Odia Kagan, Partner, Chair of GDPR Compliance and International Privacy, Fox Rothschild LLP, shared with attendees what they need to know about the California Consumer Protection Act (CCPA), which went into effect January 1.
“Remember CCPA applies to any information that identifies people,” Kagan says. “It is super broad. It’s basically anything that could relate to a person … email address, IP address, browsing history, shopping history, and the last one, which is particularly important to those of you that do the marketing and the AI folks, is inferences derived from all of the information that you’re collecting. Profiles and consumer profiles, and inferences that you are making for the purpose of marketing and retargeting, and behavioral advertising, that’s all now included in CCPA.”
CCPA does not extend these rights to employees, Kagan explains. “If you have California employees, then you don’t need to give them all of these rights, but you do need to give them their own privacy notice about how you process their information.”
What CCPA does is it gives consumers (1) The right to ask for all the information a company has on them. “You need to have a process also for responding to them within 10 days saying, ‘Hey, we got your information. We’re giving you an answer,’ and giving the actual information in a form that’s easy to understand by the person within 45 days,” Kagan explains. (2) The right to delete: “People can make a request for you to delete all of the information that you have about them. In order to do that… you need to know where your information is,” Kagan explains. (3) The right to opt out of a sale of their information. “CCPA defines ‘sale’ in a way that is very counterintuitive,” Kagan warns. “‘Sale’ is sharing information, personal information with a third party, where the third party is non-service provider, either for money, or for any other valuable consideration.”
Hospitality companies should start by identifying what consumer information they collect. Think websites, clicking and browsing history, newsletters, pixels, loyalty programs, mobile apps, etc. “Any information that you’re collecting about people, you need to know what it is because you have to tell people what it is, and you have to organize your other obligations,” Kagan says.