November 26, 2019 · Stuart Butler
Fuel Hotel Marketing Podcast: Episode 127 – Everything You Need To Know About The California Consumer Privacy Act (CCPA)
By now you have probably heard the increasing chatter about CCPA. In this episode of the award-winning Fuel Hotel Marketing Podcast, we do an overview and try to unpack the new California privacy regulations and what they mean for your hotel. Keep in mind that CCPA is just the beginning and we fully expect to see more legislation coming from other states in the very near future.
DISCLAIMER: We are not legal experts and this article and podcast episode are for entertainment purposes only and are not intended to be considered as legal advice. The information is based upon our limited understanding and some random Google searches and may contain errors or factual inaccuracies as well as the occasional dad joke.
What Is CCPA?
The California Consumer Privacy Act (CCPA) – not to be confused with the Federal Consumer Credit Protection Act – is a piece of legislation, also known as “AB 375,” that was created to enhance privacy rights and consumer protection for residents of California. This legislation has been described by some as “almost GDPR in the US.” It’s not, but it’s been described that way to get more clicks.
So What Does That Mean?
CCPA requires businesses to tell consumers what data they are collecting and gives consumers the right to say no to the sale of their personal information. It will also allow consumers to sue companies if their personal data is breached.
Why Was CCPA Created?
The California Consumer Privacy Act (CCPA) was created to protect the privacy and data of consumers. The CCPA initiative states that the act is intended to “give Californians the ‘who, what, where, and when’ of how businesses handle consumers’ personal information.”
The reality is that the act doesn’t really do a whole lot to protect consumers.
Who Has To Be Compliant With CCPA Regulations?
Anyone who does business in California and stores or processes data from California consumers. Basically, any hotel in the US and potentially worldwide that meets one or more of the following criteria:
- Exceeds an annual gross revenue of $25 million,
- Obtains personal information of 50,000 or more California residents, households, or devices annually; or
- Obtains 50 percent or more of their annual revenue from selling California residents’ personal information.
OR if you control or are controlled by an entity that meets the above criteria and share common branding with that entity.
The term “does business in California” has not been clarified by the California Attorney General, but it’s safe to assume that it could be interpreted very broadly to mean that you do business via the Internet with people from California or that you have an office or an employee in California.
CCPA does not apply to non-profit organizations.
Please consult an attorney to determine whether or not your business needs to adhere to the CCPA regulations.
When Did CCPA Get Passed?
CCPA passed into California law on June 28th of 2018.
When Does CCPA Go Into Effect?
CCPA is set to be effective from January 1, 2020, but enforcement by the California Attorney General won’t begin until July 1st, 2020 at the earliest.
The reason for this is that the California Attorney General has to adopt specific regulations based on the legislation sometime between Jan 1, 2020 and July 1 2020. The enforcement of these regulations cannot begin until 6 months after these regulations have been adopted.
What Does CCPA Actually Do?
According to the official website, the act has three major components. Consumers will have the following rights:
- The right to know what information companies are collecting.
- The right to say no to a business sharing or selling personal information.
- The right to protections against businesses that do not uphold the value of privacy.
Each business will be held accountable if these rights aren’t granted and/or if information is compromised due to their failure to take preventative security measures.
What Are The Penalties For CCPA?
Fines of up to $2,500 per violation, or $7,500 for intentional violation. This may seem insignificant compared to the 4% of worldwide revenue that GDPR represents, but here’s where it’s different.
Under CCPA, individual consumers have a right to financial compensation of between $100 and $750 per incident. This is where the risk is, because it opens up the possibility of class-action lawsuits.
What’s the Difference Between CCPA and GDPR?
- Although the intent of both sets of regulations is similar, there are many differences between the two beyond the geography of the consumer. CCPA focuses more on reducing the unauthorized selling of personal information for profit, whereas GDPR focuses more on data ownership and rights of deletion.
- GDPR is much more restrictive in terms of the types of data being covered by the legislation and the rights pertaining to the data. For example, GDPR covers any data collected that relates to the consumer, whereas CCPA only covers data that was specifically provided by the consumer.
- Also, GDPR requires explicit consent to store and use the data before the data is collected. CCPA focuses more on giving the consumer the right to opt-out from their data being sold.
- CCPA requires a specific “Do Not Sell My Personal Information” link placed on a business home page, directed to a form that is tracked and processed. Note that this only applies to businesses that sell personal customer information to third parties.
- CCPA specifically excludes information that is publicly available from local, state, or federal government records (Pete’s example: your Monday Mugshot is not covered).
See our episode on GDPR for more information: https://www.travelboommarketing.com/blog/fuel-hotel-marketing-podcast-episode-82-hotels-need-know-gdpr-late/
Comparison of GDPR and CCPA by Data Guidance
What Does My Hotel Need To Do For CCPA?
- Review and understand what personal information is collected by your business.
- Understand how the personal information collected is used, confirm whether the information is sold to third parties or shared, and determine the purpose of such sharing.
- Review internal policies and procedures regarding the collection of personal information.
- Update internal and online privacy policies to comply.
- Prepare policies and procedures to make sure your company can respond when customers request access to, deletion from, or information related to the sale or disclosure of their information.
- Implement solutions that process requests made by the customers to opt-out of the sale of personal information.
- Train employees responsible for handling customers’ personal information.
- Review contracts with service providers that have consumer personal information provided by your business.
- Ensure that third party audits of service providers who have access to your consumer personal information are compliant with CCPA.
For more detailed information about how to comply with CCPA, we recommend the following resources:
CCPA Is Just The Beginning
We expect many states to follow suit and introduce similar legislation over the next few years. It is important that you begin preparing for this now by implementing better data policies.
Check out the list of 25 other states who are currently working on their own legislation:
Final Thoughts On CCPA and Data Privacy
At the end of the day, it’s important to remember that the data belongs to your guest. It is not your data. You have just been given the permission and the privilege to use the data in some way. You should never use a consumer’s data to manipulate them and you should never abuse the trust that they have given to you by mishandling their private information. You should always respect the consumer and their wishes and you should always be completely transparent with everything you do with their data. We are in the hospitality industry and we should treat the data we collect the same way we treat the guest themselves.
In The Newsaroos:
- Rich Answers In mobile SERP more than doubled since 2018