Hidden Danger: Where Is Your CCPA Notice?
Insights
3.02.20
As I was checking my wife and myself into a nearby beach town resort during a recent spontaneous trip, I wondered when the smiling gentleman behind the counter would present me with the hotel’s CCPA notice. I am referring, of course, to the privacy notice that the California Consumer Privacy Act (CCPA) requires many businesses to provide to California residents as of January 1, 2020.
This notice identifies the categories of personal information about the consumer the business collects and all the business purposes for which the information is used. The new law requires that this notice be provided at or before the time that personal information is collected from consumers, which in the hotel context usually means at or before the time that the reservation is booked or the guest checks into the hotel.
Searching In Vain For The Required Notice…
Because I have been counseling many clients (including hotels and restaurants) on this CCPA requirement, I knew to look for it at this resort, mostly out of curiosity for how hotels I haven’t worked with are complying with this new law. After having me sign and initial some forms that I reviewed carefully, the gentleman handed me our room key and showed us on a property map how to get to our bungalow. Still, no CCPA notice.
I glanced around. Perhaps this hotel decided to post a sign in a prominent location that directs guests to the web address of the hotel’s privacy policy, a method of disseminating the notice that the statute does not expressly authorize but may be an option if the California attorney general’s proposed rules take effect in the Spring of 2020. But after a visual sweep of the hotel lobby, I did not observe any sign – at least none that drew my attention or that I could see. Which means that if signage was this hotel’s chosen method of communicating the CCPA notice, it clearly was not effective.
I then checked my email. Perhaps this hotel decided to email me its CCPA notice upon check-in, which would be a compliant way to provide the notice – as long as the email is sent at the time of check-in, not 15 minutes later. Still, no email. I had made the reservation through a third-party booking app, so I looked through the reservation confirmation emails. But still, no CCPA notice. I checked the booking site’s app that I used to book the room to see if it provided any CCPA notice on behalf of the hotel during the booking process. They didn’t, as far as I could see. And that makes sense; why would they take on this liability on behalf of the thousands of hotels listed on their app?
Missing Out Can Be Costly
I then thought to myself: surely a fancy resort like this one must have good lawyers on payroll or retainer. In my experience, good business owners typically do not knowingly fail to comply with the law. I had to believe that this hotel’s management or owners simply didn’t know about the CCPA or that the CCPA applied to them. I started getting anxious thinking about all the CCPA legal alerts they must have received over the last several months that just went to their spam folder. Or maybe they never actually read through them to understood what’s required.
However, ignorance of the law is no excuse (although in some circumstances it may result in lesser penalties based on lower culpability for the violation). The CCPA authorizes the attorney general to impose penalties of $2,500 to $7,500 per violation based on the severity of the violation and whether it was knowing or willful, or if it was repeated or continued after ample warning.
Warning: The Law May Apply To You
Many small or solo franchisees in the hospitality industry may think that the CCPA does not apply to you because you don’t meet one of the three threshold criteria. Your annual revenue is under $25 million; you do not annually collect the personal information of 50,000 or more California residents, households, or devices; and you are not in the business of selling information. But upon closer inspection, you may be disappointed to learn that this new privacy law, which became effective January 1, 2020, may yet still apply to you. Here’s why.
If you rely on the internet for your legal advice (bad idea!), you will learn the basics – that the CCPA applies to any for-profit business that does business in California, collects the personal information of one or more California resident, and satisfies one of three thresholds: (1) generates annual revenue of $25 million or more; or (2) collects the personal information of 50,000 or more California residents; or (3) derives 50% or more of its annual revenue from the selling of personal information. If your business is a local franchisee of a regional or national franchise, or a subsidiary or sister company among a family of companies, and your business does not satisfy any of the three thresholds, you may think this should be the end of the analysis. However, it is only the beginning.
The CCPA also applies to any other entity that “controls” or is “controlled” by a covered business and shares common branding with that covered business (whether the same trade name, dba, trademark or servicemark). This means that if your business is affiliated in any way with and shares common branding with another business that meets the above criteria and is subject to the CCPA, then the law would derivatively apply to your business if your business “controls” or is “controlled” by that CCPA-covered business.
The CCPA’s definition of “control” for purposes of this analysis appears to be broader than the concept of control in other areas of law you may be familiar with (such as the control group test applied by the Employment Development Department, for purposes of the Affordable Care Act, or for joint employment). The CCPA defines “control” or “controlled” as one of the following: (1) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of the business; (2) control in any manner over the election of a majority of the directors of the business or of individuals exercising similar functions as directors; or (3) “the power to exercise a controlling influence over the management of” the business.
The first two tests for control under the CCPA’s definition are easy to understand and apply. The third test, however, is where the ambiguity and debate lie. Hence, this is where the risk of litigation and enforcement actions may be elevated. Neither the statute nor the attorney general’s proposed regulations shed light on what it means to have the power to exercise a controlling influence, what exercise of such power looks like, what a controlling influence means, and what constitutes “management” over which the level of influence must be assessed. Does this require control over all aspects of managing the business, or just simply one aspect of management such as product development or sales process?
Franchisees, Be Warned
In the context of hotel and restaurant franchisees, if the CCPA applies independently to the franchisor, then it will also apply to franchisees where the franchisor has “the power to exercise a controlling influence over the management” of the franchisee. Reading the words of the statute for their plain meaning, this appears to not be about whether the franchisor actually exercises a controlling influence, but whether the franchise agreement can be interpreted to vest the franchisor with the “power” to exercise such influence.
Reading further, the phrase “controlling influence over the management” does not seem to require the influence to be the primary or only controlling influence, but rather just “a” controlling influence. The meaning of this phrase is wide open for different interpretations. One possible interpretation is that having a controlling influence over a company’s management for purposes of the CCPA is not the same standard as “control” for purposes of joint employment and wage and hour issues, as management here is not limited to controlling the hours, schedules, timekeeping, and wage payment practices of the franchisee.
The franchise business model typically gives franchisors power and control over the brand, the making, preparation, packaging, and presentation of products sold or services provided by the franchisee, and the design, décor, marketing, etc. of the franchisee’s retail place of business (whether a restaurant, hotel, or other establishment). Under the franchise model, franchisees typically have to follow certain rules required by the franchisor to maintain the brand image – again, nothing to do with control over employees for purposes of joint employment. While no court has been presented with this issue yet and the final meaning of “controlling influence over the management” has not been determined, there is certainly a potential argument that the franchisee-franchisor relationship inherently and inescapably involves the franchisor not only having the power to exercise sufficient control but actually doing so in their daily operations.
Based on this analysis, it is possible that the CCPA will apply to franchisees, subsidiaries, and sister companies even if these individual entities do not satisfy any of the primary thresholds for CCPA coverage. The CCPA will apply to such businesses if they either (a) meet one of the 3 thresholds stated at top of this article, or (b) share common branding with and are “controlled by” a parent company or franchisor that satisfies one of the 3 criteria, with the definition of “control” being so broad as to include “the power to exercise a controlling influence over the management of a company.”
Better Late Than Never
If your business falls into one of these categories and you have not yet done anything to comply with the CCPA, it’s better to be late than never. You should consult privacy counsel immediately and start working on your employee and consumer notices, privacy policy, and consumer request platform. DIY’ing CCPA compliance is just as risky as relying on the internet for legal advice. Fisher Phillips has a thriving Privacy and Cyber Practice Group and experienced attorneys ready to work with you on all aspects of CCPA compliance, including all consumer, employee, and website-related requirements.
Do not be like the fancy resort I stayed at that failed to provide me my CCPA notice. For most hotel guests, this is a non-issue. But for a privacy attorney like me, this will cost you a star in my review!
For more information, contact the author at UKahf@fisherphillips.com or 949.798.2118.
Related People
-
- Usama Kahf, CIPP/US
- Partner