Written with Joel Sherwin. Joel Sherwin is a business lawyer who regularly advises financial technology, payments, and e-commerce companies on commercial transactions and regulatory requirements, including consumer privacy, BSA/AML and KYC compliance.

The California Consumer Privacy Act, or CCPA, took effect January 1, 2020. After spending some time with it, the first thing that becomes apparent is how broad the law is. It’s probably broader than most businesses realize. We’re starting a series that will cover some of the challenges when trying to navigate CCPA compliance especially how this might impact tournament organizers and publishers in esports.

This series will break down:

1. Which businesses fall under CCPA?
2. What does it mean to comply with CCPA?
3. What is the risk of esports tournament organizers and publishers under CCPA?

In our second installment in our series on the California Consumer Privacy Act (CCPA), I’m going to go over what compliance under the new legislation looks like. As I mentioned before, the law is very broad and leaves a lot of room for interpretation. This article is going to discuss consumer rights outlined by CCPA and pose scenarios that game publishers and esports tournament organizers should keep in mind when creating workflows to handle privacy related requests.

Based on some conversations I’ve had, I think a lot of people are complying with the disclosure requirement by updating their privacy notice and stopping there. Your privacy policy is one aspect of compliance, but the CCPA does extend significant additional rights beyond just a notice of disclosure.

When you put something in your privacy policy, you’re meeting the disclosure requirement (if it’s done correctly). However, that doesn’t mean you’re meeting the consent requirements or any of the other rights that we’ll discuss later in this article including the rights for consumers to:

• Access their personal information that a business has collected
• Have their information deleted upon request
• Know what information of theirs a business has collected or sold
• Opt out of the sale of their information
• Non-discrimination when exercising any of their rights as defined by the CCPA

Some might think that putting up a notice on their privacy policy will be enough, but actually complying with CCPA would require building a database so that you understand:

• What information is being collected
• When the information was collected
• Which individuals had data collected
• Where those individuals were located at the time the information was collected

For larger publishers that may expect a large amount of inbound CCPA requests, it will be important to create a system to respond to consumer requests. Some publishers may have to train personnel to handle these requests, depending on the size of the business. CCPA requests may not be as simple as someone calling up and saying, “Hey, I’m John Smith and I want my data.” In some instances, you may only have an email address or an internet handle to start with, possibly even less than that. The person requesting may not have rights under CCPA. You’ll have to validate that person’s identity, and there’s got to be a workflow to handle that.

Some other things to consider when creating these workflows might be, what do you do if the person requesting their personal information doesn’t have an account with you? Maybe their information was collected through a passive channel, such as a cookie or something like that. How do you validate that person’s identity? CCPA is too big and too new right now for anyone to have all the answers, but these scenarios could potentially cause problems for companies.

Since CCPA has only been in effect for a short period of time, it remains to be seen how this will impact game publishers and esports tournament organizers. However, it’s still important to analyze your risks in preparation for any number of scenarios that could play out, especially if you’re a larger company with a large number of consumers that have rights under CCPA and may exercise those rights. Compliance under CCPA reaches beyond a simple notice of disclosure, and in order to protect yourself, it’s important to set up databases and workflows to manage inbound privacy and data requests.

The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.

Need Help Navigating CCPA?

Reach out and talk to us about how to navigate CCPA and Paying Prize Money