Effective date: Unknown. The act is currently in the draft stage.
The new law maintains the definition of personal information established in PIPEDA. Under CPPA, personal information is any information about an identifiable individual, living or deceased. It includes:
- Age, name, ID numbers, income, ethnic origin, or blood type
- Opinions, evaluations, comments, social status or disciplinary actions
- Employee files, credit records, loan records, medical records, the existence of a dispute between a consumer and a merchant, and intentions (for example, to acquire goods or services, or to change jobs)
Who is affected by CPPA?
CPPA requirements apply to any organization that:
- Collects, uses and shares personal information for commercial purposes
- Collects, uses and shares the personal information about employees and job candidates
CPPA doesn’t apply to:
- Government organizations covered by the Privacy Act
- Personal information used for journalistic, artistic and literary purposes
- Personal information used for personal purposes
- Personal information about individuals used in relation to employment, business or profession
Your key responsibilities under CPPA
✓ Take on accountability for the collected data
CPPA makes your organization fully responsible for the protection of personal information, whether it is collected, used or disclosed by you or by someone else on your behalf. You should also assign one person to be in charge of compliance with privacy obligations and disclose their contact details, e.g. in your privacy policy or upon a visitor's request.
✓ Collect consents
You need to obtain meaningful consent for collecting, processing and disclosing users' personal information. You also have to write your request in plain language to make sure visitors are properly informed about their options.
The consent request can take two forms:
- Implicit – you need to inform users about the collection of their personal data and give them a way to opt out of it
- Explicit – you need to obtain users' active opt-in before you start tracking their data
Your choice of implicit or explicit consent should depend on the type of personal information at stake. While more sensitive data will require active consent, in the case of less sensitive data you will be able to rely on implied consent. Keep in mind that documenting consents, which is an obligation under CPPA, is a lot easier with explicit consents than with those based on inaction.
No matter which type of consent you choose, be sure your message to the visitor includes the following information:
- The purposes for which, and the ways in which, you want to collect, use and disclose personal information
- The consequences of the collection, use or disclosure of the personal information
- The types of personal information you collect, use and disclose
- The names of any third parties you share users’ personal information with
Finally, remember users' right to withdraw consent. You should provide them with an easy way to change their mind, e.g. through a contact form or an email address on your privacy page.
If you want to read more about the grounds for processing data under CPPA, be sure to check out this guide by McCarthy.
✓ Respect user rights to data transfer and deletion
Under CPPA, users have the right to:
- Transfer their personal information between organizations, e.g. banks or insurance providers
- Request the deletion of their personal information
✓ Maintain a privacy management program and be transparent about it
Companies have to come up with transparent processes for handling personal information. Every organization should prepare materials in which it describes:
- How it protects personal information
- How it manages requests for information and complaints
- How it meets other obligations under the legislation
- What training and information is provided to staff
You also need to update your privacy policy so it clearly describes what types of personal information you collect and how you process it. You should make sure that your privacy policy is written in plain and understandable language.
If you’d like to learn more about good practices around privacy policies, be sure to read this blog post.
✓ Keep records of consents
Your organization needs to keep records of consents and of the purposes for which it collects, uses and discloses data. If you decide to use data for any new purpose, you need to obtain a separate consent, document it and add it to those records.
You should keep these records in an easily accessible form. In the case of an audit by data protection authorities, you will need to share them with the privacy commissioner.
✓ Consider working with de-identified data
CPPA doesn't define de-identified information directly. Instead, it describes the process of de-identifying data:
De-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.
According to the law, you can collect de-identified data without visitors’ consent.
CPPA: What are the penalties for non-compliance?
Fines for non-compliance with CPPA are up to $10 million or up to 3% of global revenue. The law also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue.
Importantly, under CPPA consumers have a right of private action, which means they can sue companies that have used their data in a way that violates the obligations of the act.