California’s new privacy law has extra-territorial implications

After only one week of legislative debate, the California Consumer Privacy Act (CCPA) was quickly enacted on 28 June 2018, and is scheduled to come into force on 1 January 2020.

The CCPA provides California consumers with new data privacy rights, and could have severe financial consequences on organizations that are non-compliant. The legislation will apply to any organization that: (1) collects and controls personal information (PI) of California residents, (2) does business in the state of California, and (3) meets one or more of the following requirements:

• Has annual gross revenue in excess of USD $25 million;
• Annually buys, receives, sells or shares, for commercial purposes, the PI of 50,000 or more consumers, households or devices; or
• Derives 50% or more of its annual revenue from selling California residents’ PI.

The statute also extends to entities that control or are controlled by an organization meeting the above criteria. California residents have been granted numerous privacy rights under the legislation, including the right to opt out of the sale of their PI to third parties. In this regard, organizations must post a clear link entitled “Do Not Sell My Personal Information” on their webpage. Consumers, defined as natural persons who are California residents, also have the right to know what PI an organization is collecting, where it came from, why it is being collected and whether it is being transferred, and to whom. Accordingly, consumers also have the right to access and request deletion of their PI. The legislation also contains specific protections for consumers, including the right to receive equal service and pricing from an organization, even if the consumer chooses to exercise their privacy rights under the CCPA.
Organizations will have a 30-day period in which to rectify any alleged statutory violations. Penalties for non-compliance include:

• Up to USD $2500 per violation on organizations that do not cure the violation within the 30-day cure window; and/or
• Up to USD $7500 per violation for intentional violations, in addition to any penalty assessed above.

In the case of a data breach, the CCPA creates a private statutory right of action for consumers, either individually or as a class, against organizations for the unauthorized access, theft or disclosure of a consumer's “sensitive personal information” resulting from an organization's failure to “implement and maintain reasonable security procedures and practices”. A finding of liability does not require the consumer to suffer actual harm. Damages will be the higher of: (1) statutory damages ranging from USD $100-750 per customer per incident; or (2) actual damages where harm has occurred.

While there are similarities between the CCPA and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and the EU’s General Data Protection Regulation (GDPR), there are also many critical differences, such that compliance with PIPEDA or the GDPR will not necessarily result in compliance with the CCPA. Although many legal commentators expect the California legislature to amend the draft legislation prior to it coming into force, it is important for Canadian companies that do business in California, or that have clients or customers in the state, to turn their attention towards the compliance requirements that are developing under the CCPA.

As a compliment to robust internal compliance mechanisms, cyber liability insurance can help organizations looking to transfer some of the risk that can arise out of a cyber or privacy breach or non-compliance with privacy laws. A cyber policy provides coverage for the costs an organization incurs to manage a cyber or privacy breach. The policy also covers defence costs, judgments and settlements where the organization is involved in third party litigation or a regulatory proceeding. If the cyber liability insurance policy contains robust wording, coverage may be available for fines for non-compliance with the CCPA, if those fines are insurable under the law.