California Consumer Privacy Act — Preparing for Compliance

The California Consumer Privacy Act (CCPA) is coming into force in less than two months, on January 1, 2020. The CCPA has an extraterritorial scope, as discussed below in section 1, which means that certain Canadian organizations may be covered by the statute. In order to comply with the law, these organizations will need to observe new transparency requirements (such as by adding specific notices on their websites and revising their privacy policies), adjust their practices to respond to new consumer privacy rights and adjust their contracts with service providers.

As opposed to the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides for monetary penalties only in limited circumstances¹ and does not provide a private right of action,² non-compliance with the CCPA can result in important monetary penalties:

• Penalties: The CCPA enables the Attorney General of California to launch a civil action against businesses who fail to remedy violations of the CCPA within a prescribed delay.³ The Attorney General may seek penalties up to US$2,500 per unintentional violation and up to US$7,500 per intentional violation of the CCPA;⁴ and
• Civil right of action for data breaches: The CCPA also provides consumers with a right of action to institute a civil action against businesses for data breaches. Consumers may recover damages in an amount between US$100 and US$750 per incident, or their actual damages, whichever is greater.⁵

Even with the CCPA coming into force in the near future, the California Legislature is still, to this day, adopting amendments to the statute. In addition, on October 10, 2019, the Attorney General of California released draft regulations for the CCPA, which provide further guidance with respect to the various rights and obligations of consumers and businesses under the Act.⁶

In this bulletin, we are providing key steps that Canadian organizations should follow to comply with the CCPA in its current form.

1. Determine if you are covered by the CCPA

The CCPA regulates for-profit organizations (i) doing business in California,⁷(ii) collecting personal information about California households and consumers (essentially defined as California residents) and (iii) that either:

• have annual gross revenues in excess of US$25 million;⁸
• buy, receive, sell, or share the personal information of more than 50,000 California residents yearly; or
• derive 50 per cent or more of their annual revenues from selling the personal information California residents.

The CCPA defines “selling” as a communication of a consumer’s personal information to another business or third party for a monetary value or other valuable consideration. While there are uncertainties around the scope of the notion of “sale”, many commentators have noted that it is broadly defined and that a website placing third-party advertisement cookies would be “selling” personal information. This would mean that if such website is visited by 50,000 California residents every year (an average of less than 150 per day), the organization would be subject to the CCPA, regardless of its annual revenues.

Under the CCPA, “consumers” include employees. However, the CCPA will only apply to the personal information of employees in a limited fashion prior to January 1, 2021. Until that date, with respect to employees, businesses must only comply with the Notice at Collection requirements (detailed in the Appendix) and employees do not have other rights under the CCPA,⁹ except the private right of action for data breaches.

2. Have processes in place to allow California consumers to exercise their rights under the CCPA and provide them with the required notices of these rights (including on your website)

The CCPA introduces new consumer rights that we have described in more detail in the Appendix. Below, we have summarized these rights in relation to corresponding rights under PIPEDA, if any.

Right	Consistency with PIPEDA
Right to know about the collection of personal information (PI)	On the consumer’s request, organizations must provide specific information about the personal information collected about the consumer, sold to third parties or disclosed to a service provider. This right is similar to PIPEDA’s access right, but the CCPA and the Proposed Regulations are very specific about the information that must be provided and it does not entitle an individual to obtain a copy of the actual documents (although there is an access right, as mentioned below).
Right to know about the sale of PI
Right to opt out of the sale of PI	This right is in certain ways similar to the right to withdraw consent under PIPEDA, but limited to the “sale” of personal information. Businesses must post a “Do Not Sell My Personal Information” link on the homepage of their websites.
Rights of access and portability	The right of access is similar to the right of access under PIPEDA, although the statute does not provide any exceptions. PIPEDA does not include a similar right for now, but the government of Canada’s recent Digital Charter suggests that it be amended to include a “data mobility” right.10 There is a data portability right under the European General Data Protection Regulation (GDPR).
Right to opt in to the sale of PI for children	There is no similar right under PIPEDA, but the 2018 Guidelines for obtaining meaningful consent address how organizations should obtain consent from children.
Deletion right	PIPEDA does not include a similar right for now, but the government of Canada’s recent Digital Charter suggests that PIPEDA be amended to include a deletion right.11 This right is similar do the GDPR’s right to erasure. We note that it includes many exceptions, some of them similar to the GDPR.
Right not to be discriminated against	This right may be compared to PIPEDA’s prohibition to require an individual to consent to the collection, use, or disclosure of information beyond what is required to fulfil the explicitly specified, and legitimate purposes. However, the CCPA provides more specific requirements.

3. Transparency requirements: Notice of Collection and Privacy Policy

Like PIPEDA, the CCPA requires organizations to be transparent with respect to their practices involving personal information. However, the CCPA is far more prescriptive in terms of details that organizations must provide to individuals. The CCPA refers to two similar concepts: the notice at collection¹² and the privacy policy.¹³ According to the Proposed Regulations, the notice at collection may be included in the privacy policy.¹⁴

a. Notice at Collection

The CCPA provides that at or before the point of collection, a business that collects personal information from consumers must provide them with a notice containing:

• a list of the categories of personal information to be collected; and
• the purposes for collection with respect to each category of personal information.

The business shall not collect additional categories of personal information or use personal information for additional purposes without providing the consumer with further notice.

Under the Proposed Regulations, businesses must ensure that the notice is easy to read and understandable to an average consumer. To that end, the Proposed Regulations enumerate various requirements.¹⁵ Most notably, the notice must be made visible or accessible in a place where consumers will see it before any personal information is collected, for instance by posting a link to the notice on a website’s homepage.¹⁶

It is worth noting that under the Proposed Regulations, businesses that do not collect personal information directly from consumers are not required to provide a notice at collection. However, they are subject to different requirements in the event that they decide to sell personal information of those consumers’ personal information.¹⁷ While the obligations under the CCPA are more specific and limited to particular circumstances, they are comparable to the obligations under PIPEDA for organizations who rely on the consent obtained by the third party that has the direct relationship with the individuals.

b. Privacy Policies

Businesses should review their external privacy policy to ensure that it includes all information required by the CCPA. Under the CCPA,¹⁸ privacy policies must be updated at least every 12 months and detail:

• One or more designated methods for submitting requests permitted under the CCPA.¹⁹
• A description of the following rights:²⁰
• right to know about the collection of personal information;
• right to know about the sale of personal information;
• right not to be discriminated against; and
• right to opt out of the sale of personal information and a link to the “Do Not Sell My Personal Information” webpage.
• The categories of personal information collected by the business in the preceding 12 months.²¹ Under the Proposed Regulation, privacy policies must also include the categories of sources from which these categories of personal information were collected, the purposes for which these categories of personal information will be used, instructions for submitting a request to know and relevant links to an online form or portal.²²
• A list of the categories of personal information it has sold about consumers in the preceding 12 months (if the business has not sold consumers’ personal information in the preceding 12 months, it shall disclose that fact).²³
• A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months (if the business has not disclosed consumers’ personal information for a business purpose in the last 12 months, it shall disclose that fact).²⁴

Under the Proposed Regulations, the privacy policy must detail:

• Whether the business sells the personal information of minors under 16 years of age without Affirmative Authorization²⁵and the processes for opting-in to the sale of personal information of minors under 16 years of age²⁶; and
• An explanation that the consumer has a right to request the deletion of their personal information, instructions for submitting a request and links to an online request form or portal for making the request, and a description of the process the business will use to verify the consumer request.²⁷

4. Revise Your Vendor Agreements

Businesses that engage the services of vendors to handle personal information must enter into contracts using specific language if they want to shift liability to the vendor for any violations of the CCPA caused by the vendor. This is different than under PIPEDA’s accountability principle, according to which organizations remain accountable for personal information transferred to a third party for processing, and which requires organizations to enter into contracts ensuring that service providers will adequately protect the information.²⁸

The language required to shift liability will depend on the type of vendor to whom personal information is disclosed. Indeed, there are two types of vendors under the CCPA: (i) “service providers” and (ii) “persons” excluded from the definition of “third party.” While both types of vendors have the same fundamental feature, that is they both process personal information on behalf of a business pursuant to a written contract²⁹, they differ with respect to the nature of the entity providing those services and the types of contractual limitations that must be imposed in order to shift liability onto the vendor.

Under the CCPA, “persons” are more broadly defined than “service providers.” Indeed, while the former includes a broad array of entities such as individuals and “any other organization or group of persons acting in concert,”³⁰ the latter is circumscribed to limited types of organizations.³¹

A written agreement with a “service provider” must merely prohibit the service provider from retaining, using or disclosing the personal information for a purpose unrelated to the services being rendered or as otherwise permitted by the CCPA.³²

With respect to “persons” excluded from the definition of “third party,” to validly shift liability onto these vendors, businesses must ensure that their written contracts include the following clauses:³³

• prohibition from selling the personal information;
• prohibition from retaining, using or disclosing the personal information for a purpose unrelated to the services being rendered;
• prohibition from retaining, using or disclosing the personal information outside of the direct business relationship between the parties; and
• certification by the person receiving the personal information that they understand the aforementioned restrictions, and will comply with them.

Once these conditions are met, liability for the vendor’s actions in breach of the restrictions imposed under the CCPA shifts to the vendor.³⁴ As such, the vendor is solely liable unless the disclosing party had actual knowledge or a reason to believe, at the time the personal information was disclosed, that the vendor intended to commit such violations.³⁵

Conclusion

It is likely that many Canadian organizations conducting business online will be subject to the CCPA if they collect personal information about California residents. These organizations should take note of the various requirements of the CCPA and establish a plan to reach compliance. Businesses collecting personal information from California residents must also bear in mind that the private right of action for data breaches includes statutory damages without proof of harm and that the California Attorney General has broader enforcement rights under the CCPA than the OPC has under PIPEDA.

Organizations should also keep in mind that the CCPA may still be amended before coming into force and that the Proposed Regulations are likely to change before become final, and should therefore closely follow the developments.

Appendix

Consumer right	Corresponding obligations for businesses	Methods to exercise the right / Notice requirements
Right to know about the collection of PI36	Upon a consumer’s request, a business that collects a consumer’s PI must disclose to that consumer: the categories37 and specific pieces of PI the business has collected. “Categories and specific pieces” of PI arguably refer to a summary of the PI collected rather than the underlying raw data (which is covered by the access right discussed below); the sources from which the PI is collected; the purposes for collection; and the categories of third parties with whom PI is shared (this would cover sharing (disclosure under PIPEDA’s terminology) that are not sales and not made to a vendor).38 Businesses must respond free of charge within 45 days of having received a verifiable request.	Businesses must make available at least two methods for submitting requests, including a toll-free telephone number. However, where a business operates exclusively online and has a direct relationship with consumers, it may only provide an email address instead.39 In any event, it must also provide a website address (if the business maintains a website).40
Right to know about the sale of PI or disclosure of PI for a business purpose41	Upon a consumer’s request, a business that sells PI must disclose to that consumer, for the last 12 months: the categories of PI the business sold about the consumer; and the categories of third parties to whom PI was sold (by category of PI for each third party to whom the PI was sold). Upon a consumer’s request, a business that discloses a consumer’s PI for a business purpose must disclose to that consumer, for the last 12 months: the categories of PI the business disclosed about the consumer for a business purpose (note that disclosing PI for a business purpose generally refers to vendor arrangements).	Businesses must make available at least two methods for submitting requests, including a toll-free telephone number. However, where a business operates exclusively online and has a direct relationship with consumers, it must provide an email address instead.42 In any event, it must also provide a website address (if the business maintains a website).43
Right to opt out of the sale of PI44	At a consumer’s request, a business must stop selling a consumer’s PI unless the consumer subsequently provides express authorization.	Businesses must post a clear and conspicuous “Do Not Sell My Personal Information” link on their website homepage (or on a specific webpage for California consumers) that links to a webpage enabling a consumer to opt out of the sale. Under the Proposed Regulations, this page must include a notice of the right to opt out of the sale of PI, which must include, most notably:45 a description of the right to opt out; the web form or other method by which a consumer may submit their request to opt out; and a link to the business’ privacy policy. Under the Proposed Regulations, businesses must ensure that the notice is easy to read and understandable to an average consumer. To that end, the Proposed Regulations enumerate various requirements.46 Under the Proposed Regulations, businesses will have to provide at least two methods to opt out, including an interactive web form.47 In addition, the Proposed Regulations clarify that businesses will have to treat user-enabled privacy controls signaling the consumer’s choice to opt out (e.g. browser plugins and privacy settings) as a valid request to that effect.48
Right to opt in to the sale of PI for children49	A business may not sell PI of children under the age of 16 unless opt-in consent (Affirmative Authorization) is obtained (the business must obtain opt-in consent from children between the ages of 13 and 16, or the parent or guardian if the child is under the age of 13).	The Proposed Regulations clarify that, for children under the age of 13, Affirmative Authorization may be obtained through a method that is “reasonably calculated”50 to ensure that the person providing consent is in fact the child’s parent or guardian. Once Affirmative Authorization is lawfully obtained, the business will be required, under the Proposed Regulations, to inform the person who gave consent of the right to opt out at a later date, and the process for doing so, except where a business exclusively targets consumers under the age of 16.51
Deletion right52	Businesses must delete a consumer’s PI upon request and should direct service providers to do so as well. Service providers have an obligation to delete PI. There are various exemptions to this right and to a business’ obligation to delete PI. For instance, exemptions include when the PI is necessary in order to: complete a contractual transaction; provide a good or service requested by the consumer; detect security incidents; exercise free speech; engage in research in the public interest; enable solely internal uses that are reasonably aligned with the expectations of the consumer; comply with a legal obligation; or otherwise use the consumer’s PI, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.	Businesses must make available at least two methods for submitting requests.53 Under the Proposed Regulations, at least one method offered must reflect the manner in which the business primarily interacts with the consumer, even if this requires a business to offer three methods for submitting requests.54 The Proposed Regulations clarify that, for online requests, businesses must use a two-step process whereby consumers must clearly request the deletion of their PI, and then separately confirm their choice.55
Access and portability rights56	Consumers have a right to access their PI and to data portability, and businesses that receive a request must take steps to disclose and deliver to the consumer the categories and specific pieces of PI collected about the consumer covering the 12-month period preceding the request. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, a readily usable format that allows the consumer to transmit this information to another entity without hindrance. This disclosure should be free of charge and occur within 45 days of receiving a verifiable request. There is no statutory exemption to these rights.	Businesses should make available at least two methods for submitting requests, including a toll-free telephone number and website address (if the business maintains a website).
Right not to be discriminated against for exercising CCPA rights57	Businesses may not discriminate against a consumer for exercising any of the CCPArights, such as by denying goods or services, charging different prices, providing a different level or quality of goods or services or otherwise. However, businesses may apply a different price, rate, or quality, if that difference is reasonably related to the value of the consumer’s data. In which case, the business must provide consumers with a notice of financial incentive.	Under the Proposed Regulations, if the business provides a notice of financial incentives, the notice will have to contain:58 a succinct summary of the financial incentive or price or service difference offered (Incentive); a description of the material terms of the Incentive and the categories of personal information implicated; how consumers can opt-in to the Incentive; notification of right to withdraw from the Incentive and the manner in which consumers can exercise this right; and an explanation of why the Incentive is permitted under the CCPA, including a good-faith estimate of the value of the consumer’s data and a description of the “method used”59 to calculate this value. Under the Proposed Regulations, businesses must ensure that the notice is easy to read and understandable to an average consumer. To that end, the Proposed Regulations enumerate various requirements.60 Most notably, the notice must be made available online in a location where consumers will see it before opting into the Incentive.61

---

¹ See s. 28 of PIPEDA. For instance, an organization that knowingly contravenes the recent breach reporting requirements may be found guilty of an offence of C$100,000.

² Under PIPEDA, when an individual submits a complaint to the OPC, the OPC will issue a report. The complainant can then apply to the Federal Court within one year after the OPC’s report is released for a hearing in respect of a matter that was the subject of the original complaint to the OPC or that was referred to in the OPC’s report, and that is with regards to certain obligations under PIPEDA. In such case, the Federal Court may: (a) order an organization to correct its practices to comply with PIPEDA; (b) order an organization to publish a notice of corrective action outlining any action it has taken or intends to take to correct its practices; and (c) award damages to the complainant.

³ Cal. Civ. Code § 1798.155(a).

⁴ Cal. Civ. Code § 1798.155(b). There uncertainties about what constitutes a violation.

⁵ Cal. Civ. Code § 1798.150.

⁶ While these draft regulations provide some clarity with respect to the implementation of the CCPA, they are not yet finalized. Indeed, pursuant to its statutory powers (see Cal. Civ. Code § 1798.185), the Attorney General will be holding public hearings, and accept written comments until December 6, 2019 concerning the draft regulations. Final rules are not expected until the spring, and the Attorney General will be able to enforce the rules starting July 1, 2020.

⁷ This phrase is not defined, but it could possibly apply to businesses with no physical presence doing business online in California.

⁸ It is not clear whether these revenues have to be derived from California, but the general thought is that this applies to overall revenues.

⁹ Assembly Bill 25.

¹⁰ Innovation, Science and Economic Development Canada, Strengthening Privacy for the Digital Age — Proposals to modernize the Personal Information Protection and Electronic Documents Act.

¹¹ Innovation, Science and Economic Development Canada, Strengthening Privacy for the Digital Age — Proposals to modernize the Personal Information Protection and Electronic Documents Act.

¹² Cal. Civ. Code § 1798.100(b)

¹³ Cal. Civ. Code §§ 1798.130(a)(5).

¹⁴ Proposed Regulations, § 999.305(c).

¹⁵ Proposed Regulations, § 999.305(a)(2).

¹⁶ Proposed Regulations, § 999.305(a)(2). When a business collects consumers’ personal information offline, the Proposed Regulations indicate that the business may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post prominent signage directing consumers to the web address where the notice can be found.

¹⁷ Proposed Regulations, § 999.305(d).

¹⁸ Cal. Civ. Code §§ 1798.130(a)(5).

¹⁹ Cal. Civ. Code §§ 1798.130(a)(5)(A).

²⁰ Cal. Civ. Code §§ 1798.130(a)(5)(A).

²¹ Cal. Civ. Code §§ 1798.130(a)(5)(B).

²² Proposed Regulations, § 999.308(b)(1).

²³ Cal. Civ. Code §§ 1798.130(a)(5)(C)(i).

²⁴ Cal. Civ. Code §§ 1798.130(a)(5)(C)(ii).

²⁵ Proposed Regulations, § 999.308(b)(1).

²⁶ Proposed Regulations, § 999.332(a).

²⁷ Proposed Regulations, § 999.308(b)(2).

²⁸ Recent decisions by the Office of the Privacy Commissioner of Canada detail the protections that organizations should include in their agreement with affiliated (see PIPEDA Report of Findings #2019-001, at para. 74) and with non affiliated third parties (see PIPEDA Report of Findings #2019-003, at para. 41).

²⁹ Cal. Civ. Code § 1798.140(v)(w).

³⁰ Cal. Civ. Code § 1798.140(n).

³¹ Cal. Civ. Code § 1798.140(v). Service providers may be: sole proprietorships; partnerships; limited liability companies; corporations; associations; and, other legal entities that are organized or operated for the profit or financial benefit of its shareholders or other owners.

³² Cal. Civ. Code § 1798.140(v).

³³ Cal. Civ. Code § 1798.140(w).

³⁴ Cal. Civ. Code §§ 1798.140(w), 1798.145(h).

³⁵ Cal. Civ. Code §§ 1798.140(w), 1798.145(h).

³⁶ Cal. Civ. Code §§ 1798.100(a)(b) and 1798.110(a).

³⁷ When the CCPA refers to « categories » of PI, the business must use the categories included in the CCPA’s definition of PI that most closely describe the PI in question.

³⁸ This would cover sharing (disclosure under PIPEDA’s terminology) that are not sales and not made to a vendor.

³⁹ AB-1564 § 1798.130(a).

⁴⁰ AB-1564 § 1798.130(a).

⁴¹ Cal. Civ. Code § 1798.115.

⁴² AB-1564 § 1798.130(a).

⁴³ AB-1564 § 1798.130(a).

⁴⁵ Cal. Civ. Code §§ 1798.120, 1798.135.

⁴⁵ Proposed Regulations, § 999.306(c).

⁴⁶ Proposed Regulations, § 999.306(a)(2).

⁴⁷ Proposed Regulations, § 999.315(a).

⁴⁸ Proposed Regulations, § 999.315(c).

⁴⁹ Cal. Civ. Code § 1798.120(d).

⁵⁰ For example, methods include requiring the use of a credit card, debit card or other online payment system; provide a consent form signed under the penalty of perjury; requiring a person to call a toll-free telephone number; etc. For more examples, see Proposed Regulations, § 999.330(a)(2).

⁵¹ Proposed Regulations, §§ 999.330(b), 999.331(b), 999.332(b).

⁵² Cal. Civ. Code § 1798.105.

⁵³ Proposed Regulations, § 999.312(b).

⁵⁴ Proposed Regulations, § 999.312(c).

⁵⁵ Proposed Regulations, § 999.312(d).

⁵⁶ Cal. Civ. Code §§ 1798.100(d).

⁵⁷ Cal. Civ. Code §§ 1798.125, 1798.135.

⁵⁸ Proposed Regulations, § 999.307(b).

⁵⁹ For more information about methods that can be used to calculate the value of the consumer’s data, see enumerated examples found under the Proposed Regulations, § 999.337(b).

⁶⁰ Proposed Regulations, § 999.307(a)(2).

⁶¹ Proposed Regulations, § 999.307(a)(2)(e).