rights to object to the processing of their data as well as the right not to be subject to automated decision-making that has legal or similarly significant effects (such as profiling). The GDPR’s requirement that consent be “freely given” makes it very difficult to offer incentives to consumers for not opting out of the sale of their data, which the CCPA expressly permits.
The most problematic difference between the CCPA and the GDPR is the method by which a business gains permission to use an individual’s personal information. The CCPA is an “opt-out” regime, requiring a “Do Not Sell My Personal Information” link that the consumer must act on, while the GDPR requires a lawful basis for processing, which for marketing and data sharing usually means affirmative “opt-in” consent. In other words, if the consumer does nothing, the CCPA allows their personal information to be sold to third parties, whereas the GDPR prohibits it. Thus, separate options are needed for EU residents and California residents, and this must be thought through carefully in a company’s website design.
If you are hosting a virtual conference and expect one or more attendees joining from California, you’ll want to perform proper due diligence before contracting with any service providers including:
- Data breach precautions. Again, you are the data controller (the “business” in CCPA terms). If the service provider (data processor) that you outsource to has a data breach, your company is accountable and can face penalties and legal actions. You will want to understand in detail where and how the service provider collects personal information, how and where it is stored, and how it is protected (at rest and in transit), including who at the provider can access it. This article has a checklist to ask your virtual conference provider.
- People and processes/procedures in place to handle requests from your attendees who want to delete their information, get access to their information, or opt out of having their information sold. You (the data controller) have 45 days to comply with a request, and an access request covers the personal information collected in the 12 months preceding the request, so the provider must be able to retrieve and export that data for an individual attendee on demand.
- Make sure the provider is a legitimate corporation against which you can pursue recourse if needed to avoid penalties and lawsuits. Ask for a copy of the service provider’s Form W-9, which shows its business address and taxpayer identification number. If the provider is a shell company set up in the Cayman Islands, there is no practical recourse if you need to get your data back.
“It is important to understand that the business hosting the virtual conference determines the purposes and means of the processing of personal information, defined as the data controller, and is accountable for CCPA compliance.”
We’re now living in an era of GDPR in Europe and CCPA in California. This is really the start of a privacy wave that will cascade across the US. For example, 15 additional states are right now contemplating legislation along the lines of the CCPA. So even if you do not have to comply with GDPR or CCPA, you will likely have to comply with a similar regulation coming from another state. That means start getting ready now and be aware of what is happening in these other states.
Communique is your trusted virtual conference platform partner. We take data security and compliance very seriously and we’re always on the cutting edge of what’s happening in the compliance arena. Finally, we’re always monitoring new and emerging security threats.