- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Under the CCPA, can a company send follow-up emails after hosting a trade show or conference?
In the United States, a company can send follow-up emails after hosting a trade show.
On the federal level, the CAN-SPAM Act governs commercial use of email. While the CAN-SPAM Act prohibits the transmission of deceptive communications, and requires that companies include an unsubscribe link in commercial messages, it does not prohibit a company from transmitting email follow-ups following a trade show or conference, nor does it require that a company obtain opt-in consent to communicate a marketing message.
In California, the CCPA does not specifically address the use of email to communicate with attendees following a trade show or conference. The CCPA does, however, generally require that a company that collects email addresses from California-resident conference attendees provide the attendees with a privacy notice that discloses that the email addresses may be used for follow-up communications. Assuming that the privacy notice is provided, and California residents are informed about other CCPA-based rights (such as the right to request that their email address be deleted from the conference host), nothing within the CCPA prohibits a conference host from using the emails to transmit follow-up or marketing communications. Note, however, that if the attendee list is given to a third party to handle the follow-up emails, the conference-host should ensure that the third party is a “service provider” as defined by the CCPA or risk that the information transfer could be classified as a “sale” of personal information, which would trigger an obligation to honor “do not sell” requests.
In Europe, whether a follow-up email can be sent depends in part upon the nature of the communication. If the communication includes information relating to the event itself, the use of the email address may be permitted under GDPR Article 6(1)(a) (if consent had been obtained from the data subject), Article 6(1)(b) (if the follow-up communication is necessary to complete a transaction with the attendee), or Article 6(1)(f) (if the follow-up communication relates to other conference-related information, and the organizer failed to obtain consent to communicate). If the communication includes marketing content, the transmission could theoretically be permitted under GDPR Article 6(1)(a) (if consent had been obtained), or Article 6(1)(f) (the legitimate interest of the conference host to send marketing communications). It should be noted, however, that in order for a conference-host’s interest in marketing to be considered “legitimate” under the GDPR, the conference host must comply with other European laws that regulate marketing. Some Member States may have legislation implementing the ePrivacy Directive that requires a conference-host to obtain the consent of an attendee prior to the transmission of a marketing communication. The net result is that in many situations, a conference-host must obtain some form of consent before sending marketing communications to conference attendees.
Co-authored by Jason Schultz and David Zetoony
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
Can corporate affiliates share information for marketing purposes?
Companies that share consumer information between and among corporate affiliates rarely consider themselves as “selling” information. Specifically while corporate affiliates might be permitted to use the information to cross-market products and services, rarely do affiliated companies financially compensate each other for the information that they receive. Furthermore, because the information stays within the hands of entities that are subject to common ownership many companies (and arguably many consumers) do not perceive the information as being “transferred” at all.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.1 It furthermore states that two entities under common ownership are considered separate businesses unless they “share common branding.”2 For the purposes of the statute “common branding” is defined as a “shared name, servicemark, or trademark.”3 If a company “sells” information than the CCPA requires that it:
- Provide a “Do Not Sell My Personal Information” link on its homepage.5 If a consumer clicks on the link, the company must cease selling the consumer’s information.6
Based upon the above definition many corporate affiliates that share information for marketing purposes are concerned that their sharing could be interpreted as a sale, even if they receive no money in return for the information exchange, as a court might interpret the fact that information flows in both directions as “valuable consideration.” For example, if two fashion retailers are owned by the same corporate parent, and combine their customer lists so that each concept can separately market to the other concept’s customers, it is possible that a court could interpret the information exchange as a “sale” with the consideration being that each concept has gained access to the other concepts’ information.
The CCPAs treatment of corporate affiliates as potentially separate businesses that could sell information to, and from, each other has led many businesses to investigate the degree by which they “share common branding.” While that may be a straightforward inquiry in situations in which corporate affiliates operate under the same trade name and the same corporate logo, many affiliated corporate entities have some degree of autonomy from their sister corporations which raises questions and concerns regarding how much sharing of names, servicemarks, and trademarks is enough to be considered a unitary enterprise. The following provides six examples where corporate affiliates might utilize shared names to varying degrees on their respective websites and, as a result, may be subject to varying risks of being classified as separate “business” under the CCPA for which a sale of information has been made:
The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
1. CCPA Section 1798.140(t)(1).
2. CCPA, § 1798.140(c)(2).
4. CCPA, § 1798.130(A)(5)(C)(i).
5. CCPA, § 1798.135(a)(1), (2).
6. CCPA, § 1798.120(a), (d).