Top 10 Differences Between CCPA and Canada’s PIPEDA

If your company does business in California, you’re likely familiar with—and hopefully compliant with—the California Consumer Privacy Act (CCPA). If you plan to expand your business to serve customers in Canada, you’ll need to understand how CCPA differs from Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Conversely, if you’re a Canadian firm looking to expand into California, you’ll also need to understand the differences between these two data privacy laws.

Background

While the United States has not yet adopted an overarching federal data privacy and security law, California established a leadership position within the US when it implemented the CCPA in June 2018. This groundbreaking law became effective on January 1, 2020. California raised the bar again when it passed the California Privacy Rights Act (CPRA) in November 2020. Because CPRA does not become effective until January 1, 2023, we will limit the scope of this blog post to CCPA. If you’re interested in CPRA, check out our 8 Steps to CPRA Compliance post.

PIPEDA was implemented in April 2000 and amended in June 2015. While it was enacted much earlier than CCPA, PIPEDA’s privacy provisions are not as stringent. However, Canada’s federal government has introduced new legislation that would, if approved, strengthen Canada’s privacy laws. Because this new legislation has not yet been approved, we’ll exclude it from the scope of this post.

Top 10 Differences

In this section, we’ll cover what we feel are the ten most significant differences between CCPA and PIPEDA.

  1. Who does it apply to?

CCPA

CCPA applies to for-profit businesses that collect personal information from California residents and meet at least one of these criteria:

  • Gross annual revenue is greater than $25 million.
  • Buy, receive, or sell the personal information of 50,000 or more California consumers, households, or devices.
  • Derive 50% or more of revenue from selling consumers’ personal information.

CCPA covers organizations that control or are controlled by a covered business. It also covers businesses that share common branding with a covered business, such as a shared name, service mark, or trademark.

Some CCPA provisions apply to service providers and third parties that user personal information provided by a covered business.

PIPEDA

PIPEDA applies to Canadian private sector organizations that collect, use, or disclose personal information during the course of commercial activity. “Commercial activity” is defined as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

Covered organizations include:

  • Organizations located outside of Canada if the organization’s activity has a real and substantial connection to Canada.
  • Small businesses, non-profits, and charities that are conducting commercial activity.
  • Businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities.

PIPEDA applies across Canada, except in provinces where a substantially similar data protection law already exists.

  1. Right to data portability

CCPA

In response to a consumer’s disclosure request, businesses must provide personal information in a readily useable format to enable the consumer to transmit the information from one entity to another without hindrance.

PIPEDA

Consumers do not have an equivalent data portability right under PIPEDA.

  1. Right to deletion (a.k.a. “right to be forgotten”)

CCPA

CCPA gives consumers the right to instruct a business to delete personal information the business has collected about them (some exceptions apply). When receiving such a request, Businesses must also have their service providers delete the data.

PIPEDA

Consumers do not have an equivalent right to deletion under PIPEDA.

  1. Right to correction

CCPA

Under CCPA, there is no provision that gives consumers a right to correct inaccurate or incomplete personal information a business has collected about them.

PIPEDA

PIPEDA gives Individuals the right to have their personal information amended (by the correction, deletion, or addition of information) when an individual successfully demonstrates the inaccuracy or incompleteness of their personal information.

  1. Minors

CCPA

CCPA prohibits selling the personal information of a person under the age of 16 without consent. Children aged 13 – 16 can provide consent. Parents must provide consent for children under 13.

PIPEDA

Under PIPEDA, parents must provide consent for the collection, use, and disclosure of personal information of children under the age of 13.

  1. Non-discrimination

CCPA

Businesses must not discriminate against consumers that exercise their data privacy rights. However, businesses may charge consumers differently to the extent that the difference reasonably relates to the value provided by the consumers’ data.

PIPEDA

Individuals are not given an equivalent non-discrimination right under PIPEDA.

  1. Obligation to respond to rights requests

CCPA

A business must comply with a verifiable consumer rights request within 45 days of the request. This may be extended by 45 or 90 days in certain circumstances. Businesses must inform consumers of reasons for not taking action.

PIPEDA

Under PIPEDA, organizations must respond to rights requests within 30 days of the request.

  1. Purpose limitation

CCPA

There is no purpose limitation provision in CCPA.

PIPEDA

When collecting, using, and disclosing personal information, organizations must identify the purposes for which personal information is collected at or before the time of collection. They must also limit the collection and use of personal information to that which is necessary for the identified purposes.

  1. Storage limitation

CCPA

There is no storage limitation provision in CCPA.

PIPEDA

Personal information must only be retained for as long as is necessary for the fulfillment of those purposes behind data processing.

  1. Penalties/fines

CCPA

CCPA provides for fines of $2,500 per unintentional violation and up to $7,500 per intentional violation. Businesses have a 30-day cure period for identified violations before being fined.

PIPEDA

Under PIPEDA, penalties can be up to 100,000 Canadian Dollars, depending on the severity of the violation.

We hope this has given you a good feeling for some of the most significant differences between CCPA and PIPEDA. However, these are by no means the only differences. If you plan to bring your organization into compliance with one or both of these laws, you’ll need to do a deeper dive or engage a third party that understands the laws in detail.

Additional Materials

Here are additional Tevora materials that can help you gain a deeper understanding of CCPA and PIPEDA:

We Can Help

If you have questions about CCPA or PIPEDA or would like help implementing changes in your environment to ensure compliance with these laws, Tevora’s team of data privacy and security specialists can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

About the Authors

Christina Whiting is a Principal | Privacy, Enterprise Risk & Compliance at Tevora.

Adoriel Bethishou is an Associate Manager | Privacy at Tevora.