Get up to speed on California’s privacy law
In 2020, the CMA posted part one and part two of a blog series covering the then newly implemented California Consumer Privacy Act (CCPA), a trail-blazing bill representing the most comprehensive privacy protections in North America. Since then, new state legislation – the California Privacy Rights Act (CPRA) – has been passed, which came into effect on January 1, 2023. The CPRA did not replace the CCPA, but amended several of its provisions and added new privacy protections. Consumer rights in California have been expanded and the responsibilities of businesses have changed, exhibiting a greater likeness to the GDPR.
The CPRA is important to Canadians because Canadian and Californian companies are heavily invested in each other’s markets. Canadian companies doing business in California must know whether the CPRA applies to them and act accordingly. Below is an overview of the key elements Canadian marketers need to know about the CPRA.
When the CPRA applies to Canadian businesses
The CPRA applies to companies processing personal information and operating either from California or offering products and services to Californians, with a few caveats. The CPRA will only apply if your business meets at least one of the below criteria:
- Annual global gross revenue of 25 million USD or more.
- At least 50% of your annual revenue comes from selling or sharing personal information.
- You buy, sell, or share with third parties the personal information of at least 100,000 California residents or households.
How it is enforced
The CPRA is enforced by the newly established California Privacy Protection Agency (CPPA). Not to be confused with Canada’s proposed privacy law which goes by the same acronym (see more on that here), the CPPA is engaged in rulemaking and regulation, and is also the agency through which Californians can file privacy complaints.
Failure to comply with the act can result in fines of up to 2,500 USD per violation and 7,500 USD per intentional violation (or violation that involves a minor that the business or entity knows is underage, defined as 16 years or younger). Each person affected by a specific case counts as a separate violation. Once businesses have been informed of a violation, they have 30 days to rectify it.
Key provisions to be aware of
Below are some of the key obligations organizations are expected to adhere to.
Collecting and sharing personal information
The CCPA established a “Do Not Sell” mandate, which offers consumers the right to opt out of the sale of their personal information. This mandate has now been expanded under the CPRA to include a “Do Not Share” provision, offering the same right when it comes to the sharing of personal information.
Where businesses intend to sell personal information, they must notify consumers and inform them of their ability to opt out. Businesses are also required to place a “Do Not Sell or Share My Personal Information” link on their homepage and on webpages that collect personal information. If a consumer decides to opt out of the sale or sharing of their data, a business cannot ask the consumer for consent again for a minimum of 12 months.
Adherence to this mandate is more complicated for businesses dealing with third-party service providers, so we recommend that you seek legal advice when navigating these activities.
Sensitive personal information
Under the CPRA, the term sensitive personal information (SPI) includes personal information that reveals a consumer’s social security number, passport number, driver’s license number, state identification card, precise geolocation, account log-in or password, financial account and card information, union membership, genetic data, mail, email and text message contents, racial or ethnic origin, and religious or philosophical beliefs. The data privacy protection requirements for sensitive personal information are more robust than those for protecting other personal information.
Marketers wanting to rely on implied (opt-out) consent for the use of sensitive data to influence behaviour or infer consumer characteristics can only do so under the following circumstances:
- When there is a reasonable expectation by the average consumer that it would be collected to deliver certain goods or services
- To maintain the security and integrity of a consumer’s personal information
- When there is transient usage that doesn’t build a user profile or share their information with a third party
- When performing services on behalf of businesses
- When maintaining, improving, or ensuring the safety of the service
If you intend to collect or use SPI for a purpose other than those outlined above, or for a purpose other than that for which it was originally collected, you must notify the consumer and give them the option to opt out. An opt-out link should be included on any relevant webpages or emails, titled “Limit the Use of My Sensitive Personal Information.”
More on opt-outs, audits, and risk assessments
In addition to opting out of the sharing of personal information, the CPRA establishes a right to opt out of automated decision-making. This means that consumers can opt out of the use of automated decision-making technology, including “profiling,” in connection to their personal preferences, interests, behaviour, location, or movements, as well as their economic situation, health, and work performance.
In addition, businesses dealing with “high-risk information” are required to be more transparent. Cybersecurity audits must be conducted annually by businesses processing personal information that poses a significant risk to consumer privacy or security. These businesses are also responsible for performing risk assessments on a regular basis, which are to be submitted to the CPPA for review.
To determine whether your business processes personal information that may present a significant risk to consumers’ privacy or security, you must consider two factors: (1) the nature and scope of processing activities; and (2) the size and complexity of your business. If you’re unsure where your business stands, it is important to seek legal advice.
Keep in touch and stay informed
For information on privacy reform in Canada and other major jurisdictions, be sure to check out our privacy law reform webpage, and for more information on privacy compliance and best practices, check out our privacy protection webpage.
Author: Marlize Van Sittert, Public Policy Specialist