What Canadian Businesses Need to Know about the California Consumer Privacy Act

Come July 1, 2020, Canadian entities caught under the California Consumer Privacy Act (CCPA) will need to comply with proposed regulations that were recently issued by the Attorney General’s office.

The draft rules clarify the intended interpretation of the CCPA and create new substantive requirements with which businesses must comply. The draft regulations are open for public comment until December 6, 2019, and final rules are not expected until the spring of 2020.

BACKGROUND TO THE CCPA

The CCPA is the first U.S. state law to incorporate GDPR-like data protection duties on certain entities conducting business in California. Set to take effect on January 1, 2020, the law grants California residents new rights to know what personal information about them businesses hold, to access and delete that information, and to opt-out of a sale by the business of their personal information.

Businesses are also prohibited from discriminating against a consumer because they exercised their rights under the CCPA. For example, a business cannot provide a lower quality of service to a consumer who has opted out of the sale of their personal information unless the difference reasonably relates to the value provided by the consumer’s personal information. Businesses may, however, provide financial incentives to individuals to provide their personal information if the incentive is disclosed and the consumer consents.

IMPACT ON CANADIAN BUSINESSES

The CCPA and its regulations apply to entities (and entities that control or are controlled by a business) that do business in California and meet at least one of the following thresholds:

  • Has annual gross revenues in excess of US$25-million
  • Holds data containing personal information of 50,000 or more Californian consumers, households, or devices
  • Derives 50 per cent or more of its annual revenues from selling consumers’ personal information.

Jurisprudence on “doing business” is well established, and the term will likely apply to companies that sell goods or services in California, even if the business is not physically located in the state. The CCPA defines “consumer” to mean a California resident. Therefore, a Canadian entity with gross revenues in excess of US$25-million that serves Californians, even if it is not physically present in the state, will be subject to the CCPA.

Canadian businesses should also note that the CCPA definition of personal information is expansive and specifically includes identifiers, such as real names and IP addresses, customer records, protected classifications, such as race or religion, purchase history, biometrics, network activity, location data, data from sensors, such as thermal recordings, employment history, education history, and inferences drawn from any of these types of information. 

NEW REQUIREMENTS IN DRAFT REGULATIONS

The draft regulations establish four types of notice that must be provided to consumers under the CCPA. Businesses must provide:

  1. Notice at or before collection of personal information
  2. Notice of the right to opt-out of the sale of personal information
  3. Notice of any financial incentives offered to consumers
  4. A privacy policy

Each of these notices is distinct and cannot be delivered through a single privacy policy. Further, all four notices must be written in plain, non-technical language, using a format that noticeably draws the users’ attention to the specific notice, be accessible to consumers with disabilities (at least by providing an alternative format), and be provided in all languages in which the business provides “contracts, disclaimers, sale announcement, and other information to consumers.” The draft regulations provide further detail on the specific content required in each notice, and examples of each. For instance, the regulations specify that if a business engages its consumers substantially offline, notice of the consumer’s right to opt-out of the sale of their personal information should be provided in print on any forms that are used to collect personal information.  

The regulations also outline the processes a business must follow when it receives a request from a consumer to know about the business’s collection practices, to access or delete their personal information, or to opt-out of the sale of their personal information. These rules include record-keeping requirements and training for employees about the requirements of the CCPA.  

TIPS ON COMPLYING WITH THE CCPA

Canadian businesses that went through a GDPR compliance program may have certain processes and procedures in place that will help with CCPA compliance. However, businesses should be careful to ensure their data protection practices specifically comply with the CCPA as there are requirements under the CCPA that are distinct from those provided for in the GDPR. A business can face a penalty of up to US$2,500 under the CCPA, with intentional violations carrying a US$7,500-fine per incident, subject to a 30-day cure period. More importantly, there is a private right of action under the CCPA, which increases the risk of class action litigation.

To prepare for the CCPA, Canadian businesses with operations in California should consider whether they meet the revenue or customer data thresholds for the CCPA to apply. If the CCPA applies, businesses should map their data flows to understand when and where personal information is collected, review contracts with service providers to ensure that any data transfer is not caught within the broad definition of “sell” under the CCPA, and ensure customer databases are structured in a way that makes it easy to access and audit personal information. Canadian businesses can also get ahead by developing the required privacy notices, processes for responding to access and deletion requests, and an employee training regime.  In some cases, Canadian business may already be “ahead of the curve” compared to their U.S. counterparts in that their compliance with Canadian privacy requirements (such as right of access, correction, consent withdrawal and notice requirements) likely gives them a strong foundation for complying with the CCPA. 

For further information, please contact:

Imran Ahmad                416-863-4329
Wendy Mee                  416-863-3161
Ellie Marshall                416-863-3053

or any other member of our Privacy group.

Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue.

We would be pleased to provide additional details or advice about specific situations if desired.

For permission to reprint articles, please contact the Blakes Client Relations & Marketing Department at communications@blakes.com. © 2019 Blake, Cassels & Graydon LLP