by Kevin Iwamoto | July 30, 2018

Now that our industry has become accustomed to hearing about GDPR (the General Data Protection Regulation), which concerns safeguarding the private data of European and U.K. citizens and residents, we now have its American cousin in CCPA — the California Consumer Privacy Act.

The bill, technically known as AB 375, is similar to GDPR is some ways, but so far it still has a lot of undefined areas that we expect will get more detailed as the January 2020 launch date approaches. Keep in mind that this new regulation is getting a lot of attention from Silicon Valley corporate titans, because almost everything they do and provide is centered around personal data collection and utilization for revenue-generating purposes. They are concerned because CCPA aims to allow California residents the right to ask for the data a company has collected on them and to find out where the data has been sold.

These California companies have teams of lobbyists who focus on local, national and global interests, and rest assured that they will have influenced the final form the measure takes. For now, the bill's sponsors say they will work with the state’s attorney general's office to develop a plan to enforce the law.

Here’s some of the highlights of AB 375 or CCPA:

  • The California attorney general would oversee deciding whether to pursue legal action against companies for violating the law. Individual consumers can still sue under the law even if the attorney general doesn't pursue the case.
  • Damages paid to consumers top out at $750 per person in each instance where the law is violated, and the highest penalty per violation that can be levied against companies is $7,500.
  • Companies need to get parental/guardian opt‐in agreements to collect data on anyone younger than 16.

Below are some of the rights consumers will have because of this CCPA:

  • The right to know all data about you collected by a business;
  • The right to say no to the sale of your information;
  • The right to delete your data;
  • The right to be informed of what categories of data will be collected about you prior to its collection, and to be informed of any changes to this collection;
  • The right to know the categories of third parties with whom your data is shared;
  • The right to know the categories of sources of information from whom your data was acquired;
  • The right to know the business or commercial purpose of collecting your information.

I am still researching how this new law would impact us specifically in the business travel, meetings and events industries. Does this mean that, like GDPR, it doesn’t matter where a data-collecting company is headquartered? Does CCPA apply to you if you’ve traveled from another state or country to attend a meeting held by a California-based organization? Does it mean the reverse as well, that if you are a California resident and you travel to attend a conference, event or meeting in another state, that the CCPA laws still apply for your data privacy?

Watch this space as I will continue to monitor and update the story just as I did with GDPR. The good news is, I have a much longer runway to report and update on CCPA, because January 2020 is not as imminent as May 25, 2018, was for GDPR.

In the meantime, if you want to check out the current details on CCPA, go to


Kevin Iwamoto is senior consultant at GoldSpring Consulting. You can follow him on Twitter @KevinIwamoto.