What does it do?
Grants California residents new rights regarding their personal information and imposes various data protection duties on for-profit entities conducting business in California.
Who is affected?
In a nutshell, for-profit companies doing business in California or with California residents.
Any for-profit entity doing business in California that meets one of the following:
- Has a gross revenue greater than $25 million
- Annually buys, receives, sells, or shares personal information; or has more than 50,000 consumers, households, or devices for commercial purposes
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
The law also applies to any entity that controls, is controlled by, or shares common branding with a for-profit business meeting the test above.
We’ve heard a lot about GDPR. How is CCPA different?
GDPR and CCPA are similar, but not the same. Consumer rights, the right to access information, the right to change information, portability, and the right to delete information are all the same.
But where GDPR permitted companies to use information either with your consent or for a legitimate business interest, CCPA doesn’t require either. CCPA focuses on transparency - letting consumers know what is going to be done with their information so that they can decide if they want to opt out.
CCPA applies to for-profit entities that do business in CA and meet one of the following criteria:
- Global revenue is greater than $25M (global revenue; not just CA); or
- Collects the personal information of 50K consumers (globally); or
- Derives 50% of revenue from selling data
CCPA does NOT apply to non-profits (unless the non-profit controls a for-profit entity).
The term “resident,” includes every individual (1) who is in the State for other than a temporary purpose (e.g. business or personal travel), and (2) who lives in California and who is temporarily travelling outside the state. All other individuals are nonresidents.
A California resident whose data you are processing. Note that as of today, employees do not fall under the definition of a consumer under CCPA. This is set to be reevaluated by 1/1/2021.
Any disclosure of consumer information for monetary or other valuable consideration.
Obtaining any personal information from a consumer, either actively or passively, or by observing the consumer's behavior.
CCPA defines a "sale" as any sharing of consumer information for monetary or other valuable consideration. This definition is very broad and not necessarily intuitive, which is why independent legal advice is recommended to analyze your organization’s data practices. Planners should specifically think about whether they share attendee data with sponsors, speakers, exhibitors, and other key participants in the event industry.
If an organization concludes its data practices do fall within the definition of a sale, then the organization will need to include a "Do Not Sell My Personal Information" link where it collects information from consumers. Cvent's products provide optional functionality to include a "Do Not Sell" opt-out link that complies with CCPA.
|GDPR|CCPA|
|---|---|
|1. Transparency|1. Notice|
|2. Access|2. Access and portability|
|3. Rectification|3. Deletion|
|4. Erasure|4. Opt Out of Sale of Personal Information|
|5. Restrict Processing|5. Equivalent Services|
|6. Data Portability||
|7. Object to processing||
|8. Automated decision making||
Not necessarily. A separate agreement like a DPA is not specifically required, but CCPA requires a business to have a written contract with its vendors that prohibits the vendor from retaining, using, or disclosing the personal information for any purpose other than as specified in the vendor contract. A separate addendum (or “DPA”) may be the easiest way to achieve this purpose to make sure existing vendors are classified as Service Providers. See Cvent’s Customer Service Provider addendum here.
A Service Provider is a business that you contract with to process personal information on your behalf (e.g. CRM provider, cloud storage, marketing automation software).
Personal information is information that identifies or could reasonably be linked to a particular consumer or household (e.g., name, online identifier, IP address, government ID number, email address, products or services purchased, pictures, voice recordings, browsing history, geolocation data, education information, and more).
No. Privacy Shield is for the transfer of personal data between the US and the EU.
No. The consumer cannot come directly to Cvent to make the request. If we receive those types of requests, we point the individual back to the host of the event, and the host needs to submit a request on behalf of the invitee/attendee through our approved form. The form asks you, the event host, for your specific account IDs, and we only process the request within that account. In short, Cvent does not take a single request from a consumer and apply it across all of our customers’ accounts.
No. There are a number of exceptions under the CCPA to complying with a consumer’s deletion request. For example, a business is not required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business to maintain the consumer’s personal information to:
- Complete the transaction for which the personal information was collected;
- Provide a good or service requested by the consumer;
- Reasonably anticipate within the context of a business’s ongoing business relationship with the consumer; or
- Otherwise perform a contract between the business and the consumer.
Many non-profit organizations are not likely covered under the law (see next response below) and may not have to meet the CCPA obligations. A non-profit that is not covered by the CCPA and hires a business covered by the CCPA (e.g., a third party planner) is not going to create new obligations for the non-profit entity. The hired entity (e.g., the TPP) that is covered under the CCPA may still have obligations under the CCPA.
The definition of business under CCPA is an entity operated for profit. Generally, CCPA does not apply to a non-profit unless it controls a for-profit entity in its structure, which is why independent legal advice is recommended to analyze your organization’s structure and obligations. If an organization concludes the CCPA applies to them, then Cvent and its products can assist the customer in meeting its CCPA obligations for its events and meetings.
Cvent provides this material for informational purposes only. The material provided herein is general and in summary form and is not intended to be comprehensive. Further, it is not intended to be legal advice and should not be construed as such. Nothing herein should be relied upon or used without consulting a lawyer, data protection officer or other professional advisor who will consider your specific circumstances, possible changes to applicable laws, rules and regulations, and other legal and privacy issues. Receipt of this material does not establish an attorney-client relationship.