www.calodging.com May/June 2019 17 about them (i.e., what categories and specific pieces of personal information the business has collected. 2. A consumer shall have the right to request that a business delete any personal information about the consumer that the business has collected from the consumer. 3. The right of Californians to know whether their personal information is sold or disclosed and to whom. 4. The right of Californians to say no to the sale of personal information. 5. The right of Californians to access their personal information. 6. The right of Californians to equal service and price, even if they exercise their privacy rights. 7. The right to request that a business that collects a consumer’s personal information disclose. 8. A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: a. The categories of personal information it has collected about that consumer. b. The categories of sources from which the personal information is collected. c. The business or commercial purpose for collecting or selling personal information. d.The categories of third parties with whom the business shares personal information. e. The specific pieces of personal information it has collected about that consumer. 9. A consumer shall have the right to request deletion of personal information. 10. A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out. 11. A business is prohibited from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to opt in. 12. A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the CPPA. What Businesses are Covered by the CPPA? The CCPA will apply to many businesses, including hotels and other lodging operations: “Business” means: 1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that … collects consumers’ personal information, or on the behalf of which such information is collected and that alone, and that satisfies one or more of the following thresholds: a. Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)… b. Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices. c. Derives 50% or more of its annual revenues from selling consumers’ personal information. 2. Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding (i.e., shared name, servicemark, or trademark) with the business. What Must Businesses Covered by the CPPA Do to Comply? In order to comply with the CPPA, covered businesses are required to, in a form that is reasonably accessible to consumers: 1. Make available to consumers two or more designated methods for submitting requests for information, including, at a minimum, a toll-free telephone number, and if the business maintains a website, a website address. 2. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. 3. Provide a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer to opt out of the sale of the consumer’s personal information. What Happens if a Business Violates the CPPA? The CPPA allows any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following: a. To recover damages in an amount not less than one hundred dollars ($100) and not greater than $750 per consumer per incident or actual damages, whichever is greater. b. Injunctive or declaratory relief. c. Any other relief the court deems proper. In addition, any person, business, or service provider that intentionally violates the CPPA may be liable for a civil penalty of up to $7,500 for each violation. Local Ordinances The CPPA supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business. Members with questions on this important and urgent topic are free to contact CHLA’s Member Legal Advisor, Jim Abrams (
[email protected] ).