As of January 1, 2020, organizations around the world who process personal data of California residents will be required to comply with the new provisions of the California Civil Code, as amended by the California Consumer Privacy Act of 2018 (the “Act”). The Act, which was passed on June 28, 2018, sets strict standards for the collection and processing of personal data of California residents.
Who and What Does the Act Cover?
The Act covers the personal information of "consumers", which is defined as any natural person who is a California resident. The term "personal information" is broadly defined as "any information that … relates to … a particular consumer or household." An important exception to this broad definition is "publicly available information." However, this exception does not include de-identified consumer information, aggregate consumer information, biometric information or data that is used for a purpose not compatible with the purpose for which it is publicly maintained.
Who Must Comply with the Act?
Regardless of where it is located, an organization that does business in the State of California and collects personal data from California residents will be required to comply with the Act if it meets any of the following criteria: (i) its annual revenue exceeds US$25,000,000.00, regardless of how much of that revenue comes from California; (ii) it buys, receives, sells or shares the personal information of at least 50,000 California residents annually; or (iii) it derives 50% of its annual revenues from selling California residents’ personal information.
An organization without a physical presence or affiliate in California may not be caught under the Act if its "commercial conduct takes place wholly outside of California." However, because the broad definition of personal information includes "online identifier Internet Protocol [IP] address" and "other similar identifiers," the net is cast very wide and could easily catch non-American companies with online traffic from California. Similarly, the broad definition of "selling", which includes "any disclosing or making available for monetary or other valuable consideration," could mean that many small online retailers that depend on advertising revenue may also find themselves caught by the legislation, even if their website does not itself use visitor information. These broad definitions could therefore make it difficult for an organization to guarantee that none of its commercial activities take place in California.
What Privacy Rights Do Individuals Have?
The Act gives the following five privacy rights to individuals: (i) the right to know; (ii) the right of access and data portability; (iii) the right to be forgotten; (iv) the right to opt out of the sale of their personal information; and (v) the right to equal service and price.
What Penalties Do Companies Face for Non-compliance?
The Act provides for penalties of up to US$7,500.00 per occurrence of intentional violation. For unintentional violations that remain uncured beyond the 30-day notice period, penalties of up to US$2,500.00 per violation may be imposed under Section 17206 of the California Business and Professions Code.
In the event of a data security breach or theft giving rise to a class action, the Act provides that an organization could be ordered to pay the greater of: (i) statutory damages of between US$100.00 and US$750.00 per California resident and per incident; or (ii) the actual damages, in addition to any other relief the court deems appropriate.
Key Recommendations for Organizations
Canadian organizations that collect or process personal information of California-domiciled individuals should assess whether they are likely to be caught under the Act. If so, they should consider the following recommendations in order to ensure compliance by January 2020:
- Track and categorize all data gathered on the personal information of California residents and how it is used. Then make available designated methods for submitting data access requests, including, at a minimum, a toll-free telephone number.
- Consider a California-only site, and consider charging for formerly free services for residents who reject the usual forms of data monetization.
- Update privacy policies with newly required information, including a description of California residents’ rights.
- Include a clear and easily visible link on websites enabling users to opt out of the sale of their personal information.
- Implement new systems and processes in order to, among other things, verify the age, identity and authorization of persons who make requests for data access, deletion or portability and respond to requests for data access, deletion and portability within 45 days.
Many Canadian organizations may have already gone through similar steps during the drive to compliance with the EU’s General Data Protection Regulation (“GDPR”), which came into effect in May of this year. In many ways, the Act is a “light” version of the GDPR but overall follows the global trends towards more stringent privacy laws governing how organizations collect and process an individual’s data.
The authors would like to thank summer student Elsir Tawfik for his assistance with the preparation of this article.