As state laws aimed at securing consumers’ personal information proliferate, planners need to stay abreast of legal cybersecurity requirements. In January, Virginia’s Consumer Data Protection Act (CDPA) took effect, the second such legislation in the United States (following the California Consumer Privacy Act (CCPA) in 2018) to create strict rules for collecting, storing, and processing personal data. Three additional states—Colorado, Connecticut, and Utah—are set to launch similar laws later this year. Jill Joerling Blood, lead legal counsel for Maritz Global Events and the privacy and compliance officer for Maritz Holdings in St. Louis, Mo., spoke with ConventionSouth about these new laws and what they mean for planners and attendees.
What spurred the creation of these laws? Was the European Union’s General Data Protection Regulation (GDPR) an inspiration?
I don’t think there’s any one specific thing that spurred the creation of these laws. Europe certainly set the stage with GDPR and its continued focus on data privacy. In addition, I think high-profile data incidents have caused consumers to demand greater transparency into how their personal information is used and greater control over what happens to their personal information after it is shared. I believe these laws are a reaction to those consumer demands.
What do privacy laws mean for planners, and will they change the way events are run?
GDPR, CCPA, and these new state laws are emblematic of a trend toward an increased focus on privacy in the United States. Even in locations where privacy laws have not yet been adopted, attendees increasingly expect transparency on how their data is used and want more control over that usage. For meeting planners, anticipating and accounting for that increased focus on privacy will be important. A good barometer is asking yourself, “If an attendee knew I was using their data in this way, would they be upset?” If the answer is yes, it might be worth revisiting that usage regardless of location.
What advice would you give planners to help navigate these laws?
I would say first it’s important to seek out and rely on the advice of privacy consultants and experts. These laws are complex, and compliance will look different for different businesses. While compliance with these laws is important and should be taken seriously, it doesn’t mean that you should be scared to innovate or to utilize data to design and plan better meetings and events.
How do these new laws affect attendees?
Attendees are likely to see increased transparency about how their data is used and shared. That transparency will be demonstrated in things like updated privacy policies and more robust cookie management tools.
How significant is it that Virginia recently enacted a consumer data protection law?
Virginia’s law is important because it marks the expansion of these types of privacy requirements outside California. I think we’ll see more states enact these types of laws in the coming years, and Virginia is at the cutting edge of this wave of privacy laws and regulations.
What is the reach of these laws? Does the Virginia law apply only to Virginia residents and to meetings taking place in or organized by companies in that state?
Virginia’s law has fact-specific applicability thresholds based on the number of Virginians whose data is processed annually and the percentage of revenue a business makes from the sale of data. It’s important for businesses to evaluate these thresholds and determine how the law applies to their meetings or events. That said, we are seeing a trend toward meeting planners applying similar privacy rights to all attendees regardless of location. So, in many cases, if attendees in any location would have rights under any of these laws, planners are granting those same rights (such as the right to access or request deletion of data) to everyone.
What has the industry’s reaction to these laws been so far?
GDPR really increased the industry’s focus on privacy and security when it went into effect a few years ago, and the industry did a great job with GDPR compliance. That work is a great foundation regarding these new laws, so as an industry we’re not starting from scratch. That said, I think there is some fatigue around the realization that GDPR was only the start of privacy compliance, and navigating these laws and regulations will be a reality for planners for the foreseeable future. That fatigue is compounded by the challenges the industry has faced over the last few years. It’s hard for planners to find the bandwidth to navigate these changing laws.
Note: This is not legal advice. Readers should consult an attorney for information on privacy laws.
