This is Part 2 of a blog series with tips for Canadian marketers to understand and comply with the California Consumer Privacy Act (CCPA). See Part 1 to find out who the law applies to, and what penalties could be levied once enforcement begins July 1, 2020.
Audit your personal information practices relating to California residents
Canadian organizations subject to the CCPA should do an audit of their personal information practices, making sure they have a clear understanding of how they are using, collecting and sharing the personal information of California residents, including in their dealings with third parties and through web tracking and cookies. This will form the basis of a comprehensive compliance plan that addresses the CCPA's requirements.
Know the differences between Canadian and Californian law
Canadian businesses that are already in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s privacy law governing commercial activities, will have a foundation for compliance with the CCPA in some respects. However, being PIPEDA-compliant does not guarantee that you are CCPA-compliant.
Here are some of the key rights and obligations of the CCPA that Canadian organizations should be aware of, and how they stack up against Canadian law:
- Right to know: Like PIPEDA, the CCPA requires organizations to be transparent about their personal information practices. However, the CCPA is stricter about what information it requires organizations to provide to individuals at the time of collection and in their privacy policies (which the CCPA stipulates must be updated on at least an annual basis). The CCPA gives consumers the right to know:
- what personal information an organization is collecting,
- where it was sourced from,
- why it is being collected, and
- whether (and to whom) it is being disclosed or sold.
Canadian organizations should review these requirements and update their data inventories as necessary.
- Right to access: Both laws give consumers the right to access the personal information an organization holds about them. Unlike PIPEDA, however, the CCPA does not carve out exceptions to this right. When a request is made under the CCPA, organizations are required to provide records covering the 12-month period preceding the date of the request.
- Right to erasure: The CCPA gives individuals the right to request that an organization (and, by extension, its service providers) delete their personal information, subject to a few exceptions. Canadian law contains no such general right, although organizations may only retain personal information for as long as necessary to fulfil the purposes for which it was originally collected.
- Right to portability: The CCPA offers the right to data portability through which consumers can receive their information in a structured, commonly used format to transmit it to another entity or service provider. PIPEDA does not include a similar right at this time.
- Right to equal service: PIPEDA prohibits organizations from requiring an individual to consent to the collection, use, or disclosure of information beyond what is required to fulfil specified and legitimate purposes. Under the CCPA, businesses may not generally discriminate against a consumer for exercising any of their privacy rights, such as by charging a different price, or providing a different level or quality of goods or services. However, a business may do so if the difference is "reasonably related to" the value provided by the consumer's data. If consumers are offered a financial incentive to provide personal data, they must expressly opt in to the program and be able to opt out at any time.
- Handling individual complaints and inquiries: PIPEDA requires that a simple and easy-to-use complaints procedure be in place. The CCPA takes this one step further by requiring that two or more designated communication methods be available to consumers, such as a toll-free telephone number and a website address. Organizations must respond within 45 days of receiving a verifiable request, at no cost to the individual.
Want to know how Canada’s privacy and anti-spam laws compare with the GDPR as well as CCPA? CMA members can read and download our comparison chart here.
Develop a CCPA compliance plan
Canadian organizations should adjust their policies and practices to account for the CCPA’s new (or more prescriptive) rights and obligations. This will include updating websites and privacy policies to comply with new transparency and notice requirements, and training staff to respond to consumer enquiries and complaints.
The CCPA also has significant implications for agreements with third parties, especially if personal information is being sold to them. Organizations should determine which vendors qualify as third parties under the CCPA, and update their contracts based on the CCPA's specific requirements. Third parties that paid for information will need to design processes to accommodate consumer requests to opt out of its sale, and to provide for the deletion of that data.
Stay tuned for the final CCPA regulations
CCPA regulations are still being refined by the California Office of the Attorney General, and you can see the latest version, released February 10, 2020, here. Organizations should plan to adjust their compliance plans to reflect any changes in the regulations expected this spring. The CMA will be publishing a guide to help members comply with the final regulations.
Please note this blog provides general information. Organizations are encouraged to consult the California Office of the Attorney General’s website here and seek independent legal advice for specific questions about the law and its application.
Author: Fiona Wilson | Director, Government Relations @ CMA
Questions or comments? E-mail us – we want to hear from you.