Comparing the Data Privacy Laws of California and Canada
With the adoption of the California Consumer Protection Act only months ago, CaCPA has joined Canada’s Personal Information Protection and Electronic Documents Act, Europe’s General Data Protection Regulation and other legislation designed to protect the data privacy of consumers in their jurisdiction.
As home to the head offices of many of the world’s largest technology companies (Apple, Microsoft, and Facebook, to name a few), as well as more than 12 per cent of the total population of the United States, California’s state-level law will still have a far-reaching impact on business around the world. This includes any foreign company that does business in California, or with Californians.
Canadian companies looking at these new rules will have an advantage, as we already follow PIPEDA (the Personal Information Protection and Electronic Documents Act), Canada’s national data privacy law for businesses. The PIPEDA framework provides a solid foundation for good privacy practices that can be applied to the new California law. But although both the Canadian and Californian laws have the same goal – protecting the privacy of consumers – there are some important differences to identify. Let’s take a look:
Scope
The first, and most obvious, difference between these pieces of legislation is in their scope — who do they apply to? The CaCPA applies to businesses that collect personal information and do business in the state of California. The law applies to businesses that meet at least one of the following three criteria: (1) having more than $25 million in annual revenue, (2) having the personal information of more than 50,000 “consumers, households, or devices”, or (3) earning more than half of their revenue through the sale of personal information. This limits the law to those companies that are large enough, or that deal heavily in personal data.
Meanwhile, the Canadian privacy law has a broader application, pertaining to any commercial activity where the personal information of a Canadian citizen is collected or used. This means that every commercial business in Canada will be subject to PIPEDA with no exceptions for size or earnings. In other words, if you do business in Canada, PIPEDA applies.
Definition of Personal Information
In Canada, personal information is defined as “factual or subjective information, recorded or not, about an identifiable individual.” This covers anything from age, name, income, ethnic origin, medical records, credit records, evaluations, and more. An individual becomes identifiable when a piece of information – on its own or combined with other pieces of information – can distinctly identify a particular individual.
California’s definition of personal information is even more expansive than Canada’s. While it still covers information related to an identifiable individual, it also includes any information that could identify a household, not just a single consumer. The law provides additional examples of the types of information it covers, which outline a few new categories of data, including “education information, audio, electronic, visual, thermal, olfactory, or similar information, and internet or other electronic network activity information,” which includes browsing and search histories on web-based applications. These additional examples broaden the definition of personal data in California and help to protect more of the information that businesses are collecting. It also makes the law more far-reaching.
Consent
Canada and California have differing opinions of how to properly gather consent from consumers. California, like the rest of the United States, uses an opt-out method of consent, where a consumer can ask to stop receiving electronic messages, but permission does not have to be given to begin receiving communication. In Canada, an opt-in system is used, where positive consent must be obtained before any communication is sent.
Child Consent
The CaCPA has some very clear rules on obtaining consent from children, which are different from the rules used for adult consumers. In order to sell the personal information of a child, the company must obtain an express opt-in action from the child if they are between the ages of 13 and 16, or from the parent if the child is younger than 13.
Canada’s law does not differentiate children from adults, instead applying the same privacy rules to everyone. Though some additional guidance is provided by the Canadian Privacy Commissioner to businesses that deal with the data of children, the law itself offers no additional protections for children.
Information Requests
A California resident is afforded, by law, certain rights in regard to their personal data. They can request a list of what types of information a company is holding, as well as what is being done with it, including whether it is being sold to a third party. Upon request, the third parties can be named. They can also ask that their information be erased (known as the right of erasure), in which case the company in question is obligated to remove any trace of the person’s personal data from its systems.
Canadians are also afforded rights under PIPEDA. Similar to the Californian law, PIPEDA gives individuals the right to access the personal information a company stores for them, and requires a company to share what is being done with the information, and any organizations it is being shared with. Canadian companies are also required to correct any inaccurate information when notified by the individual. Canada does not, however, have an equivalent to the right of erasure, but if consent is revoked by the individual, the personal information in question may not be used by the company.
Private Right of Action
A private right of action refers to the right, afforded through a particular law, that allows individuals to sue other individuals or organizations directly when they violate the law. In the case of a privacy law, a private right of action would allow an affected individual to sue a company if a data breach involving their data occurs, or if the company sends inappropriate electronic communications. A private right of action allows for both individual and class action lawsuits to take place.
California has included the private right of action in regard to its Consumer Protection Act. Any Californian who is affected by a violation of their rights under this act is allowed to sue the company that committed the violation.
Canada’s PIPEDA and the related Canada’s Anti-Spam Legislation went into force without the private right of action. This element of both pieces of legislation was later scheduled to be implemented on July 1, 2017. As of June 7, 2017, the private right of action was suspended indefinitely amid industry and business concerns.
Fines
No other element of privacy-related legislation gets businesses talking more than the fines related to a violation of the legislation. With the GDPR, the biggest buzz was around its potential fines of 20 million Euros or four per cent of annual revenue, which forced businesses to step back and evaluate the importance of the legislation.
The CaCPA also carries fines. Unlike the GDPR’s flat-rate fines, the CaCPA charges a fine per violation. In the case of a data breach, for example, an affected individual who sues the company in question could receive up to $750 per violation. The state can also sue a company on behalf of the people of California, in which case the company could face a fine of up to $7,500 per violation. Under the CaCPA, a large-scale data breach that affects thousands or millions of clients could bring about devastating monetary penalties for a business.
On the other hand, Canadian privacy legislation carries no monetary fines for violations. The Privacy Commissioner of Canada is granted the power to investigate complaints and can use certain enforcement tools including the federal court, public interest disclosures, audits, compliance agreements, and reporting offences. The commissioner cannot impose any monetary fines at this time.
The Digital Privacy Act, which introduced amendments to PIPEDA, is scheduled to take effect in November 2018. It provides additional requirements related to breach reporting, including a maximum $100,000 fine for any business that does not properly record and communicate data breaches under the law.
Overall, because both the CaCPA and PIPEDA serve the same purpose, good privacy practices apply to both laws. Once a Canadian company has considered the few differences listed above, it shouldn’t be difficult to adjust a privacy plan to meet California’s new rules.
Luke Henderson is privacy officer at Velsoft Training Materials.