Within the past year, several states have passed major data privacy protection acts designed to provide rights for their citizens in the area of data privacy and to provide substantial protections for their citizens in connection with those rights. California, following on the heels of its groundbreaking California Consumer Privacy Act, passed the California Privacy Rights Act that takes effect on Jan. 1, 2023. Virginia passed the Virginia Consumer Data Privacy Act, set to take effect on July 31, 2022. And Colorado passed the Colorado Privacy Act which becomes effective on July 1, 2023.
While social media companies, data aggregators, and other companies engaged in the acquisition, trade, sale, and use of consumer personal data clearly need to be aware of these laws and their nuances, the applicability of these laws to other businesses may not be readily apparent. But the following three reasons should make it clear that businesses in the retail and hospitality space should be aware of these laws and the potential impact they may have on their business and operations.
1. “My business is not located in California, Virginia, or Colorado, so I don’t need to worry about these laws.”
Setting aside the fact that California is the world’s fifth-largest economy and that doing business nationally in the United States requires a presence in California, each of these three laws has extraterritorial impact that extends its footprint well beyond the boundaries of the state where it was enacted. As seen in the table below, each of these data privacy laws applies to the collection of personal information from residents of these states, regardless of where the collection takes place, encompassing both travelers providing information to businesses while staying at a hospitality venue and consumers from these states purchasing goods or services through a website.
Applicability of State Data Privacy Statutes

| | California | Virginia | Colorado |
|---|---|---|---|
| Covered entities | For-profit entities that collect personal information from CA residents and meet at least one of the thresholds below | For-profit entities that conduct business in VA or offer products or services targeted to residents in VA and meet at least one of the thresholds below | Legal entities that conduct business or produce products or services that are intentionally targeted to Colorado residents and meet at least one of the thresholds below |
| Threshold 1 | Have at least $25 million in gross annual revenue | Control or process the data of at least 100k VA consumers | Control or process personal data of more than 100k CO consumers per calendar year |
| Threshold 2 | Buy, sell, or share personal information about at least 100k California residents or households | Control or process the data of at least 25k VA consumers and derive more than 50% of revenue from the sale of personal data | Derive revenue or receive a discount on the price of goods or services from the sale of personal data and control or process the personal data of at least 25k CO consumers |
| Threshold 3 | Derive more than 50% of annual revenue from the sale of California personal information | | |
In the interconnected world we live in, geography alone is not going to prevent a business from having to comply with these statutes.
2. “I don’t know what information I collect or with whom it is shared. I just sell goods and services.”
Ignorance is not a defense under these laws. Each of these laws has been passed but is being implemented on a delayed timeframe. That delay is built in to allow businesses to bring themselves into compliance. Regulators in these states expect that businesses will use this time to identify the information they are collecting from consumers and the entities with which they share it, and to enact policies and procedures that account for all of this information and allow these businesses to fully comply with these statutes. And these states have signaled that they intend to be aggressive and vigilant with enforcement once these statutes take effect.
California is a particular concern for enforcement. Under the California law, the state will create a new enforcement department, separate and apart from the State Attorney General’s office currently tasked with enforcing the California Consumer Protection Act. That new state regulatory agency will also be funded by the fines it collects. When an agency’s funding depends on issuing fines, you can bet that fines will be aggressively issued.
This self-funding regulatory situation has, in other contexts, particularly New York’s NYDFS system, resulted in robust and aggressive regulatory action against entities of all sizes.
3. “I don’t know where my customers are from and I don’t have any information about them.”
Compliance with these laws requires, for many businesses, a fundamental shift in how they handle and use the information they collect. These statutes all include provisions that allow consumers to access and learn more about the information a business collects from them and to have that information deleted on request. These consumer inquiries must be answered quickly (within 45 days under some of the statutes). For even a moderately sized business to respond, on such a tight timeframe, to a request for all information about an individual that it possesses or controls, that business must have tracked the information, and linked it to the individual from whom it was collected, from the moment it entered the business. This means that when information is collected, from whatever source or by whatever means, the business must know with whom the information is associated and must track that information through its organization and to any applicable third parties. That is going to require policies and procedures, plus internal enforcement procedures, to ensure all information is properly accounted for. And these procedures must be enforced across all vendors, partners, and businesses with whom the information is shared. This information diligence and accountability is a key feature of these laws and will, no doubt, be a key feature of enforcement proceedings as well.
4. “I heard all of this when the GDPR rolled out and I was fine then.”
While much was made of the potential impact of the EU’s General Data Protection Act and its data protection rules on U.S. businesses, many of the dire warnings about EU enforcement proceedings against U.S. businesses have not yet materialized. But enforcement actions in the EU have only recently begun in earnest. And it is, and continues to be, relatively painless for U.S. businesses to isolate themselves from EU operations to avoid the extraterritorial reach of the GDPR. But the trend in EU enforcement actions continues to be toward significant fines. And the isolation techniques businesses have used to keep themselves outside the reach of EU laws will not work with U.S. laws.
Retail and hospitality businesses have unique vulnerabilities when it comes to these laws. By the nature of their businesses, retail and hospitality operations depend upon the collection of vast amounts of consumer data. Rooms cannot be rented unless the person who is renting provides information about who they are. Goods and services cannot be sold unless information about to whom those goods and services are to be delivered is known. And, marketing in both retail and hospitality relies upon identifying past and future customers and interacting with them through multiple media outlets. Consumer information is critical in these spaces.
Identifying which of these statutes you may be subject to may not be easy. And complying with each of these laws, if you are subject to them, may not be easy either. But ignoring these statutes is not a recommended course of action.