Until recently, the United States was lagging behind in the protection of personal information. So it was a great surprise that on June 28, California adopted the California Consumer Privacy Act (CCPA), which will come into force in January 2020.
And like all new laws of this type, its application goes beyond borders and therefore concerns Canadian companies that have customers in California. The good news is that companies that do not meet any of the criteria below are not affected at this time.
The CCPA applies to any organization that has personal information of California residents and that:
- Has gross annual revenues greater than $25 million USD;
- Buys, receives, sells or shares the personal information of more than 50,000 California residents;
- Earns 50% or more of its annual revenue by selling information of California residents.
COMPARISON WITH PIPEDA
The California law is similar in many respects to Canadian law, the Personal Information Protection and Electronic Documents Act (PIPEDA), but it also diverges from it in many others. Compliance with PIPEDA is therefore not sufficient to comply with the CCPA.
Here are the main differences:
Right of access: Both statutes contain the right for consumers to be informed of the existence and use of their personal information and to have access to it. However, unlike Canadian law, California law does not provide an exception to this right that would allow a business to deny access to a consumer.
Right to erasure: Under Canadian law, organizations may retain personal information as long as it is necessary for the purpose for which it was collected, which implies the right of the consumer to request the deletion of the information once the goals are fulfilled. At first glance, the California law offers a broader right to request that information be removed, period. However, it provides for several rather vague exceptions which diminish the scope of the right and thus make it similar to that of PIPEDA.
Right to portability: Unlike the Canadian law, the California law provides for the right to data portability, that is, consumers have the right to receive their information in a structured, commonly used format that lets them transmit the data to another entity without interference from the original entity.
Consent: The California law does not place much importance on consent, unlike the Canadian law, which bases the lawfulness of collection on the consumer's consent, either implicit (opt-out) or opt-in. The CCPA, however, gives Californians the right to opt out of the sale of their personal information. This right, therefore, requires organizations to include on their website a clear link to a form for such an opt-out.
Anti-Discrimination: Both Acts contain provisions prohibiting organizations from requiring consumers to consent to the collection of their information for the purpose of obtaining goods or services or having them at a given price. The California law is more flexible because it allows organizations to offer discounts to individuals consenting to the collection or use of their information.
Applications: While the Canadian law requires organizations to have accessible and easy-to-use complaints procedures, the California law requires at least two forms of communication: a toll-free telephone number and a website.
In Canada, the Privacy Commissioner does not have the power to impose fines for contraventions of PIPEDA and consumers do not have a private right of action.
California, on the other hand, has been much stricter in enforcing its law: consumers have a private right of action, that is to say, the right to sue a business in a civil or class action for breaches of security obligations, without having to prove any damage.
The CCPA also provides for penalties of up to $7,500 USD per violation.
THE IMPORTANCE OF A COMPLIANCE PROGRAM
If your company collects or holds personal information of California residents, you may be subject to the CCPA even if you comply with Canadian law. This puts you at great risk of civil actions by consumers, as they do not have to prove damages to claim compensation.
As the Internet allows you to trade with consumers and businesses around the world, it’s becoming increasingly important to verify that your data management and e-marketing practices meet regulatory requirements.
Do not hesitate to speak with a Certimail advisor to see if you are affected by this new legislation.