As most of you know, the California Consumer Privacy Act (CCPA) is going into effect on January 1st, 2020. The CCPA is a bill passed in California in 2018 to enhance privacy rights for California consumers.
As a company that specializes in attendee data collection in the trade show industry, specifically lead retrieval and session tracking, the impact of the bill and how it would affect us, is, of course a major concern to us.
To provide some background, the CCPA grants California consumers five basic rights:
- THE RIGHT TO DISCLOSURE – Businesses must clearly state what data they are collecting and why they are collecting it. This statement should include a link to a business’ “Do Not Sell My Data” page in the business intends to sell or transfer consumer data.
- THE RIGHT TO DELETION – If a consumer requests that their data be deleted, a business had 45 days to comply.
- THE RIGHT TO ACCESS – Consumers have a way to access the personal data a company has collected on them. This right applies to data collected up to 1 year before the request. Data must be sent in a portable and usable format.
- THE RIGHT TO OPT OUT – Consumers have a right to “opt-out” of having a business sell their data. Third parties that have been sold data must be give notice to the consumer and the consumer must have the ability to “opt-out” of the third party selling data that they receive.
- THE RIGHT TO NON-DISCRIMINATION – Consumers that choose to exercise their rights under the CCPA can not be discriminated against.
So where does lead retrieval fit with all of this? For the purposes of the CCPA, a lead retrieval provider is a “service provider.” A service provider is an entity that works at the behest of businesses that are covered by the CCPA.
One quick note here about the businesses covered by the CCPA. The CCPA covers for-profit entity’s in the state of California that meet one of the following criteria:
- Has annual gross revenues in excess of $25 million; or
- Handles data of more than fifty thousand people or devices; or
- Has fifty percent or more of revenue coming from the sale of personal data.
Assuming a business meets one of these qualifications, then what is a service provider?
A service provider is defined by the CCPA as the following:
- A legal entity organized for profit
- That processes personal information on behalf of a business
- To which the business discloses a consumer’s personal information for a business purpose.
- Pursuant to a written contract that prohibits the legal entity (the service provider) from retaining, using or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.
So let’s apply these qualifications to a company, such as Bartizan’s, who is providing lead retrieval. We are a legal entity organized for profit. By providing our lead retrieval apps to exhibitors at trade shows, we process consumer data by allowing exhibitors to capture attendee data. The business purpose is, of course, providing attendee data to exhibitors so that they can market their goods and services to the attendees who visit their booths
Most importantly, Bartizan does not retain, use or disclose the attendee data for any purpose other than that specified in the written contract with the business. This has been our policy for as long as we have been in existence. It is vitally important to us that we have the trust of the show organizers and reg. co.’s that work with us. And the only way to do that is to make sure that we only use the attendee data that we process for the business purpose for which it is intended.
About the author: In addition to his duties of EVP Sales & Business Development, Chris Eisenberg serves as Bartizan Connects’ in-house attorney specializing in Data Compliance. Chris advises companies on how to navigate the new data protection and privacy laws to ensure that they are compliant.