California Consumer Privacy Act — Preparing for Compliance

The California Consumer Privacy Act (CCPA) is coming into force in less than two months, on January 1, 2020. The CCPA has an extraterritorial scope, which means that certain Canadian organizations may be covered by the statute. In order to comply with the law, these organizations will need to observe new transparency requirements (such as by adding specific notices on their websites and revising their privacy policies), adjust their practices to respond to new consumer privacy rights and adjust their contracts with service providers.

As opposed to the Personal Information Protection and Electronic Documents Act (PIPEDA), which provides for monetary penalties only in limited circumstances and does not provide a private right of action, non-compliance with the CCPA can result in important monetary penalties:

  • Penalties: The CCPA enables the Attorney General of California to launch a civil action against businesses who fail to remedy violations of the CCPA within a prescribed delay. The Attorney General may seek penalties up to US$2,500 per unintentional violation and up to US$7,500 per intentional violation of the CCPA; and
  • Civil right of action for data breaches: The CCPA also provides consumers with a right of action to institute a civil action against businesses for data breaches. Consumers may recover damages in an amount between US$100 and US$750 per incident, or their actual damages, whichever is greater.

Even with the CCPA coming into force in the near future, the California Legislature is still, to this day, adopting amendments to the statute. In addition, on October 10, 2019, the Attorney General of California released draft regulations for the CCPA, which provide further guidance with respect to the various rights and obligations of consumers and businesses under the Act.

This content has been updated on May 2, 2024 at 13 h 50 min.