What Advisors Should Know About the California Consumer Privacy Act

by Paul Ruden
What Advisors Should Know About the California Consumer Privacy Act

Most large companies have reissued their privacy policies with new, and substantially similar, sections devoted to general principles from GDPR. Photo: Shutterstock.com 


In May 2018, Travel Market Report published my article about the then new General Data Privacy Regulation, or GDPR, that was about to become effective with potentially far-reaching consequences. I noted that “it is impossible to be certain of the circumstances under which the GDPR will apply to specific small businesses in the U.S.” and that “the potential penalties for violation of the GDPR are life-threatening to many businesses; the upper limit is 4 percent of a company’s global sales (or $20 million, whichever is larger).”

Almost a year has passed, and thus far, Armageddon has not happened. We know, for example, that most large companies have reissued their privacy policies with new, and substantially similar, sections devoted to general principles from GDPR. We also know that while GDPR has spawned many complaints, small businesses have not been singled out, in Europe or the U.S. Here, for example, is the reported enforcement activity so far:

  • 95,000+ individual complaints covering telemarketing, promotional emails, video surveillance (CCTV)
  • 41,000+ data breach notifications
  • 255 cross border investigations
  • Fines to date: social network operator €20,000; sports betting café €5,280; Google €50,000,000

The penalties are not insignificant, but there is no reason to believe that the GDPR enforcement people are running wild against small businesses over minor issues.

That is not to say, however, that GDPR can be ignored. If you have actual or potential clientele in the European Economic Area (the EU plus Iceland, Liechtenstein and Norway), you want to be sure your handling of personally identifiable information is compliant. That’s the good news.

Concerns about data handling
The bad news is that concern about EU enforcement is not the only issue. As expected, GDPR has inspired more comprehensive privacy legislation in the U.S. In this and succeeding articles, I will elaborate on the California Consumer Privacy Act (CCPA) that becomes effective Jan. 1, 2020. It’s not too soon to begin thinking about how your agency will comply.

No expense should be incurred just yet, however, for several reasons. There are 19 pages of “technical amendments” under consideration. Also, the California Attorney General will be issuing regulations under the Act likely between Jan. 1, 2020 and July 2, 2020. Enforcement may not begin until the earlier of six months after the final regulations are published, and July 1, 2020. You can sign up for notices related to that rulemaking here. All this means there may be significant changes in the legislation before enforcement can start.

That said, if your business is large enough to fall under the CCPA, you likely plan well ahead for investment and strategic purposes and should at least be thinking about how you will comply with a significant increase in demands for privacy controls on the personal data your business collects and processes.

As things now stand, small travel advisors do not technically have to comply with the CCPA at all. The CCPA is directed at for-profit businesses that have $25 million or more in annual revenue, or trade in the data of 50,000 or more persons or derive 50% or more revenue from selling consumers’ personal information. The “consumers” whose data is covered by the CCPA are “natural persons,” thus excluding corporations, residing in California. In addition to the size factors, the CCPA will only apply if the business collects and processes the personal information of California residents and does business in the State of California.

As some have learned to their sorrow, the legal principles governing what is “doing business” in a state are complex and far-reaching. For example, physical presence in California is not required to establish that you “do business” there. Selling to California residents using, for example, digital services like email solicitations would likely suffice. A passive website alone probably would not; otherwise, every company in the world with a website would be deemed to “do business” in California.

Thus, if your business is below the size thresholds I have mentioned, you are not subject to the CCPA at least. If you’re above the thresholds, and serve individuals residing in California, you probably should assume, for current planning purposes, that you will be subject to the law.

About compliance
If your business is subject to either GDRP or CCPA, you have myriad issues to consider. For example, under GDPR’s requirement for clear, specific disclosure of the purposes for collecting personal data, the exact means of compliance is up to the individual company. CCPA goes further by requiring a clear and conspicuous link on the business’ homepage, reading “Do Not Sell My Personal Information.” The link must lead to a site where a consumer, or the consumer’s designee, may opt out of the sale of the consumer’s information.” If this link requirement remains in the legislation, it’s going to affect the design of the home page of every travel website subject to the law.

Another troubling element of the CCPA is the notion that “personal information” incudes “inferences drawn from any of the information … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.” This language appears to extend the data protection regime beyond the information gathered about the individual, but also information created on the basis of that information and identifiable back to the collected data.

In succeeding articles, we will explore these and other elements of the CCPA in more detail.

  1
  0
Tip of the Day

“I think it’s very important to remain optimistic and trust in the best outcome and move towards it…Think about what your goal is, and take steps to achieve it, then you’ll get there…[Advisors] just need to hang on and use this time to educate themselves and prepare to be where they want to be when this is over.”

Rose Haché, Esq., CTIE

Law Office of Rose A. Haché

Daily Top List
Brought To You By

5 Things Every Travel Agency Should Do To Boost Business

1. Specialize
2. Give a personal touch
3. Find your niche and sell an experience
4. Maintain a high standard of quality
5. Become a salesman…but inspire trust

Source: Azavista.com

Previous Daily Top List
TMR Recommendations
Top Stories
When You’re Ready, We’re Ready

Here's to traveling at your own speed. When you're ready, we're ready with clean, sanitized vehicles and a low-touch rental process.

Read...
ALG Vacations | Ready. Set. Go.
Read...
Why Sustainable Luxury Travel Will Be in Demand Post-COVID-19
Why Sustainable Luxury Travel Will Be in Demand Post-COVID-19

Torunn Tronsvang, CEO and Founder of Up Norway, discuss why sustainable luxury travel will be in high demand.

Read...
Travel Advisors Talk Service Fees
Travel Advisors Talk Service Fees

Advisors talking to TMR describe the case for, and against, charging fees

Read...
A Ship Board Romance Led to A Marriage and Travel Agency
A Ship Board Romance Led to A Marriage and Travel Agency

For Marc Hayes and Marisel Aleman, cruising holds a special place in their heart.

Read...
7 Day Challenge

USTOA President & CEO, Terry Dale, issues you a "7 Day Challenge" by sending a handwritten note to a USTOA Member to say thank you for being a friend and a partner. Please send this letter to your U.S. elected officials about the devastation the travel and tourism industry has experienced from the COVID-19 pandemic.

 
Read...
News Briefs
TMR Outlooks
Distribution Outlook
Polar Outlook
Alaska Outlook
View All
Advertiser's Voice
https://img.youtube.com/vi/NhuPy4x2cVs/0.jpg
Video: Tips for Selling Theme Parks and Resort Vacations During a Pandemic