Meeting Mentor Magazine

December 2023

Regulatory Update

Data Privacy Law Lands in California

Remember how your in-box overflowed in mid-May as companies rushed to notify everyone whom they had data on that they were updating their data privacy policies to meet the May 25 deadline for the European Union General Data Protection Regulation (GDPR)?

The California Consumer Privacy Act of 2018 (CCPA) that passed into law June 28 likely won’t cause a similar mad dash toward compliance when it goes into effect January 1, 2020. That’s primarily because many of CCPA’s requirements are similar to GDPR’s, and most of the large companies it will affect — those serving a global market that includes Europe and so had to become GDPR-compliant this spring — already have done most of what they need to do to comply with the new state law.

But that doesn’t mean meeting and hospitality professionals can ignore it.

As Kevin Iwamoto, GLP, GTP, senior consultant with GoldSpring Consulting, said, “Whether it’s CCPA or GDPR, meetings industry professionals will have to take accountability for the clients they service. If something were to go south and you had a data breach, everyone who touches personal data will be involved. You won’t be the only one under the bus, but you will get dragged into any lawsuits that result from that breach.”

Comparing CCPA and GDPR
CCPA is similar to GDPR in that it is designed to give consumers — in this case, California’s — more control over how their personal data is collected and used, and it applies to companies and associations that reside in the state or collect data on those who reside there. The law also mirrors GDPR by giving Californians the right to know who is collecting their personal data, the business uses planned for that data, where the data is harvested from and the business categories of third parties it will be shared with. It also provides consumers the right to opt out and to have their personal data deleted upon request.

It also differs in a few ways from the European regulation. It only applies to large companies and associations that meet certain annual gross revenue, database size and database-derived revenue measures. And the financial penalties are much less significant: Where GDPR can levy fines up to 20 million euros or 4 percent of annual global turnover (whichever is higher), CCPA’s private-right-of-action provision allows consumers to seek just $750 in damages for certain categories of data privacy violations.

“The fines are yawnable,” said Iwamoto. “A company could easily decide to pay the fine rather than come into compliance.” Also, while the CCPA gives the California attorney general (AG) authority to enforce the act — and the state AGs have historically been aggressive in enforcing data privacy — the small fines and already packed AG agenda could mean CCPA enforcement won’t be a top priority, he added. “How much time and effort will he put into it? I don’t know.”

Iwamoto also pointed out that the legislation was written with a lot more room for interpretation than GDPR was. He predicted that the major global tech companies in Silicon Valley are likely to bring some lobbying efforts to bear on what the ruling looks like come January 2020, though they “were kind of relieved when they saw the final version of CCPA, because it’s a lot less restrictive and financially significant to them than GDPR was.”

While he would advise those who haven’t already had to comply with GDPR to wait to do major revamps of their data privacy processes to meet CCPA requirements, it wouldn’t hurt to start thinking about what you will do and putting some baseline procedures in place now.

“It’s important that you examine current practices, find gaps and fix them so you can prove you handled data responsibly and within the law,” he said. “That means encrypting the data, not sharing the pass codes and being able to demonstrate that you understand how the data is being used. If you can show you have the processes in place, if you do get pulled into court, you can quickly get yourself out of the case if you can show you were thoughtful in your portion of the process.”

More to Come?
“Everyone collects data — whether through a travel-booking tool or a meeting registration tool,” said Iwamoto. “It’s what they do and don’t do with that data that matters.” The days where you can ask attendees and other stakeholders to just trust that you’re keeping their data safe are coming to an end, he predicted.

While other states probably won’t rush to join California and the European Union in putting data privacy protections in place before the U.S. midterm elections this fall, once that’s in the rearview mirror, more of this type of legislation could be on the horizon, Iwamoto said. “I think more states will start looking at what California’s doing because they realize how vulnerable their citizens are — how much their data privacy is at risk if the state doesn’t do something to protect them from the wolves at the door.” — Sue Pelletier
