CCPA Privacy FAQs: Under the CCPA, can a conference organizer use on-site tracking at their conference for third-party marketing?

Yes.

On-site tracking refers to the practice of scanning attendees’ badges manually (e.g., bar code) or automatically (e.g., RFID chip in badges read at doorways). Organizers track this information for various reasons, such as to award credit for attending various panels (e.g., continuing education verification) or for their own analytics (e.g., to track session attendance for future room allocation or to determine future programming).

Assuming that the CCPA applies to a conference organizer (e.g., the organizer does business in California and meets the minimum revenue or data subject thresholds), nothing within the CCPA prohibits the organizer from collecting on-site tracking data, or using that data for third party marketing (e.g., to market the products or services of conference sponsors to attendees).  The CCPA would require that a conference organizer disclose that they are tracking attendee behavior as well as disclose their purpose for tracking – including the use of the data to market third party products and services.  While the disclosure might come in the form of a privacy policy provided to attendees, it could be less formal – such as via a poster or sign at check-in.  Conference organizers should also consider the additional CCPA related implications:

  • If the organizer intends to sell the data to third parties, the organizer will need to provide a “Do Not Sell my Information” link in their online privacy notice.
  • An organizer may receive a request from an attendee for access to their information. In response to such a request, they may need to disclose all of the data collected about a particular attendee (e.g., locations tracked, activities recorded).
  • An organizer may receive a request from an attendee to delete their information. In response to such a request, they may need to have the ability to selectively delete information about the attendee, or to explain to the attendee why such information is not required to be deleted.  For example, if the information is being collected for a purpose other than marketing – such as security at the conference – the organizer may be able to deny the request on those grounds.
  • If the organizer transfers the personal information to a third party, and allows that third party to use it for their own purposes (e.g., to directly market to California residents), the organizer would have to include a “Do Not Sell My Information” link on their internet home page1 and within any only privacy policies.2 Further, the organizer cannot discriminate against any attendees who opt not to have their information sold by offering them fewer benefits or charging higher prices.3

Co-authored by Jason Schultz