What Is the California Consumer Privacy Act (CCPA) and Does It Apply To Your Customer?

What is it?

California is rolling out its own state-level version of GDPR, called the California Consumer Privacy Act (CCPA). The article linked below goes into detail on what it entails. The California Consumer Privacy Act goes into effect on January 1, 2020.

If you have customers in California, especially larger ones, you should familiarize yourself with this new law so you can respond to them if they ask about it (which they might, even if it doesn’t apply to them). The good news: most of our customers are not large enough to be subject to this law! Customers with huge contact databases could be subject to it, though.

But first, one extremely important note:
I am not a lawyer and none of this is legal advice.
This is, to the best of my ability, a summary of the relevant components of the law, as it relates to our customer base. If one of your customers may be affected by this law, talk to them and encourage them to consult with a lawyer familiar with the matter for guidance on the specifics of what we need to do to ensure compliance.

Big-Picture Summary

The law applies to California businesses meeting one of three criteria:

  1. Annual gross revenues exceeding $25 million.
  2. Possession of personal information of 50,000 or more customers, households or devices
  3. More than half of the annual revenue is derived from the sale of customers’ personal information (not really relevant to our customers).

What the law says:

Reading over the site, it looks like the big picture is that applicable businesses need to:

  1. Disclose on their website what, if any, personal data they collect about their users/customers, and if they provide that data to third-parties
  2. Provide a copy of an individual’s data to them upon request and/or remove said data
  3. Provide individuals the option to opt-out of the sale of their data.

If any of our customers are big enough to fall under this law, we’ll have to look in more detail into the exact requirements for what to put on their website.

Link: https://www.hotelnewsresource.com/article106244.html
Link: https://www.caprivacy.org/

A More Detailed Summary of the Relevant Parts of the Law

Who does the law apply to?

(a.k.a. “The good news”)

  1. Businesses located within California, with annual gross revenues over $25 million and/or possession of personal information of 50,000 or more customers, households or devices.
  2. Customers who live in, or who conducted the transaction in, California.
    (Meaning if I make a reservation with a CA business while I’m here in SC, and that’s when I provide them with all my data, this law does not apply to me. But if I were to provide them with my data during my stay, then it would.)

How does this affect Q4Launch/Applicable customers?

(a.k.a. “How do we comply?”)

On the Website:

  1. If a customer is subject to the law, and we do their website, we’d need to add a “clear and conspicuous” notice/link on the homepage titled “Do Not Sell My Personal Information,” linking to a page where the customer can request info and opt-out via a toll-free number and/or an email address or form on the page.
  2. We’d also need to add relevant info about the law, a disclosure of what, if any, personal data is collected, if it’s shared with 3rd-party providers, and a link to the “Do Not Sell My Personal Information” page, within the existing Privacy Policy page.
  3. The customer would also need to provide two or more designated ways for consumers to request their data, including, at minimum, a toll-free number and a web address (I’m assuming this means a web form and/or an email address listed on the page).

Data Requests:

  1. The customer would need to comply with data requests within 45 days, free of charge. Must include 12 months’ worth of data.
  2. If a customer is subject to the law and gets a request from a consumer for their data, they’d have to include what data they shared with us (possible loophole – data we collect ourselves that our customer did not provide might not be subject?)
  3. If a customer gets a request from someone to not share their data, the customer couldn’t send it to us, and we’d have to remove it from our system if they’d already shared it.
  4. If a customer gets a request from someone to delete their data, we’d have to remove it from our systems as well (e.g. from Mailchimp).

What are the Exceptions?

(a.k.a. “ask a lawyer”)

Here’s where it gets confusing…

  1. Smaller businesses (<$25M) and those with databases < 50k customers.
  2. As mentioned, if a customer is not a California citizen, AND the data is not collected while in California, the law does not apply to them.
  3. Data doesn’t have to be deleted if it’s just used for transactional purposes/ongoing customer relationship (this is the kinda vague part that’s probably going to cause the most confusion/debate over what counts. Bring on the lawyers…)
  4. It looks like the basic guest records type info in a booking engine/PMS would be exempt since it’s for conducting business. But if they send it to us for marketing, that would count. This section is a bit vague/confusing. See bolded sections below for specific definitions & possible noteworthy exceptions.
  5. Businesses do NOT have to delete info if it is specifically used to “Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.”
  6. If the information is used specifically and exclusively for “business purposes” (i.e. completing the transaction, not marketing). The lettering and numbering below refer to the corresponding sections within the bill itself.
    (d) “Business purpose” means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.
    Business purposes are:
    (1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
    (5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

Here’s the full text of the bill, if you want some light reading: https://leginfo.legislature.ca.gov/faces/billCompareClient.xhtml?bill_id=201720180AB375
