Gone are the days of unregulated and untethered data gathering. With the rolling out of the California Consumer Privacy Act, Canadian businesses now find themselves navigating a patchwork of extraterritorial legislation. The laws are sometimes inconsistent, often vague, and certainly confusing. It has therefore become critical that companies understand their obligations under each of these major regimes and delineate the nuanced differences between them. Failure to do so may result in severe fines.
In light of this, I have created a quick reference guide for companies looking to better understand their legal obligations under GDPR, CCPA, and PIPEDA.
| Issue | PIPEDA | GDPR | CCPA |
|---|---|---|---|
| Does each law apply to my business? | PIPEDA applies to private sector organizations that collect, use, or disclose personal information in the course of commercial activity. Notably, this includes small businesses, and some non-profits and charities that may be considered as conducting "commercial activity". | Applies to the processing of personal data by all organizations (Canadian ones too) that are established in the EU, regardless of where the data processing occurs. Equally, to organizations that control or process data in connection with offering goods or services to, or monitoring the behaviour of, EU residents for advertising. | For-profit companies engaging consumers and households in California. For-profit companies with at least $25 million in annual revenue must comply with the law, as must companies of any size that hold personal data on at least 50,000 people or that derive more than half of their revenues from the sale of personal data. |
| Who is protected by the legislation? | A natural person. The person does not have to be a citizen, or a resident of a specific province. | Natural persons resident in the EU, or EU citizens. | Consumers resident in California, if they are natural persons. |
| Are employees protected? | Generally, yes. | Generally, yes. | Limited application; however, this may change. |
| What kind of information is protected? | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information may be factual, subjective, recorded or not, about an identifiable individual. This could include employee files, loan records, or blood type. | Personal information that could identify a consumer or household. |
| In what ways is information safeguarded? | Information must be protected in accordance with its sensitivity, and in light of developing risks. | Appropriate technical and organisational measures, taking into account current technologies, risks, and severities. | No explicit requirements; however, expect to take appropriate measures. |
| Notification requirements in the event of a breach | As soon as feasible, where the breach poses a real risk of significant harm to the individual (RROSH test). | Where possible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. | There are different requirements based on the nature of the business. Generally, affected individuals must be notified very quickly. |
| Potential penalties | Up to 100,000 Canadian dollars. | Up to 20,000,000 euro, or up to 4% of annual worldwide turnover of the preceding financial year. | $100 to $750 per consumer per incident, or actual damages, whichever is greater. |
As this chart demonstrates, there are several differences between PIPEDA, GDPR and CCPA. Some differences are slight, while others are more obvious. In any case, businesses must not only be aware of their privacy obligations but also take proactive measures to ensure compliance. This means working hand in hand with your IT team to understand where your servers are, what kind of information your business is processing, and what security measures are in place. It also means making sure your business works with competent legal counsel that understands the peculiarities of each law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.