Data privacy and meetings businesses could be on a collision course soon, at least in California. Meeting and event companies are among the California businesses that may have to scramble once the state’s Privacy Rights Act takes effect in January 2023.
As of January 1, 2023, companies in California will have to honor consumer requests to delete the personal information companies gather on them, as well as demand access to that data and prohibit companies from selling it to others. What repercussions might this new expansion of California’s Privacy Act have for companies in the meetings and events space?
At first glance, California’s Privacy Rights Act, which expands on the state’s two-year-old Consumer Privacy Act, doesn’t seem to have much to do with meeting and event companies in that state — or does it?
It very well may, according to a recent article on Bloomberglaw.com. That’s because the employee and B2B exemptions in the original California Consumer Privacy Act (CCPA), which took effect in January 2020, are due to expire on Jan. 1, 2023, so California businesses may have to apply those consumer protections to the contractors and freelancers they work with, the article says. Or they may not — it’s not entirely clear just yet how this will play out.
“Employee privacy is one of those sleeper issues that has really become central,” Jeewon Serrato, a partner at Baker & Hostetler LLP in San Francisco, told Bloomberg. “Not just for the gig economy, but for companies in general.” CCPA applies to for-profit entities that have more than $25 million in revenue, possess the personal data of at least 50,000 customers (globally) or derive more than half of their revenue from selling data.
While companies can refuse requests that are “manifestly unfounded or excessive” under the law, they may have to demonstrate why they need to hang onto that worker’s personal data, say for security reasons, or to stay in compliance with other laws.
One possible glimmer of hope is that companies that already have revamped their systems and processes to comply with Europe’s General Data Protection Rule (GDPR) already had to figure out how to apply it to workers as well, according to attorneys interviewed by Bloomberg.
While the California Privacy Protection Agency did release proposed draft regulations in late May, they do not specifically address the B2B or employee data exemptions that could bedevil meeting and event companies, destination management companies, and others in the California events ecosystem that may find themselves at a loss with what to do when an individual contractor asks them to apply the data protections, or outright deletion of personal data.
Stay tuned as the rules continue to be defined and guidance issued before the new expansion goes into effect in six months.