What does it do?

Grants California residents new rights regarding their personal information and imposes various data protection duties on for-profit entities conducting business in California.

Who is affected?

In a nutshell, for-profit companies doing business in California or with California residents.

More specifically:

Any for-profit entity doing business in California that meets one of the following:

  • Has gross revenue greater than $25 million;
  • Annually buys, receives, sells, or shares, for commercial purposes, the personal information of 50,000 or more consumers, households, or devices; or
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law also applies to any entity that controls, is controlled by, or shares common branding with a for-profit business meeting the test above.

What does that mean for event industry professionals?

Changes are needed to ensure compliance, primarily providing your stakeholders with:

Transparency

Clearly stating what information you collect and how you use and share the information you gather about attendees, sponsors, and exhibitors.

Consumer rights

Providing stakeholders with the right to delete their information, get access to their information, and opt out of having their information sold.

Data security

Ensuring due diligence by understanding how sensitive information is being stored and that it’s being reasonably protected.


We’ve heard a lot about GDPR. How is CCPA different?

GDPR and CCPA are similar, but not the same. Consumer rights, the right to access information, the right to change information, portability, and the right to delete information are all the same.

But where GDPR permitted companies to use information whether with your consent or for legitimate business interest, CCPA doesn’t require either. CCPA focuses on transparency - letting consumers know what is going to be done with their information so that they can decide if they want to opt-out.

Who is subject to CCPA?

CCPA applies to for-profit entities that do business in CA and meet one of the following criteria:

  • Global revenue is greater than $25M (global revenue, not just CA); or
  • Collects the personal information (PI) of 50K consumers (globally); or
  • Derives 50% of revenue from selling data.

CCPA does NOT apply to non-profits (unless the non-profit controls a for-profit entity).

What constitutes a Resident under CCPA?

The term “resident” includes every individual (1) who is in the State for other than a temporary purpose (e.g., business or personal travel), and (2) who lives in California and is temporarily travelling outside the state. All other individuals are nonresidents.

What is a Consumer under CCPA?

A California resident whose data you are processing. Note that, as of today, employees do not fall under the definition of a consumer under CCPA. This is set to be reevaluated by 1/1/2021.

What does 'sell' mean under CCPA?

Any disclosure of consumer information for monetary or other valuable consideration.

What does 'collect' mean under CCPA?

Obtaining any personal information from a consumer, either actively or passively, or by observing the consumer's behavior.

Do I need a “Do Not Sell My Personal Information” link on my registration page?

CCPA defines a "sale" as any sharing of consumer information for monetary or other valuable consideration. This definition is very broad and not necessarily intuitive, which is why independent legal advice is recommended to analyze your organization’s data practices. Planners should specifically think about whether they share attendee data with sponsors, speakers, exhibitors, and other key participants in the event industry.

If an organization concludes its data practices do fall within the definition of a sale, then the organization will need to include a "Do Not Sell My Personal Information" link where it collects information from consumers. Cvent's products provide optional functionality to include a "Do Not Sell" opt-out link that complies with CCPA.

What is the difference in consumer rights between GDPR and CCPA?

GDPR

  • Transparency
  • Access
  • Rectification
  • Erasure
  • Restrict Processing
  • Data Portability
  • Object to processing
  • Automated decision making

CCPA

  • Notice
  • Access and portability
  • Deletion
  • Opt Out of Sale of Personal Information
  • Equivalent Services

Do we need a "DPA" with our vendors?

Not necessarily. A separate agreement like a DPA is not specifically required, but CCPA requires a business to have a written contract with its vendors that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than as specified in the vendor contract. A separate addendum (or “DPA”) may be the easiest way to achieve this purpose to make sure existing vendors are classified as Service Providers. See Cvent’s Customer Service Provider addendum here.

What is an example of a Service Provider?

A Service Provider is a business that you contract with to process personal information on your behalf (e.g., CRM provider, cloud storage, marketing automation software).

Define personal information.

Personal information is information that identifies or could reasonably be linked to a particular consumer or household (e.g., name, online identifier, IP address, government ID number, email address, products or services purchased, pictures, voice recordings, browsing history, geolocation data, education information, and more).

Do I have to be Privacy Shield certified?

No. Privacy Shield is for the transfer of personal data between the US and the EU.

If a consumer makes a request for access or deletion for one company’s event, is that request carried across all companies whose Cvent-powered events the consumer has attended?

No. The consumer cannot come directly to Cvent to make the request. If we receive those types of requests, we point the individual back to the host of the event, and the host needs to submit a request on behalf of the invitee/attendee through our approved form. The form asks you, the event host, for your specific account IDs, and we only process the request within that account. In short, Cvent does not take a single request from a consumer and apply it across all of our customers’ accounts.

We ask attendees to opt in to have their email shared with sponsors and exhibitors who then purchase these lists. Since payment is being made, do we need to explicitly disclose that?

Since you're asking for consent, which goes beyond the legal requirement of CCPA, presumably you are already disclosing how the information is being shared and with whom. Under the CCPA, your Privacy Policy must disclose, among other things, what information you're collecting and for what purposes, including whether you sell consumers’ personal information. That being said, we believe it's always best to check with your own legal counsel, who may know the specifics of your events, what information you're collecting, etc.

What notice will Cvent be providing in terms of how the data of California residents is handled with regards to CCPA?

Cvent will update its privacy policy by January 1, 2020, the effective date for CCPA, to include a section for California residents detailing the required disclosures. Our updated policy will detail the new California rights and how residents can exercise them. Our privacy policy already discloses the categories of information collected, but the update will provide some additional CCPA-specific items for clarity. We will also provide a link to an opt-out page.

Cvent also has the functionality for a customer to include a link to their own privacy policy where these disclosures can be made and tailored for their intended use. Cvent’s event products will also have the ability to include a “Do Not Sell My Personal Information” function where customers deem appropriate for their use.

What if an attendee asks to be anonymized more than 45 days prior to the event? Would it violate the law to leave that person’s information in the system for name badge printing and hotel reservations?

No. There are a number of exceptions under the CCPA to complying with a consumer’s deletion request. For example, a business is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business to maintain the consumer’s personal information to:

  • Complete the transaction for which the personal information was collected;
  • Provide a good or service requested by the consumer, or reasonably anticipated within the context of the business’s ongoing business relationship with the consumer; or
  • Otherwise perform a contract between the business and the consumer.

If a non-profit that is not subject to CCPA hires a company that is subject to the CCPA to help run an event (e.g., a third-party planner), does the non-profit have to comply with CCPA requests for deletion or opt-out of “sale” since it hired the for-prof

Many non-profit organizations are likely not covered under the law (see the next response below) and may not have to meet the CCPA obligations. A non-profit that is not covered by the CCPA and hires a business covered by the CCPA (e.g., a third-party planner) does not create new obligations for the non-profit entity by doing so. The hired entity (e.g., the TPP) that is covered under the CCPA may still have obligations under the CCPA.

Some non-profits make well over $25M in revenue. Does the law specify that all non-profits, regardless of revenue volume, are exempt?

The definition of a business under CCPA is an entity operated for profit. Generally, CCPA does not apply to a non-profit unless it controls a for-profit entity in its structure, which is why independent legal advice is recommended to analyze your organization’s structure and obligations. If an organization concludes the CCPA applies to it, then Cvent and its products can assist the customer in meeting its CCPA obligations for its events and meetings.

Learn more about how we can help you be CCPA compliant

Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.