With its extraterritorial reach and potential for hefty fines, the California Consumer Privacy Act (CCPA), which came into effect on January 1, 2020, will have a significant impact on some Canadian organizations.
In Part 1 of this two-part series, we provide an overview of who the law applies to, and the consequences of the law. Part 2, which will be published in two weeks, will provide an overview of the CCPA’s rights and obligations, and tips for compliance.
Who does the law apply to?
To be subject to the CCPA, you must be a for-profit organization doing business in California or collecting the personal information of California residents.
Even if you have no presence in California, if you’re a Canadian organization conducting business online and collecting the personal information of California residents, you might fall within the law.
Your business must comply with the CCPA if one or more of the following criteria is met:
- generates more than US$25M in gross annual revenues,
- buys, receives, sells or shares the personal information of more than 50,000 California residents annually, or;
- derives at least 50% of its annual revenues from selling the personal information of California residents (defined as households or individuals).
Note that the CCPA also applies to any entity that "controls or is controlled by" a covered organization.
What are the consequences of non-compliance?
Enforcement of the CCPA is set to begin July 1, 2020 by the California Attorney General, which may issue fines of up to $2,500 USD per violation (if an organization does not cure that violation within 30 days of notice), or up to $7,500 USD per violation for intentional violations (in addition to the original $2,500 USD penalty).
In the case of data breaches, consumers in California have a private right of action, either individually or as a class. This means they’re able to sue an organization for the unauthorized access, theft or disclosure of their sensitive personal information as a result of an organization's failure to implement and maintain the required reasonable security measures.
The law allows for statutory damages of $100 to $750 USD per individual per incident or actual damages, whichever is higher. Since consumers do not have to prove damages to claim compensation, this could have substantial impact on organizations.
This differs quite significantly from the enforcement of Canada’s privacy law (PIPEDA) in that the Privacy Commissioner of Canada cannot issue binding orders or fines without taking the case to the Federal Court, and there is no private right of action.
Final regulations are expected this spring, and enforcement is slated to begin July 1, 2020. If the CCPA applies to your organization, you should review how you are using, collecting, and sharing the personal information of California residents. Once final regulations are released, you should work with your legal or regulatory teams to finalize a compliance plan as early as possible.
Please note this blog provides general information. Organizations are encouraged to consult the California Office of the Attorney General’s website here and seek independent legal advice for specific questions about the law and its application.
Visit us in two weeks for Part 2 of this blog series, with an overview of the CCPA’s rights and obligations, and tips for compliance.
Author: Fiona Wilson | Director, Government Relations @ CMA
Questions or comments? E-mail us – we want to hear from you.