On June 29, 2018, California passed the California Consumer Privacy Act 2018 (the “CCPA”) which will come into effect on January 1, 2020. The CCPA is aligned with the European Union’s recent General Data Protection Regulation (the “GDPR”), showing emerging harmonization between North America and Europe.
Our analysis on the application of GDPR to Canadian businesses can be found here, and below is a summary of the CCPA’s main provisions that create further accountability for Canadian companies processing personal data while conducting business in the state of California.
Application of the CCPA
The CCPA applies to a for-profit entity that collects the personal information of California residents and that meets one or more of the following thresholds: (1) has gross annual revenue of $25 million or more; (2) annually holds the personal data of at least 50,000 consumers, including households and devices, together or separately; (3) generates at least half of its revenue from the sale of personal data (paragraph 1798.140). In addition, any entity that controls or is controlled by a business that meets one of the three criteria above will also be subject to the CCPA (paragraph 1798.140(c)(2)).
What information is owned by the consumer?
The CCPA includes an expanded definition of personal information. Paragraph 1798.140(o)(1) states that consumers own “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.
In addition to expected data identifiers like name, address, Social Security number, and driver’s license number, paragraph 1798.140(o)(1) goes on to list additional types of data that constitute personal information. Some examples in this non-exhaustive list are:
- commercial information, such as records of personal property and other products acquired or services contracted, and other consuming tendencies;
- biometric information;
- internet information, such as browsing and search history;
- geolocation data;
- inferences drawn from pre-existing data to create a consumer profile of preferences, characteristics, psychological trends, predispositions, behavior, intelligence, abilities, and aptitudes;
- professional or employment-related information;
- education information; and,
- audio, electronic, visual, thermal, olfactory, or similar information that can be reasonably linked to a particular consumer.
Other rights and protections for consumers
The CCPA sets forth several rights and protections for consumers including:
- paragraph 1798.115(a) entitles consumers to notice of the sale of their personal data to third parties or the disclosure of their personal information for business purposes.
- paragraph 1798.120(a) allows consumers the “right to opt out” of having their personal information sold to third parties. To this end, paragraph 1798.135(a) requires a company to provide a clear and obvious “Do Not Sell My Personal Information” link on its website to facilitate the opt-out.
- paragraph 1798.110(a) entitles consumers to request and obtain prompt access to their personal information in the company’s data inventory. Consumers also have the right to understand how their personal data is being used and to whom personal data has been provided.
Importantly, the CCPA also provides protections against discrimination for consumers who object to the commercialization of their personal data. In practice, this means that, to those consumers who opt-out of the sale of their personal information, a business cannot (1) refuse to provide goods or services to the consumer; (2) apply different prices or rates for goods or services by way of discounts, benefits or penalties; (3) provide lesser quality of goods or services; or (4) suggest that better prices or rates for goods or services, or better quality of goods or services will be offered to the consumer who consents to the use and disclosure of personal information (paragraph 1798.125(a)(1)).
Further, the CCPA creates special rules for minors, prohibiting the sale of personal information of consumers under 16 years old. Minors aged 13 to 16 years old must affirmatively consent to have their personal data sold to a third party. If the consumer is under 13 years old, consent must be received from the minor’s parent or guardian. In addition, entities processing data will have to put into place special opt-in systems to avoid violations (paragraph 1798.120(d)).
Paragraph 1798.145(a)(5) provides that the law does not restrict a business’s ability to “[c]ollect, use, retain, sell, or disclose consumer information that is de-identified or in the aggregate consumer information”. Similarly, the CCPA does not restrict how an entity can “[c]ollect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California”, according to paragraph 1798.145(a)(6).
Further, paragraph 1798.145(c) states that the law does not apply highly sensitive and confidential health information covered by the Confidentiality of Medical Information Act or governed by the Health Insurance Portability and Accountability Act (HIPAA). Similarly, this law does not cover personal information managed by financial institutions pursuant to the federal Gramm-Leach-Bliley Act per paragraph 1798.145(e).
Statutory Damages and Financial Penalties
Paragraph 1798.150 prescribes the right to bring a civil action for statutory damages in defined situations of security breaches as a result of businesses, such as unauthorized access or disclosure, exfiltration, or theft of data. In these instances, the CCPA does not set forth any explicit requirement as to the proof of actual injury to the consumer, allowing the consumer to seek, in addition to injunctive or declaratory relief, damages in the amount of $750 per consumer per incident or actual damages, whichever is greater.
As far as enforcement is concerned, the CCPA prescribes the following sanctions for an company deemed to be in breach of the law: (a) a financial penalty up to $2,500 per violation that the company has failed to remedy within 30 days of being notified (paragraph 1798.155(a)); and (b) up to $7,500 for each intentional violation where applicable (paragraph 1798.155(b)). The CCPA provides that 20 percent of the penalty funds collected under this rubric will form a Consumer Privacy Fund with a view “to fully offset any costs incurred by the state courts and the Attorney General in connection with this title” (paragraphs 1798.155(c) and 1798.160).
Canadian companies operating cross-borders should proactively get acquainted with the new global landscape on data privacy laws. Understanding what information in the company’s data inventory may be captured by the laws of other jurisdictions is key to managing data safely and effectively, as well as avoiding costly litigation in the future.