Q: Our agency specializes in high-end cruises and resorts. We maintain a database of past clients with all their contact information and preferences. A data broker has approached us and has offered to buy a copy of the database for a lot of money, since many other businesses would be interested in selling products and services to our wealthy clients. If we need clients' consent to sell the data, then we won't go forward, as I'm sure that asking for permission would offend clients. Do we need clients' consent to sell the data?
A: Remarkably, 47 states and the federal government have no laws or regulations that prevent you from selling your clients' data. Three states -- California, Colorado and Virginia -- have applicable laws, but the last two states' laws have not yet gone into effect. These three states' laws will apply to the data of their residents, regardless of your agency's location.
The new California Privacy Rights Act will go into effect on Jan. 1, supplementing the California Consumer Privacy Act that went into effect two years ago. The legislation will apply if your agency "buys, sells or receives personal information about at least 50,000 California consumers, householders or devices for commercial purposes."
In other words, you need to have at least 50,000 California clients in your database or you must have at least $25 million in annual gross revenue. Revenue would be measured by commissions, overrides, fees and markups -- not by sales.
Very few agencies meet either of these thresholds, but if you do, then you must give California clients the right to opt out of the sale of their data.
The Virginia Consumer Data Protection Act also will go into effect on Jan. 1. It applies if you target Virginians and have over 100,000 consumers in your database. Clients in that state will have the right to opt out of the sale of their data.
The new Colorado Privacy Act will not go into effect until July 1. It will apply if you target Colorado residents and either (i) process the data of more than 100,000 consumers per year or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data of at least 25,000 consumers, regardless of their location.
So, if there are more than 25,000 people in your database, including some Coloradans, you need to obtain the Coloradans' consent to sell their data.
Taking the three laws into account, you can see that if you have fewer than 25,000 people in your agency's database, none of these laws applies, and you are legally free to sell all of your data to anyone.
It is amazing that, unlike citizens of most developed countries, most Americans have no right to keep their personal travel-related data private. However, one of the Biden administration's longer-term goals is to enact a "consumer privacy bill of rights" that would require businesses to obtain consent to the sale of any American's personal information.