There is a give-and-take relationship between consumers and businesses. It is well known, though seldom emphasized, that when opting for a service from a business, a consumer inadvertently shares certain personal information or details about themselves. A business can therefore easily collect specific information about a consumer, which may come across as an intrusion or breach of privacy. With privacy protection in mind, California has passed a consumer privacy law, commonly known as the California Consumer Privacy Act (CCPA).
What is CCPA?
This new privacy law, the Consumer Privacy Act (AB 375), was passed by California in late June 2018. Taking effect on January 1, 2020, with a further six months’ grace period for its actual enforcement and proper implementation, this bill would “grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of 3rd parties with which the information is shared. The bill would require a business to make disclosures about the information and the purposes for which it is used.” In short, under this law a customer has the right to ask a business to delete some personal information. As per the directive, “As the role of technology and data in every day lives of consumers increases, there is an increase in the amount of personal information shared by consumers with businesses. California law has not kept pace with these developments and the personal privacy implications surrounding the collection, use, and protection of personal information.” All in all, the challenge is to secure private data and protect it against breach.
Benefits of CCPA for Consumers
This law prioritizes the protection of private information and endows a customer with some high-end privileges:
• It will enable the customer to demand to see all the information a company has saved about them.
• It will also allow the consumers to view the full list of the third-party apps with which their information is shared.
• It will allow the customers to sue a company if it violates its privacy guidelines, even if there is no breach.
• Californians can easily say no to the sale of personal information or ask for its
• They can still opt for equal service and price, even while they stick to exercising their privacy rights.
• Consumers can always opt-out of a particular service and the business cannot retaliate by changing their price.
What Companies is CCPA Targeting?
Since it’s primarily a state-level law, it targets companies that serve California residents and make at least $25 million in annual revenue. In addition, any company that collects personal data on at least 50,000 consumers, or that earns more than half of its revenue from the sale of personal data, is also required to comply with CCPA.
[Note: Companies do not have to be present in California to be bound by the law. In fact, they are not even required to be based in the US.]
GDPR and the Contrast with CCPA
The European General Data Protection Regulation (GDPR) took effect in May 2018, controlling how companies and organizations can handle personal data. It has wider implications, but while CCPA follows somewhat the same lines on the protection of private data, it also goes a step further by empowering users with new rights, such as requesting that a business delete personal information or opting out completely of the sale of data through third-party applications. GDPR, on the other hand, controls how companies and websites should handle their data and requires that they obtain prior consent from the user before processing any personal data.
While GDPR is more of a ‘privacy by default’ framework for the EU, CCPA is more about creating ‘transparency.’ GDPR locks the door for users by requiring prior consent before data is processed, whereas CCPA opens the windows so that users can see how their data is being handled, decide whether or not they would like to sell their personal information to various companies, and opt out if they do not feel comfortable.
Thus, prior consent versus opt-out sums up the contrast between the CCPA and GDPR.
What Type of Data Does CCPA Cover?
CCPA data coverage is surely broader when compared to GDPR’s. Here’s what AB 375 considers as “personal information”:
1) Identifiers like real name, alias, unique personal identifier, postal address, email address, account name, passport number, online identifier, IP address, Social Security number, driver’s license number, and other similar identifiers.
2) Biometric information
3) Commercial information including records of products or services purchased, personal property, and other consumer and purchasing histories.
4) Characteristics of protected classifications under California or federal law
5) Internet activity including but not limited to browsing history, application and advertisement, search history and other details regarding a customer’s interaction with the website.
6) Professional details
7) Geolocation details
8) Educational information, something which is not publicly available personally identifiable information (PII).
9) Sensory information: audio, visual, olfactory, thermal, etc.
10) Information reflecting a customer’s tastes, preferences, characteristics, predisposition, attitude, etc.
Is Your Hotel Prepared For CCPA?
CCPA basically applies to all hotels that do business with California consumers, including hotels that are based outside of the state. But again, the application of CCPA to hotels is based on the following criteria. In other words, it will apply only to hotels which:
• Receive a gross revenue of at least $25 million.
• Collect, buy or share personal data of at least 50,000 Californian residents each year.
• Generate more than half of their revenue from selling the data of Californian residents.
All in all, only the larger hotels and chains are likely to be affected by the CCPA Regulation.
Why Am I to Abide by CCPA Regulation?
• Guests are extremely sensitive about their personal information
Well, who isn’t? Given the incidents in which Marriott, Cathay Pacific and British Airways were hit by hackers, leading to the personal details of guests being exposed, it is important to reassure guests. This is challenging, but CCPA is your best chance to assure your guests that you respect their privacy.
Perks: greater confidence, better trust, more bookings, extreme satisfaction.
What if I Do Not Abide?
Businesses can be fined $2,500 per violation, or $7,500 if the violation is found to be intentional. As currently written, AB 375 allows for penalties of $100 to $750 per consumer per incident, or actual damages, whichever is greater.
What are the Practical Steps to be CCPA Compliant?
There are a few practical steps you can take toward hotel compliance with CCPA by protecting your guests’ data. While seeking legal advice is certainly advisable, you can also follow these steps in tandem:
1. Keep a data collection document
It is easy to lose track of what data is collected, stored and shared by your hotel. Having a list gives clarity on how the data is stored and processed for further use.
2. Educate your staff in this regard
Once you are CCPA compliant, you need to be prepared to answer consumers’ queries regarding how their personal information will be used. In fact, some people will even ask for the deletion of personal information. Prepare your staff in this regard so that they can face the customers and answer their questions.
3. Ensure that your partners and third-party suppliers are all CCPA compliant
The stakes are high, so ensure that your partners and third-party suppliers are all working in accordance with CCPA. While most marketing software should be able to take care of opt-in/opt-out, complete reliance on it is out of the question.
You can undertake the following exercises to ensure the same:
• Engage in a conversation with each third party and ask what steps they have taken to be CCPA compliant. Since it is just the beginning, a dialogue will be mutually beneficial for all the parties involved.
• Create a compliance roadmap for each of them which aligns your organization’s own CCPA-impacted internal personal data processes with those of the third party. Gather a team of responsible stakeholders on both sides to see the project through to completion.
• Contract language should be reviewed and corrected so that it is CCPA compliant. Such an exercise is helpful in minimizing legal risk.
• Embed CCPA-compliant elements in your business plan with the third parties.
Other Beneficial Steps:
4. Make security updates and conduct an assessment of your IT infrastructure
An act of cybercrime will involve a lot of legal risks and has great potential to pose unthinkable damage to your reputation. Hence a comprehensive assessment of your security and IT infrastructure is the need of the hour.
5. Revise your policies
Your lawyer will help ascertain whether you need to revise the policies and terms and conditions of your website as per the CCPA regulations. So seek some legal advice.
6. Rebuild the Retargeting Lists
Retargeting lists built before January 1, 2020, whose members had not been given the opportunity to opt out earlier will need to be rebuilt.
7. Ensure opting out through emails for advertising
On a similar note, emails used for advertising prior to January 1, 2020, which had not given recipients the opportunity to opt out will now have to do so to maintain CCPA compliance.
8. Allow consumers to exercise their rights
Hotels can do so in two ways which make reaching out easier, both through the toll-free number and the website itself.
Many states and hotels are becoming aware of the growing need for CCPA Compliance. The need for safeguarding consumer data is going to grow only in the coming years. Hence it is better to start early and be prepared to avoid the risk of reputation damage by being CCPA Compliant. This will further enhance the customer confidence to book with you.