What does it do?

Grants California residents new rights regarding their personal information and imposes various data protection duties on for-profit entities conducting business in California.

Who is affected?

In a nutshell, for-profit companies doing business in California or with California residents.

More specifically:

Any for-profit entity doing business in California that meets one of the following:

  • Has a gross revenue greater than $25 million
  • Annually buys, receives, sells, or shares personal information; or has more than 50,000 consumers, households, or devices for commercial purposes
  • Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The law also applies to any entity that controls, is controlled by, or shares common branding with a for-profit business meeting the test above.

What does that mean for event industry professionals?

Changes are needed to ensure compliance, primarily providing your stakeholders with:

Transparency

Clearly stating what information you collect and how you use and share the information you gather about attendees, sponsors, and exhibitors.

Consumer rights

Providing stakeholders with the right to delete their information, get access to their information, and opt out of having their information sold.

Data security

Ensuring due diligence by understanding how sensitive information is being stored and that it’s being reasonably protected.

We’ve heard a lot about GDPR – how is CCPA different?

GDPR and CCPA are similar, but not the same. Consumer rights, the right to access information, the right to change information, portability, and the right to delete information are all the same. But where GDPR permitted companies to use information either with your consent or for a legitimate business interest, CCPA doesn’t require either. CCPA focuses on transparency: letting consumers know what is going to be done with their information so that they can decide if they want to opt out.

Who is subject to CCPA?

CCPA applies to for-profit entities that do business in CA and meet one of the following criteria:

  • Global revenue is greater than $25M (global revenue; not just CA); or
  • Collects the PI of 50K consumers (globally); or
  • Derives 50% of revenue from selling data

CCPA does NOT apply to non-profits (unless the non-profit controls a for-profit entity).

What constitutes a Resident under CCPA?

The term “resident” includes every individual (1) who is in the State for other than a temporary purpose (e.g. business or personal travel), and (2) who lives in California and who is temporarily travelling outside the state. All other individuals are nonresidents.

What is a Consumer under CCPA?

A California resident whose data you are processing. Note that, as of today, employees do not fall under the definition of a consumer under CCPA. This is set to be reevaluated by 1/1/2021.

What does 'sell' mean under CCPA?

Any disclosure of consumer information for monetary or other valuable consideration.

What does 'collect' mean under CCPA?

Obtaining any personal information from a consumer, either actively or passively, or by observing the consumer's behavior. 

What is the difference in consumer rights between GDPR and CCPA?

| GDPR                         | CCPA                                        |
|------------------------------|---------------------------------------------|
| 1. Transparency              | 1. Notice                                   |
| 2. Access                    | 2. Access and portability                   |
| 3. Rectification             | 3. Deletion                                 |
| 4. Erasure                   | 4. Opt Out of Sale of Personal Information  |
| 5. Restrict Processing       | 5. Equivalent Services                      |
| 6. Data Portability          |                                             |
| 7. Object to processing      |                                             |
| 8. Automated decision making |                                             |

Do we need a "DPA" with our vendors?

Not necessarily. A separate agreement like a DPA is not specifically required, but CCPA requires a business to have a written contract with its vendors that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than as specified in the vendor contract. A separate addendum (or “DPA”) may be the easiest way to achieve this purpose and make sure existing vendors are classified as Service Providers. See Cvent’s Customer Service Provider addendum here.

What is an example of a Service Provider?

A Service Provider is a business that you contract with to process personal information on your behalf (e.g. CRM provider, cloud storage, marketing automation software). 

Define personal information.

Personal information is information that identifies or could reasonably be linked to a particular consumer or household (e.g., name, online identifier, IP address, government ID number, email address, products or services purchased, pictures, voice recordings, browsing history, geolocation data, education information, and more). 

Do I have to be privacy shield certified?

No. Privacy Shield is for the transfer of personal data between the US and the EU.

Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.