Whether fans are interested in football, baseball, NASCAR or major events like the Masters or the Olympics, they follow their teams or favorite athletes around the nation or even around the world. As a result, the sports-event industry ranks pretty high when it comes to the amount of personal data being exchanged en masse with third-party vendors.
The General Data Protection Regulation (GDPR), a binding European Union legislative act that places greater obligations on how organizations in the United States handle EU citizens’ personal data, came into effect in May 2018. The dust from the introduction of the GDPR has not yet settled, and now the sports-event industry must brace itself for the new California Consumer Privacy Act (CCPA), which takes effect in 2020. Driven by the continued rise in consumer data breaches and growing privacy concerns, the CCPA is a landmark policy that establishes the most stringent data protection regime in the United States. It is likely to force significant changes on organizations not already caught by the GDPR.
For most sports organizations, travel and events are a major component of a larger chain. This chain involves complex workflows in which data originates, is transformed and is pushed elsewhere. The data therefore does not live in silos and can be quite pervasive, so data privacy regulations affect your organization’s entire ecosystem and workflow.
The core of the CCPA consists of five new rights awarded to Californians:
- A right to know what personal information is being collected about them;
- A right to know whether their personal information is sold or disclosed and to whom;
- A right to say no to the sale of personal information;
- A right to access their personal information;
- A right to equal service and price, even if they exercise their privacy rights.
The CCPA also contains less obvious rights embedded in the legislation, such as the right to data portability and the right for consumers to benefit from the sale or disclosure of their data to third parties.
Organizations anywhere in the world that receive personal data from California residents will be bound by new regulations if they (or their parent company or a subsidiary) meet just one of the following thresholds:
- Generate gross revenue above $25 million
- Gather personal information from more than 50,000 California residents, households or devices annually
- Receive at least 50 percent of annual revenue from selling the personal information of California residents
The law will significantly strengthen privacy in the United States when it goes into effect on January 1, 2020. And several other states are preparing to introduce their own sweeping consumer privacy laws, following in the footsteps of the GDPR and CCPA. If you’ve worked hard to comply with GDPR, you now have additional work to prepare for CCPA.
Your journey to comply with these privacy laws will go smoothly if you operate a well-architected software environment, maintain a process-driven organization and have an effective data governance program in place. Most of us are not operating in this ideal. Complying with the GDPR and/or CCPA is a business-wide challenge that takes time, tools, processes and expertise, and it may require significant changes in your privacy and data management practices.
As a first step, you should learn about the new law, and work with a professional data privacy third party to interpret the new rules and monitor any changes. Then, do the following:
- Prepare data maps, inventories and other records pertaining to the personal information of California residents, households and devices
- Consider alternative business models, including California-only sites and offerings
- Establish designated methods for submitting data access requests
- Provide a clear and conspicuous “Do Not Sell My Personal Information” link on your website’s homepage
- Fund and implement new systems and processes to verify the identity and authorization of people who request data access, deletion or portability
- Update privacy policies with newly required information, including a description of California residents’ rights
- Establish policies to avoid charges that your business “willfully disregards the California resident’s age” by implementing methods of obtaining parental or guardian consent for minors under 13 and direct consent of minors between 13 and 16
The reach of the GDPR and CCPA goes beyond the sports-event industry. Data protection compliance is the “new normal,” and the way organizations respond to new rules and regulations can make or break customer relationships. Under the GDPR and CCPA, customers hold all the cards when it comes to their personal information, and companies must treat every consent relationship with the respect it deserves if they expect to maintain long-term trust.
FileOM is a data and privacy management consultancy that helps businesses meet compliance with data legislation, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Amit Khanna is CEO and co-founder of FileOM and maintains overall responsibility for business strategy, partnerships, and operations.