As of January 1st, 2020, the California Consumer Privacy Act (CCPA) went into effect. You may have heard of GDPR, the European Union’s privacy act, which was put into practice in 2018. With the newest privacy act, California has expanded individual privacy rights within the US. Certain companies who engage with California residents must comply or face penalties. Let’s review CCPA and how it will affect you at trade shows and events:
Who Must Comply?
Most US for-profit organizations will need to comply with these standards, apart from select small businesses. Here’s the specific requirements for who must comply:
- Companies that interact with Californians and take in $25 million or more annually
- Companies that possess data of 50,000 Californians or more
- Companies that obtain half of their revenue from selling Californian personal data
Note: Since insurance institutions, agents, and support organizations already abide by similar regulations, a CCPA amendment exempts these organizations.
What Are the Penalties?
On the most basic level, CCPA lists penalties up to $750 per person per violation. But with a large data breach, such as 200,000 Californias, penalties could add up to $150 million. Not to mention potential lawsuits from affected individuals. Or the right of the California Attorney General to seek additional penalties. According to CCPA, these additional penalties could add up to $2,500 per violation, or a staggering $7,500 for deliberate violations.
What Does CCPA Cover?
Under CCPA, companies must do the following to comply:
- When collecting personal data, the company must notify the individual what personal data is being collected and for what purposes
- If an individual requests all his/her personal information, the company must send the individual all his/her personal data (up to twice in 12 months’ time)
- Upon individual request, a company must disclose categories/specific pieces of the individual’s personal information collected, the sources from which personal data is obtained, purposes for collecting and/or selling information, and any third parties that may also access the personal data
- Individuals have the right to request a company removes all personal information (excluding certain circumstances)
- Companies may not discriminate against any individuals for exercising any area of their rights under the act
CCPA vs. GDPR
GDPR, or the General Data Protection Regulation, went into effect in May 2018, affecting companies that interact with any European Union (EU) citizens. Compared to GDPR, CCPA has a similar framework, but with less stringent requirements.
One main difference is GDPR requires that companies obtain consent from individuals while collecting personal data. CCPA only requires that you inform individuals you are collecting personal data. Under CCPA, companies may process data and sell it to third parties without consent.
Rights under both CCPA and GDPR
- Right to be informed: the right for individuals to know what information is being processed and why
- Right of access: the right for individuals to obtain a copy of their personal data
- Right to portability: the right for individuals to move, copy, or transfer their personal information in a secure manner
- Right to deletion (CCPA) vs right to erasure (GDPR): apart from a few minor differences, both of these versions amount to the right for individuals to remove their data
- Right to opt-out (CCPA) vs. right to withdraw consent (GDPR): while these two have differences, they are a close comparison. For CCPA, it allows individuals to opt out of information being sold to third parties. For GDPR, it allows individuals to withdraw consent of information being gathered in any manner at any time.
Rights only under GDPR:
- Right of prior consent: While CCPA does give individuals the right to opt-out and to be notified, it does not require companies to obtain consent from individuals to collect, use, and sell their data. This is the most significant difference between CCPA and GDPR.
In summary, if you are already GDPR compliant, you are likely prepped to comply with CCPA at events.
Data Privacy and Events
Through digital contact, such as websites and email marketing, abiding by data privacy is an easier task. Your company can comply with CCPA standards online with the right disclaimer, privacy policy, and statement on your website. The same is true for your email footer.
But you will likely interact with California residents in-person, outside your website and email campaigns. In this digital age, live events still play a crucial role in today’s marketing strategies. Many companies allocate large sections of their budgets for attending and hosting events because of the value of face-to-face interactions for both branding and lead generation.
Although events boost marketing and sales, they also present data privacy issues. After all, it is harder to record face-to-face interactions vs. digital ones. With laws like GDPR and CCPA emerging, it is more important than ever to monitor how we obtain and process data.
US-only companies that now need to abide by CCPA (but not GDPR) thankfully do not need to worry about obtaining consent at events. Instead, as necessary, notifying the attendee what information is being captured and why takes precedence. Through digital contact, again, this is an easier task. But trade shows are a different beast. For in-person events, where your reps may encounter hundreds of people, how do you comply and protect your company from lawsuits?
How iCapture Helps
You may consider using pen and paper to track leads and manage data privacy at events. But that process can be tedious, time-consuming, and difficult to implement. Through automation, your company can meet data privacy standards in a simple and seamless process.
Here at iCapture, we are fully GDPR compliant. We have experience navigating through data privacy laws and leveraging our technology to help our clients comply. Just like GDPR, we are fully equipped to support you in complying with new CCPA standards. Here are some of our CCPA data privacy capabilities:
Digital Notification
iCapture makes it easy to include terms and conditions notifications and links to privacy policies either during or immediately following capture. You can customize all the content to satisfy your specific needs and legal limits. This is a non-intrusive, quick way to track notification of each person during capture as needed.
Data Management and Deletion
For any information captured at events through iCapture, the iCapture team can easily access or remove data upon request. As it applies to event data, we can help you abide by the right of access, right to portability, right to deletion, right to opt-out, and so on.
For further information on CCPA, please review the CCPA law text, the quick CCPA fact sheet, California’s Department of Justice official website, or the Californians for Consumer Privacy website. For more assistance on lead capture and CCPA, request a demo and speak with an iCapture team member.