Frequently asked questions
As many of you know, the California Consumer Privacy Act will soon go into effect. Like GDPR, it has wide-sweeping effects for the hotel and technology industries at large.
To help prepare our customers, we’ve prepared a Q & A below to educate our clients on the new legislature, how hotels need to prepare and what we’re doing to support. Please review thoroughly below and let us know if you have any further questions, which should be directed to Denise Barker, our Privacy and Security Officer at dpo@cendyn.com.
What is an overview of the CCPA?
This new legislation has a wide impact as well as a broad focus. It defines personal information broadly and gives consumers certain rights over their data.
The main individual rights include:
- Right of access
- Right of deletion
- Right to data portability
- Right to information on data selling
- Right to opt-out of data selling
- Private right of action in the case of breaches
What types of disclosures are covered?
With CCPA, consumers can demand to see the personal information that hotels have collected about them, including:
- The categories of personal information it has collected about that consumer.
- The categories of sources from which the personal information is collected.
- The business or commercial purpose for collecting or selling personal information.
- The categories of third parties with whom the business shares personal information.
- The specific pieces of personal information it has collected about that consumer.
What is the scope of the California Consumer Privacy Act?
The CCPA covers “businesses” defined as for-profit entities that collect consumer personal information, determine the purposes and means of processing, do business in the state of California and either:
- Earn $25 million in revenue per year;
- Receive for commercial purposes, sell, or share for commercial purposes 50,000 consumer records pear year; or
- Derive 50% of annual revenue from selling personal information.
When does it go into effect?
CCPA goes into effect on January 1, 2020 and the enforcement date is July 1, 2020.
What personal information is covered?
According to CCPA guidelines, personal information is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
It includes, but is not limited to, the following:
(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(B) Any categories of personal information described in subdivision (e) of Section 1798.80.
(C) Characteristics of protected classifications under California or federal law.
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
What can consumers request regarding their data and how should they make requests?
Consumers may ask for the following:
- Access to Data
- Deletion of Data
- Data Portability
a) Data requests from consumers who have had data collected directly by Cendyn via corporate marketing and Cendyn.com webforms can email privacy@cendyn.com with the request starting January 1, 2020. This is the same process for consumers requesting data reports per GDPR, which can be requested now.
b) Data requests from consumers of our hotel clients should be managed directly through the client’s channels and processes.
What responsibility does Cendyn have in regard to our clients and how they use data?
Cendyn’s responsibility is processing our clients’ data in a responsible, secure and private way as instructed by the client. Cendyn is also committed to help educate hoteliers on how to plan for CCPA with guides, blogs and other resources on Cendyn.com.
Will CCPA change how Cendyn manages data and communicates to our own marketing database?
On the personal data request side, the majority of regulations mandated by CCPA were already completed by Cendyn with GDPR preparations in 2018. However, we will be using this opportunity to implement a global opt-in policy for our email database moving forward. We feel this is best practice and ensures only those people who truly want to hear from Cendyn receive our messages. Please note this is for Cendyn’s own corporate marketing efforts, not our hotel clients.
What is Cendyn’s representation of the new law?
Cendyn sees the CCPA as a global trend of consumer awareness around data privacy and the need for hotels to ensure they establish a tight, secure and clear process around data collection and transparency. Data collection is a powerful tool to serve guests in a personalized way – it’s the core of our business – but it’s imperative that our clients use that power wisely with the proper channels for guests to opt in, request data collected and establish clear steps to opt out of collection should they wish to.
What are we recommending our clients do?
Cendyn recommends that our clients 1) review all data collection channels across their organization 2) establish an updated Privacy Policy detailing information collected and 3) ensure a clear process is in place to share this information with guests as requested and provide collection opt out vehicles that are straightforward and processed quickly.
What is Cendyn doing to prepare for the CCPA?
Cendyn has been working with data/privacy specialists and attorneys to ensure our processes and platforms are built to comply with CCPA and to provide recommendations to our clients on how to prepare in advance.
Should changes to Websites be implemented?
Cendyn clients who sell their data will need to comply with CCPA in a few areas on their Web site:
- Update their Privacy Policy to include a statement of what data they sell and to whom it is sold.
- Add an obvious call to action on every page of their Web site that allows their users to request that their data not be sold, and then act upon the request.
- Enter into an updated Data Processing Agreement with Cendyn indicating that the Client (owner of the data) and not Cendyn is selling this data.
Cendyn clients that do not sell their data will need to update their Privacy Policy to indicate the categories of user data they collect.
Does Cendyn sell our client data?
No. We do not.
Please note this is not to be treated as legal advice, the information included here is to be treated as best practices only.