Opinion: Why Canadian businesses need to prepare for the California Consumer Protection Act (CCPA) and how they can comply

As the world becomes more digital, data security and privacy regulations are a growing concern. And as Canadian companies grow internationally, it is becoming necessary to abide by other nations' regulations. This is the case with the CCPA. The CCPA, or the California Consumer Protection Act, takes effect on January 1, 2020...

Credit: Maarten van den Heuvel/Unsplash

As the world becomes more digital, data security and privacy regulations are a growing concern. And as Canadian companies grow internationally, it is becoming necessary to abide by other nations’ regulations. This is the case with the CCPA.

The CCPA, or the California Consumer Protection Act, takes effect on January 1, 2020, and its reach goes beyond California-based businesses.

What is the CCPA?
The CCPA mandates that businesses handle California customers’ personal information both more transparently and with greater care. It also gives California customers more control over the data they provide. This is to prevent future scandals like Facebook–Cambridge Analytica, where a business shared personal information without customers’ knowledge. Generally, the CCPA requires businesses to act as honest brokers in dealing with customer data.

Why do Canadian businesses need to prepare for the CCPA?
The scope of the CCPA is not limited to California-based businesses. It applies to any business, regardless of where it’s headquartered or where it maintains operations, that engages in:

  • Collecting and/or using the personal information of California residents
  • Conducting business in the state of California
  • Exercising at least one of the following activities:
    • Making at least $25,000,000 in annual gross revenue
    • Buying, receiving, selling or sharing personal information of at least 50,000 customers
    • Deriving at least 50 percent of annual revenue from selling California residents’ personal information

For all intents and purposes, this means that any company, including those based in Canada and that serve users who may be in California, are bound by this law.

CCPA compliance can reduce costs and increase brand reputation 
To complement this obvious legal mandate, Canadian companies should bring their online services into alignment with the CCPA to reap other benefits. Because the CCPA is a new law, being an early adopter (loudly so) will help build the trust relationship with customers and prospects and demonstrate your company’s commitment to the customer. 

How to turn the challenge of CCPA compliance into an opportunity

Being CCPA compliant is more cost-effective than being non-compliant
First and foremost, being ready for the CCPA helps Canadian businesses avoid hefty fines and payouts to Californian customers. Businesses can be fined $2,500 per unintentional violation or $7,500 per intentional violation (all amounts are in USD). For example, unintentionally violating the CCPA with 50 customers can lead to fines of as much as $125,000. 

Although data breaches come with heavier costs, paying out to customers is unique to the CCPA. For instance, if a data breach occurs before customer data was encrypted or redacted, businesses may be required to pay up to US$750 per incident or per customer, whichever is greater. Even if you have only 50 California customers, this can add up to US$37,500 for a single incident. 

A study conducted by Ponemon Institute shares that complying with data protection regulations is 27-percent more cost-effective than noncompliance. Interestingly, paying fines makes up one of the lower costs for compliance. In business disruption alone, a company can lose US$5.11 million. Other costs include US$3.76 million in productivity and US$4 million in revenue. The total average cost of compliance is US$5.47 million. Meanwhile, the total cost of noncompliance averages to US$14.82 million. Violating the CCPA can be detrimental to finance alone. Canadian businesses need to take the CCPA seriously.

Complying with the CCPA boost brand integrity
Customers appreciate legal protection, proactive disclosure and control over their personal information. Therefore, Canadian businesses can expect more data privacy and security regulations to emerge. 

Some helpful trends and statistics: 

  • In 2018, the European Union enforced the General Data Protection Act (GDPR) to protect EU citizens’ personal information
  • Only 4 percent of Americans feel highly confident that companies and retailers can safely handle customers’ personal information (Pew Research Center)
  • More than 90 percent of customers believe they should have full control over their personal information (PwC
  • The need for government regulations to protect personal customer information is supported by 80 percent of customers (PwC)

Eighty-seven percent of customers are willing to take their business elsewhere if they believe that an organization isn’t handling their personal information responsibly (PwC). Therefore, it’s safe to say that Canadian businesses can risk losing customers by not complying with the CCPA—and attract them if they do.

American businesses are already demonstrating that complying with the CCPA can increase their brand reputation. To stay competitive in the American market, Canadian businesses need to also pursue compliance.

How must Canadian businesses comply with the CCPA?

Here are some key points that Canadian businesses should know about CCPA requirements. 

Be transparent with customers
Canadian companies that serve Californians must disclose the following before or during the collection of personal information:

  • The categories of personal information (e.g., demographic information, behavioural analytics)
  • The categories of sources from which the information is collected (e.g., cookies, email tracking)
  • The purpose of collecting or selling personal information (e.g., to personalize content and ads)
  • The categories of third parties with which the information will be shared (e.g., advertisers, online payment companies)
  • The specific pieces of information that are being collected from that customer (e.g., name, IP address)

Give customers control over their collected data
Canadian businesses should have a way to neatly centralize and organize customer data. Upon customer request, businesses must provide customers with all of their collected information and/or delete everything on file pertaining to that customer. 

Customers must also be presented with the ability to opt out of having their collected information shared with third parties. These opt-out requests must be easily accessible by consumers in at least two ways. Examples include a form on the company website and a toll-free number. The CCPA also demands that businesses have a conspicuous “Do Not Sell My Personal Information” button on the company’s homepage. 

Be aware when collecting consent from minors
With the CCPA, Californians under the age of 16 require a different consent form when it comes to collecting or sharing their data. For customers aged 13 to 16, businesses need to provide an opt-in form instead of an opt-out. For customers under 13 years old, they must seek opt-in consent from the child’s parent or guardian.

Do not discriminate against customers based upon their preferences
Collecting customer information is crucial to a company’s success, so it can be frustrating for Canadian businesses to face barriers to this process. Still, the CCPA prohibits companies from poorly treating customers (e.g., charging higher prices) for exercising their rights. 

The CCPA is a legal problem that can be solved with technology
A study by TrustArc found that 72 percent of surveyed American companies are investing in technology to comply with the CCPA. Canadian businesses should look to do the same. With the ongoing cost of complying with changing global regulations skyrocketing, We recommend investigating a third-party Customer Identity and Access Management (CIAM) solution. This is a type of software that manages digital identities and is excellent for meeting CCPA needs. 

Here’s how a CIAM solution can help with CCPA compliance:

  • Enable customized registration and login pages to include disclosure statements and age-appropriate consent
  • Store customer information in a centralized location for easy access upon customer request
  • Provide data encryption and world-class security features

Implementing CIAM technology unifies compliance efforts. In turn, this single solution allows businesses to save costs on lawyers, auditors, engineers and IT staff members.

Conclusion

The prospect of growing outside our borders can be enticing. With the help of CIAM software, Canadian businesses can thrive by complying with regional regulations like the CCPA, GDPR and others. Together, we can establish Canadian businesses as leaders in complying with data privacy regulations and respecting customer personal information. 

For more information about the CCPA and how it compares to other data privacy regulations, and possible solutions to compliance, check out LoginRadius’s white paper

Rakesh Soni is co-founder and CEO of Vancouver-based LoginRadius. Finding novel ways to secure digital identities is what we do. The LoginRadius Identity Platform serves more than 3,000 businesses and secures one billion digital identities worldwide. The company has been named an industry leader in the customer identity and access management space by Computer Weekly, Forrester, Gartner and KuppingerCole