The California Consumer Privacy Act (CCPA) will come into force in January 2020, and like other data protection laws, such as the General Data Protection Regulation (GDPR) in Europe, its application goes beyond borders and should be taken seriously by Canadian companies that have customers in California. The CCPA applies however to only those organizations doing business in California who exceed the following thresholds:
- The organization has annual gross revenues of more than $25 million;
- The organization is processing the data of 50,000 or more California residents, households, or devices annually; or
- 50% or more of the organization’s annual revenue come from selling California residents’ personal information.
Unfortunately, the CCPA is extremely wordy and complex. Duplicative provisions and clauses that sometimes conflict with other state laws, such as the California Civil Code, don’t help. There are numerous pending bills to offer clarifications and corrections to the CCPA that await consideration by the state assembly’s privacy committee. The Attorney General’s office has also conducted hearings and received numerous comments on the CCPA. It is hoped that further guidance will be received in the Fall of this year. However, we do know that the CCPA is here to stay, and this article will briefly cover those new requirements that will certainly be coming into force in 6 months.
In Canada, a great deal of importance has been placed on being transparent about one’s privacy practices. Clear policies that highlight data handling practices, and obtaining customer consent (as reasonable and expected) before sharing personal information, are critical to demonstrating accountability.
The CCPA goes even further, stating that businesses must add language to their websites to specifically address the privacy rights of Californians. The provisions of the CCPA, often referred to as ‘Shine the Light’, specifically highlight the disclosure of consumers’ personal information to third parties for direct marketing purposes.
To Sell or Not to Sell Personal Information
Organizations who share personal information for valuable consideration need to make some important decisions going forward in light of the CCPA. If one is selling the data of Californians’ a specific “Do Not Sell My Personal Information” link or opt-out page needs to be provided. Also, opt-in consent is required for 13-16 year old Californians, and parental consent is required from children under the age of 13. If someone does opt-out of the selling of their data, the organization must refrain from seeking consent to reverse this decision for 12 months from the time the Californian resident opted out.
Note also that as of January 2020, any selling of Californians data that occurred over the past year in 2019 must also be disclosed in one’s privacy notices.
Given how onerous the CCPA will make the selling of Californians’ data, many organizations will choose to avoid selling such personal information, and should also clarify in written contracts with business partners that personal information is not being communicated for consideration.
The right to access, deletion of one’s data and the right to have one’s data moved to another service provider (the right to portability) are also spelled out in the CCPA. Thus, it is important for Canadian organizations to consider at this time how they will respect these new consumer rights for Californians.
In Canada, the Federal Privacy Commissioner does not have the power to impose fines for contraventions of PIPEDA and consumers do not have a private right of action. The Commissioner can enter into a compliance agreement with an organization that requires specific changes to information-handling practices, but other than attempting to enforce such an agreement in court or identifying a PIPEDA violator and thus causing reputational harm, the regulator does not have the clout provided by other data protection laws.
California has a much stricter approach: Consumers have a private right of action, that is to say, the right to pursue an enterprise for civil or collective liability for breaches of security obligations. The CCPA also provides for penalties of up to $7,500 USD per intentional violation; and $2,500 USD for unintentional violations, if the company fails to cure such violation within 30 days of notice.
Importance of a Compliance Program
If your company handles the personal information of California residents, you could be at risk of fines or civil actions by consumers if you don’t take the necessary steps to comply with the CCPA. California resident need not prove damages to claim compensation.
As the Internet allows you to do business with consumers and businesses around the world, it’s becoming increasingly important to verify that your data management and e-marketing practices meet regulatory requirements, such as those soon to be introduced by the CCPA.
For assistance with your CCPA compliance obligations as a Canadian entity, contact PRIVATECH.