The advent of the new decade is sure to bring several significant changes to the events industry. In fact, the first one hit at the stroke of midnight Pacific Time. That’s when the requirements for the California Consumer Privacy Act (CCPA) went into effect. The CCPA is the first comprehensive U.S. law that oversees how companies manage consumers’ personal data.

Despite the name, the impact of this act will be felt beyond the Californian borders. Event marketers will need to be acutely aware of who they are gathering information from and how the CCPA impacts both parties.

What is the CCPA?

The California Consumer Privacy Act of 2018 is a set of laws that dramatically regulates the collection, storage, and sale of California residents’ personal information. The measure is officially known as AB-375, but it is referred to most often as the CCPA.

The CCPA was signed into law on June 28, 2018, which is, technically, when it officially went into effect. However, the requirements of the law went live January 1, 2020, and even those remain somewhat fluid since the California Attorney General has until July 2, 2020, to publish final regulations (the current status is known as “draft regulations”). No legal action can be taken against CCPA violators until July 1, 2020, or six months after the final regulations are published, whichever comes first.

Who Does the CCPA Affect?

The CCPA does not apply to all businesses. For-profit organizations fall under the jurisdiction of the CCPA if they meet any of the following requirements:

• The company has annual gross revenues of more than $25 million.

• The company makes a profit by buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices.

• The company earns at least half of its annual revenues by selling consumers’ personal information.

According to a conservative estimate by the International Association for Privacy Professionals, more than half a million U.S. companies will be directly affected by the CCPA. A business or organization does not need to be located in California or employ California residents to be impacted by the law, nor do California residents need to be within the state’s boundaries to be protected by the law.

For example, if your company is subject to the CCPA and you’re hosting an event in Utah, every California resident at the event remains protected by the CCPA. This is also true for Californian visitors to your event website.

What Are California Consumers’ Rights Under the CCPA?

The rights provided by the CCPA to California citizens are similar to those offered to European Union (EU) residents by the General Data Protection Regulation (GDPR), a law that significantly impacts how companies collect, manage, store, and dispose of the personal data of EU citizens.

Under the CCPA, consumers have the right to:

• Know exactly what personal information is being collected.

• A complete understanding of how their personal information will be used, including if there is an intent to sell it.

• Deny the sale of their personal information.

• Receive the same treatment, services, and pricing if they opt-out of the sale of their personal information.

• See what information has been collected about them.

• Request that some or all of their information be deleted. Also, if this information has been shared or sold to other organizations, those third parties must delete the data, as well.

The CCPA also makes it easier for the public to sue companies and organizations that abuse or misuse consumers’ personal data. This means that organizations have more incentive than ever to ensure that collected data is secure, since a data breach could quickly become a costly affair.

What is an Event Marketer’s Responsibilities Regarding the CCPA?

The TLDR answer is you need to tell people what you are doing with their data.

The good news is that consumers and event attendees want the service that data acquisition requires. They want a personalized event experience. They want experiential activations where certain elements appear specifically tailored for them. They want intimate educational sessions adapted to their needs.

Attendees understand that these activations cannot occur without providing their personal information and are typically willing to exchange their data for an extraordinary experience. What the CCPA requires is that you detail (upfront) what information you are collecting, how you intend to use it, and where and how long you plan to store it.

As far as what exactly counts as personal information, the CCPA defines it as anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Does that mean, if your organization falls under the CCPA and a cookie is placed on a Californian resident’s computer after they visit your event registration page, that you violated the CCPA? Probably not. However, if you use that cookie for a retargeting campaign (i.e., you are tracking and collecting information about a Californian user to predict their online behavior), then the CCPA does apply. The cookie itself is not the issue. It’s how transparent you and your organization are regarding the cookie and any information it gathers that’s important.

Companies are obligated to make it easy for consumers to deny the sale of their data, view their collected information, and request that it be deleted. For example, event websites and registration pages must have a “clear and conspicuous link” titled “Do Not Sell My Personal Information” that links to a page where visitors can opt-out of sharing their information.

The penalties for noncompliance with the CCPA vary depending on the severity of the violation. If the offense is found to be unintentional, the minimum penalty is $2500. For intentional violations, the fines can reach as high as $7500. Businesses must fix the violations within 30 days after notification. In addition, if the violation was a data breach, consumers have the right to file a class-action lawsuit where the costs can add up quickly.

How Can Event Marketers Prepare for the CCPA?

Be transparent when it comes to data collection and use. People need to know that a company or organization is going to be considerate with their data and use it responsibly. The majority of consumers and event attendees will share their personal information with organizations they trust.

However, that trust has to be earned. The days of consumers blindly trusting companies with their data are long gone. Bad faith organizations, such as Cambridge Analytica, and those that have been careless with data repositories have made consumers wary of sharing their personal information. A few bad apples really have spoiled the bunch, and now governments are stepping in with regulations.

The GDPR and CCPA are only the first laws to arise. Others will follow soon. In fact, New York, Massachusetts, Washington state, and Georgia are actively debating privacy regulations.

What that means, however, is that there will be a variety of compliance issues and notifications that event marketers will need to navigate in the very near future. Fortunately, there are far more similarities than differences between the GDPR and CCPA. That means other state’s regulations will likely follow suit.

It also means that, even if you are not affected by the GDPR or CCPA, the time to become transparent about your data collecting policy is now. Organizations that had to prepare for the GDPR had an advantage readying for the CCPA, just as those who are CCPA compliant will be better prepared for the next set of regulations.

There are sure to be some bumps in the road, but event marketers who will see the most success are those who are fully transparent about their data usage and who can provide significant value in exchange for attendees’ data.