What Advisors Should Know About the California Consumer Privacy Act
by Paul Ruden
In May 2018, Travel Market Report published my article about the then new General Data Protection Regulation, or GDPR, which was about to become effective with potentially far-reaching consequences. I noted that “it is impossible to be certain of the circumstances under which the GDPR will apply to specific small businesses in the U.S.” and that “the potential penalties for violation of the GDPR are life-threatening to many businesses; the upper limit is 4 percent of a company’s global sales (or $20 million, whichever is larger).”
Almost a year has passed, and thus far, Armageddon has not happened. We know, for example, that most large companies have reissued their privacy policies with new, and substantially similar, sections devoted to general principles from GDPR. We also know that while GDPR has spawned many complaints, small businesses have not been singled out, in Europe or the U.S. Here, for example, is the reported enforcement activity so far:
- 95,000+ individual complaints covering telemarketing, promotional emails, video surveillance (CCTV)
- 41,000+ data breach notifications
- 255 cross border investigations
- Fines to date: social network operator €20,000; sports betting café €5,280; Google €50,000,000
The penalties are not insignificant, but there is no reason to believe that the GDPR enforcement people are running wild against small businesses over minor issues.
That is not to say, however, that GDPR can be ignored. If you have actual or potential clientele in the European Economic Area (the EU plus Iceland, Liechtenstein and Norway), you want to be sure your handling of personally identifiable information is compliant. That’s the good news.
Concerns about data handling
The bad news is that concern about EU enforcement is not the only issue. As expected, GDPR has inspired more comprehensive privacy legislation in the U.S. In this and succeeding articles, I will elaborate on the California Consumer Privacy Act (CCPA) that becomes effective Jan. 1, 2020. It’s not too soon to begin thinking about how your agency will comply.
No expense should be incurred just yet, however, for several reasons. There are 19 pages of “technical amendments” under consideration. Also, the California Attorney General will be issuing regulations under the Act, likely between Jan. 1, 2020 and July 1, 2020. Enforcement may not begin until the earlier of six months after the final regulations are published and July 1, 2020. You can sign up for notices related to that rulemaking here. All this means there may be significant changes in the legislation before enforcement can start.
That said, if your business is large enough to fall under the CCPA, you likely plan well ahead for investment and strategic purposes and should at least be thinking about how you will comply with a significant increase in demands for privacy controls on the personal data your business collects and processes.
As things now stand, small travel advisors do not technically have to comply with the CCPA at all. The CCPA is directed at for-profit businesses that have $25 million or more in annual revenue, or that buy, receive, sell or share the personal information of 50,000 or more consumers, households or devices, or that derive 50% or more of their annual revenue from selling consumers’ personal information. The “consumers” whose data is covered by the CCPA are “natural persons” (thus excluding corporations) who reside in California. In addition to the size factors, the CCPA will only apply if the business collects and processes the personal information of California residents and does business in the State of California.
As some have learned to their sorrow, the legal principles governing what is “doing business” in a state are complex and far-reaching. For example, physical presence in California is not required to establish that you “do business” there. Selling to California residents using, for example, digital services like email solicitations would likely suffice. A passive website alone probably would not; otherwise, every company in the world with a website would be deemed to “do business” in California.
Thus, if your business is below the size thresholds I have mentioned, you are not, at least for now, subject to the CCPA. If you’re above the thresholds and serve individuals residing in California, you probably should assume, for current planning purposes, that you will be subject to the law.
About compliance
If your business is subject to either GDPR or CCPA, you have myriad issues to consider. For example, GDPR requires clear, specific disclosure of the purposes for collecting personal data, but the exact means of compliance is left to the individual company. CCPA goes further by requiring a clear and conspicuous link on the business’s homepage, reading “Do Not Sell My Personal Information.” The link must lead to a page where a consumer, or the consumer’s designee, may opt out of the sale of the consumer’s information. If this link requirement remains in the legislation, it is going to affect the design of the home page of every travel website subject to the law.
Another troubling element of the CCPA is the notion that “personal information” includes “inferences drawn from any of the information … to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.” This language appears to extend the data protection regime to cover not only the information gathered about the individual, but also information created on the basis of that information and traceable back to the collected data.
In succeeding articles, we will explore these and other elements of the CCPA in more detail.

