What does it do?
Grants California residents new rights regarding their personal information and imposes various data protection duties on for-profit entities conducting business in California.
Who is affected?
In a nutshell, for-profit companies doing business in California or with California residents.
More specifically:
Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million
- Annually buys, receives, sells, or shares personal information; or has more than 50,000 consumers, households, or devices for commercial purposes
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that controls, is controlled by, or shares common branding with a for-profit business meeting the test above.
CCPA applies to for-profit entities that do business in CA and meet one of the following criteria:
- Global revenue is greater than $25M (global, not just CA); or
- Collects PI of 50K consumers (globally); or
- Derives 50% of revenue from selling data
CCPA does NOT apply to non-profits (unless the non-profit controls a for-profit entity).
The term “resident,” includes every individual (1) who is in the State for other than a temporary purpose (e.g. business or personal travel), and (2) who lives in California and who is temporarily travelling outside the state. All other individuals are nonresidents.
A California resident whose data you are processing. Note that as of today, employees do not fall under the definition of a consumer under CCPA. This is set to be reevaluated by 1/1/2021.
Any disclosure of consumer information for monetary or other valuable consideration.
Obtaining any personal information from a consumer, either actively or passively, or by observing the consumer's behavior.
CCPA defines a "sale" as any sharing of consumer information for monetary or other valuable consideration. This definition is very broad and not necessarily intuitive, which is why independent legal advice is recommended to analyze your organization’s data practices. Planners should specifically think about whether they share attendee data with sponsors, speakers, exhibitors, and other key participants in the event industry.
If an organization concludes its data practices do fall within the definition of a sale, then the organization will need to include a "Do Not Sell My Personal Information" link where it collects information from consumers. Cvent's products provide optional functionality to include a "Do Not Sell" opt-out link that complies with CCPA.
GDPR | CCPA |
---|---|
1. Transparency | 1. Notice |
2. Access | 2. Access and portability |
3. Rectification | 3. Deletion |
4. Erasure | 4. Opt Out of Sale of Personal Information |
5. Restrict Processing | 5. Equivalent Services |
6. Data Portability | |
7. Object to processing | |
8. Automated decision making | |
Not necessarily. A separate agreement like a DPA is not specifically required, but CCPA requires a business to have a written contract with its vendors that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than as specified in the vendor contract. A separate addendum (or “DPA”) may be the easiest way to achieve this purpose to make sure existing vendors are classified as Service Providers. See Cvent’s Customer Service Provider addendum here.
A Service Provider is a business that you contract with to process personal information on your behalf (e.g. CRM provider, cloud storage, marketing automation software).
Personal information is information that identifies or could reasonably be linked to a particular consumer or household (e.g., name, online identifier, IP address, government ID number, email address, products or services purchased, pictures, voice recordings, browsing history, geolocation data, education information, and more).
No, Privacy Shield is for the transfer of personal data between the US and the EU.
No. The consumer cannot come directly to Cvent to make the request. If we receive those types of requests, we point the individual back to the host of the event and the host needs to submit a request on behalf of the invitee/attendee through our approved form. The form asks you, the event host, for your specific account IDs and we only process the request within that account. In short, Cvent does not take a single request from a consumer and apply it across all of our customers’ accounts.
Since you're asking for consent, which goes beyond the legal requirement of CCPA, presumably you are already disclosing how the information is being shared and with whom. Under the CCPA, your Privacy Policy must disclose, among other things, what information you're collecting and for what purposes, including whether you sell consumers’ personal information. That being said, we believe it's always best to check with your own legal counsel, who may know the specifics of your events, what information you're collecting, etc.
Cvent will update its privacy policy by January 1, 2020, the effective date for CCPA, to include a section for California residents detailing the required disclosures. Our updated policy will detail the new California rights and how they can exercise them. Our privacy policy already discloses categories of information collected, but the update will provide some additional CCPA-specific items for clarity. We will also provide a link to an opt-out page.
Cvent also has the functionality for a customer to include a link to their own privacy policy where these disclosures can be made and tailored for their intended use. Cvent’s event products will also have the ability to include a “Do Not Sell My Personal Information” function where customers deem appropriate for their use.
No. There are a number of exceptions under the CCPA to complying with a consumer’s deletion request. For example, a business is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business to maintain the consumer’s personal information to:
- Complete the transaction for which the personal information was collected;
- Provide a good or service requested by the consumer;
- Reasonably anticipate within the context of a business’s ongoing business relationship with the consumer; or
- Otherwise perform a contract between the business and the consumer.
Many non-profit organizations are not likely covered under the law (see next response below) and may not have to meet the CCPA obligations. A non-profit that is not covered by the CCPA and hires a business covered by the CCPA (e.g., a third party planner) is not going to create new obligations for the non-profit entity. The hired entity (e.g., the TPP) that is covered under the CCPA may still have obligations under the CCPA.
The definition of business under CCPA is an entity operated for profit. Generally, CCPA does not apply to a non-profit unless it controls a for-profit entity in its structure, which is why independent legal advice is recommended to analyze your organization’s structure and obligations. If an organization concludes the CCPA applies to them, then Cvent and its products can assist the customer in meeting its CCPA obligations for its events and meetings.
Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.