At the start of 2020, the California Consumer Privacy Act, or CCPA, came into effect and quickly became one of the most comprehensive and stringent privacy laws in the US to date. The main purpose of the CCPA is to provide California residents with rights and protections in respect of their personal information. As a result, the CCPA applies to certain businesses located outside of California that collect and use the personal information of Californian consumers.
What is the CCPA?
The CCPA provides California residents (also called consumers) with a variety of rights regarding any of their personal information that is held by a business. Some of these rights will be familiar to BC businesses, such as the right of an individual to request a business to disclose what personal information the business holds about them. However, some of the rights given to consumers are not requirements under BC law, including:
- the right to request a business to delete any personal information about the consumer that the business has collected from the consumer (often called the right to be forgotten);
- the right to request details about any sale of the consumer’s personal information by the business. In this context, “sale” is a very broad concept which includes selling, renting, leasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration; and
- the right to opt-out of the sale of any personal information, which requires businesses to include a “Do Not Sell My Personal Information” link on their website to assist consumers to exercise this right.
The CCPA also requires businesses to meet certain standards for their privacy policies, including content requirements, and specifies when “just-in-time” collection notices are required.
Also, unlike BC and Canadian federal privacy laws, the CCPA provides California residents with a private right to take legal action against a business for data breaches involving their personal information where the business failed to implement and maintain reasonable security procedures. Consumers may claim between $100 and $750 per violation without proof of damages, the amount of their actual damages and/or injunctive or declaratory relief.
Does the CCPA apply to my business in BC?
The CCPA applies to any business that operates for profit, collects the personal information of California residents, does business in California, and falls within one or more of these three categories:
- has at least $25 million in annual revenue;
- buys, receives, sells or shares for commercial purposes the personal information of at least 50,000 California residents, households or devices; or
- generates at least half of its revenue from selling the personal information of California residents.
Businesses that control or are controlled by a business that falls within the above description are also subject to the CCPA.
However, there are a number of exceptions from the CCPA. For example, it does not apply to the collection or sale of a California resident’s personal information if the commercial conduct takes place wholly outside of California, such as where a hotel in BC collects personal information from a Californian guest who stays at the hotel.
So, if your business meets the above criteria and does not qualify for one of the exceptions, you may have obligations under CCPA.
Why is this important now?
Since January 1 of this year, California residents have been able to enforce their private right of action, which has led to a number of class action lawsuits against businesses. However, the private right of action is restricted to a narrow set of circumstances: a data breach resulting from a business’s failure to implement and maintain reasonable security procedures.
However, on July 1, 2020, the Attorney General of California will start enforcing the CCPA. The Attorney General’s enforcement rights extend to any violation of the CCPA, which could include a failure to provide a “Do Not Sell My Personal Information” link on a website, non-compliant privacy policies or a failure to appropriately respond to a consumer request.
The Attorney General is required to provide businesses with notice of any violation, and a period of 30 days to cure the noncompliance. Businesses that fail to cure the noncompliance may face civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation.
What should my business do to prepare?
If your BC business operates or sells goods or services to consumers in California, you will want to carefully consider whether CCPA applies, seeking the assistance of qualified privacy counsel and subject matter experts as necessary.
If the CCPA does apply to your business, one of the first steps that your business should take is to map the flow of personal information to better understand what information you collect, where it is stored and who it is shared with. Once you have an understanding of these data flows, a thorough review of your business policies and procedures should be undertaken to ensure compliance with the CCPA requirements. And while you are updating your business’s privacy policy for CCPA compliance, you may want to ensure that it still complies with local privacy laws and accurately reflects any changes in how your business handles personal information since the policy was last updated.