On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), which replaces the California Consumer Privacy Act of 2018 (CCPA).

The CPRA expands consumers’ rights regarding protection of personal information. Companies collecting personal data should review the changes to ensure compliance. Indeed, we anticipate that enforcement of these laws will drastically increase when the CPRA comes into effect

For many companies, the CPRA may not directly apply, but companies may be contractually obligated to comply with the law if they conduct business with large tech firms.  As as a result, it will be prudent for many companies to comply in order to ensure they can continue to service their clients.

Major changes include:

  1. Enforcement

The CPRA creates the California Privacy Protection Agency, a government body tasked to make the regulations and enforce the CPRA. It is predicted that the CPRA will increase the level of enforcement because it is partially funded by the fines.

  1. No more warnings

The new law eliminates the 30-day cure period provided by the CCPA. The CCPA provided notices to businesses not complying with the law and allowed them to fix the violations within 30 days without having to pay fines. The notice and cure period no longer exist with the CPRA.

  1. Sensitive Personal Information

The CPRA creates a new subcategory of personal information, which includes information such as biometric information and contents of e-mails and texts. Collection of sensitive personal information compels additional disclosure, opt-out and use requirements.

  1. Expansion of Consumer Rights

Consumers now have the right to opt-out of businesses sharing and selling their personal information. Under the CCPA, consumers only had the right to opt-out of the sale of their personal information. Consumer also have the right to request businesses to delete their personal information and businesses must notify third parties to delete the personal information as well.

The CPRA will become effective on January 1, 2023 with a look back period of 12-months so businesses will need to comply by January 1, 2022.

The CPRA will likely be the foundation for privacy legislation in other states and on a federal level. Similar laws will pass in the near future in many states including Washing and New York and on a federal level in both the US and Canada.

In this constantly changing regulatory environment, it will be critical to review your data collection practices and Privacy Policy to ensure that your company remains compliant and to avoid enforcement actions.

We are often engaged to review Privacy Policies from a U.S. and Canadian legal perspective.  In many cases these Privacy Policies were drafted by Canadian counsel without considering the laws of the client’s major market, the U.S.  The privacy laws of Canada and the U.S. are quite different and a failure to comply with U.S. privacy law can have enormous financial implications.  Accordingly, it is critical that Canadian companies ensure that their Privacy Policies are compliant on both sides of the border.

Below we detail three common privacy law issues that Canadian companies have when entering the US market.

1. The US is far bigger and more complex than Canada

In Canada, with a couple of exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers most privacy law issues in the commercial sphere.  Conversely, in the U.S., companies must comply with several different federal privacy laws, as well as state laws, the latter playing a major role in privacy protection.  This means that companies need to worry about complying with the privacy laws of all 50 states as well as several federal laws.

2. Same words, different meanings

Although both countries write their laws in English (In Canada – en Français aussi), words can have varying meanings under the law.  In privacy law in particular, certain key concepts are very different between Canadian and U.S. privacy laws, and companies that ignore these differences open themselves up to huge liability.

For example, the term personal information, at the core of privacy law in both countries, has different meanings in both countries and in the US there is no standard definition from one law to the next, or one state to the next. This means that while you might be compliant in Canada with the current way that you collect data from customers, the exact same data collection practice may be non-compliant in the US.

Other major privacy law concepts that differ in the US include: privacy of children under 13 years old, standards for “consent” and “breach”, rules for third-party access to personal information and jurisdiction issues.

3. Fines are far greater in the US

The price to pay for not complying with US privacy laws is far greater than not complying with Canadian privacy laws. For example, the Office of the Privacy Commissioner of Canada (OPC), the Canadian privacy law enforcement body, does not have the authority to fine companies for most privacy law violations.

In the US, by contrast, recent fines imposed by the Federal Trade Commission (FTC) and sister body, the Federal Communications Commission (FCC), consistently are in the million-dollar range and even up to $25 million in some cases.  Even simple violations such as gathering temporary personal information of children prior to getting parental consent can garner fines of up to a million dollars.  And be aware, the first piece of evidence that the FTC will use to see if a company is complying with US privacy law, is its online privacy policy. If you haven’t changed your privacy policy from a Canadian law compliant privacy policy to a cross-border compliant privacy policy, you are putting your company at huge risk.

Canada’s population is 1/10 that of the U.S.  For business, this means that most Canadian companies are going to look to the U.S. for revenue generation and in the process create exposure to U.S. laws, including privacy laws.  It’s critical that companies stay on top of their exposure to U.S. laws and engage legal counsel to ensure that their operations are fully compliant.

Frequently, large technology companies face lawsuits in foreign courts over their failure to comply with foreign laws, primarily those concerning privacy, sales and consumer rights.  In Germany, WhatsApp’s Terms of Service violated consumer protection laws; in Canada, Facebook is challenging the application of Canadian privacy law; and in Australia, Valve’s no return policy allegedly violates consumer protection laws.  As your startup grows, users may come from major markets across the world and create a challenge – how to balance growth with legal compliance?

Governing law clauses (X law applies and X courts have jurisdiction) are frequently unable to prevent the application of foreign laws to your company – just ask WhatsApp, Facebook or Valve.  Therein, to comply with the laws of only one market naturally leaves your startup exposed to legal liability for non-compliance in other markets.  While I suggest considering compliance with the law of each market in which you gain traction, I also recognize that cost concerns and a startup’s focus on growth strategies means that compliance is always on the back burner.

When balancing growth with legal compliance, consider:

1.  Size of your company in each market:  the larger your company is in a market, the more likely the laws of that market will be asserted against you.

2.  General size of your company:  the larger (and wealthier) your company is, the more likely the laws of foreign markets will be asserted against you.

3.  Potential liability:  How large is your company’s exposure to liability for non-compliance in each market?  How comfortable is the company with this exposure?

4.  PR:  Does non-compliance create a substantial chance for bad PR in that market?

Small startups (and large technology companies) frequently focus on growth over legal compliance.  Indeed, at the start of your company, potential liability is low as the company is flying under the radar – here, focusing on growth makes sense.  Once you company grows, legal compliance should be weighed and constantly reevaluated as laws, and your company, change.

I often stress the need to keep your Privacy Policy up-to-date; case in point, Snapchat’s settlement with the U.S. Federal Trade Commission.  In the action, the FTC found that Snapchat deceived users with incorrect claims about privacy and misrepresented its data collection practices.  Ultimately, the FTC subjected Snapchat to 20 years of independent privacy monitoring.

A few key lessons:

1.  Don’t misrepresent.  All representations about your software must be accurate, especially those concerning privacy.  If you don’t secure the app using X methods, don’t say that it is secured that way!  As the FTC states, “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

2.  Keep the Privacy Policy up-to-date.  The development team should keep track of all information collected by the software and loop the legal team in whenever a new feature or element is added.  Often misrepresentations result from outdated privacy policies that do not keep pace with software development.  Further, if marketing wants to make claims about software privacy, make sure to run the claims by the legal team first – best not to make public claims that conflict with the privacy policy.

3.  If you have information, act!  If users point out securities flaws with your software, seriously consider them and document action taken in response.  In Snapchat’s case, numerous users pointed out security flaws that were disregarded and such conduct certainly factored into the FTC’s decision.