Data Privacy Protection in the Americas: CCPA, PIPEDA, LGPD

The Americas may seem far away, but there are no borders online, and that is exactly where the potential need to comply with local personal data protection laws comes from. Today: CCPA (California), PIPEDA (Canada), and LGPD (Brazil).

Let’s go!

Do These Acts Apply to My Company and Activities?

A note on wording: each act uses its own term for personal data. The CCPA and PIPEDA say “personal information,” the LGPD says “personal data.” In this article we use the abbreviation PI (personal information) for all three.

How do I understand that the data I collect and process constitutes personal information?

Oh, do I need to be in compliance?
What should I do?

Below we will walk through the main requirements for the collection and processing of users’ PI in accordance with the acts being analyzed today.

Let’s Start with Obtaining Consent

CCPA

The general rule is that a user’s consent to the collection, processing, and sale of PI does not need to be obtained separately. But do not celebrate too early: users must in any case be notified of the categories of PI collected, the sources of that PI, the purposes of collection, the sale of PI (if any), and the third parties to whom PI is transferred. Users must also be informed of the rights they have regarding their PI.

How to notify? By means of notices, which may be part of the privacy policy. The Act does not prescribe a specific form of notification; what matters is that the notice is conspicuous and understandable and is given at or before the point at which the PI is collected (for example, a link on a landing page for a marketplace, or on the download page and in the settings for an application).

The following rule also applies: a new collection purpose/category of PI — a new notice.

It is worth noting that obtaining direct consent from users is considered good practice to reduce the risk of claims and limit liability.

In addition, regarding the sale of PI, users may exercise the right to opt out and prohibit such a sale. Interestingly, 12 months after the opt-out you may “knock on the door” again and ask whether the user has changed their mind. If the user then agrees to the sale of their PI, they exercise the right to opt in.

The right to opt in also applies to users under the age of 16: the sale of their PI requires the affirmative consent of the user (if aged 13 to 15) or of a parent or guardian (if under 13). Selling the PI of users under 16 without such direct permission is therefore prohibited.

By the way, companies may offer users compensation for the sale of their PI, reasonably related to its value (for example, certain services free of charge or at a discount).

PIPEDA

The Canadian act requires, as a general rule, that consent be obtained for the collection, use, and disclosure of users’ PI. Consent is valid only if the person knows what PI is being collected, the purposes of its collection, use, and disclosure, and whether it is transferred to third parties. There is no prescribed form of notification; in practice this information is included in the privacy policy.

Consent may be obtained in whatever form suits the mechanics of your interaction with users (a separate application form, a corresponding checkbox). New purpose or new category of PI: new consent; do not forget this.

An interesting point: depending on the sensitivity of the data (a concept the act mentions but does not define in detail), consent may be express or implied. The more sensitive the information, the more likely express consent is expected.

This rule should not be abused, though. If a person ordering a product or service through a marketplace ticks “receive newsletter,” they expect and understand that their data, for example their email and purchase history, will be used for that purpose. That information cannot be used for other purposes without fresh consent.

And of course, consent may be withdrawn at any time.

Refusing consent cannot be a reason to deny services or goods (except where a particular action is impossible without that consent, for example issuing invoices).

Without consent, PI may be collected and processed only for purposes defined in the act itself (for example, criminal investigations, or artistic, journalistic, and literary purposes).

LGPD

Consent is the primary basis on which a company may process a data subject’s PI. It must be given in a form that demonstrates the data subject’s will (in writing or by another means) and for specific purposes only; generic authorizations are void. If a person’s PI was made manifestly public by the data subject, there is no obligation to obtain consent, but all principles of PI processing established in the act, and the data subject’s rights, must still be observed.

The rule “new purpose/category of PI/form or duration of processing — new consent” applies here as well.

A data subject may withdraw consent to the processing of PI at any time.

Other legal bases for data processing include, among others, legitimate interest, performance of a contract to which the data subject is a party, and so on.

What Other Obligations Arise?

In addition to informing users and obtaining consent, a company that collects and processes PI also incurs other obligations that correspond to users’ rights (it is no surprise that the acts being analyzed focus most heavily on users’ rights).

CCPA

Users’ rights to request access to their PI, to be told what PI is collected and for what purpose, to have PI deleted, to demand that PI not be sold, and to non-discrimination each give rise to corresponding obligations for the company.

P.S. Some provisions below are reflected taking into account the provisions of the CCPA Regulations, which are currently at the final stage of review.

The company must:

  • make it possible to submit requests, for example by providing an email address or placing a request form on the website or in the application;
  • place a link to a “Do not sell my personal information” page, where users are told how they can exercise the right to opt out;
  • respond to user requests within 45 days (as a general rule) and provide the relevant information; for requests to opt out of the sale of PI a 15-day timeframe applies;
  • not discriminate against users for exercising their rights (for example, by offering goods or services at a higher price). If only users who pay for a premium account in an application can exercise their right to delete PI, that practice is discriminatory. If, however, a marketplace user asks for their browsing history and email address to be deleted and as a result no longer receives curated, relevant special offers, that is not discrimination.

PIPEDA

In accordance with the 10 fair information principles, companies that collect and process PI of Canadian users are subject to the following obligations:

  • appoint a person or department responsible for compliance with the principles of PIPEDA; users must know who to contact with requests or complaints;
  • clearly define and communicate to users the purposes of PI collection and processing;
  • protect PI in accordance with its sensitivity (as already noted, the concept of data sensitivity is not elaborated upon);
  • publish in a format accessible to users detailed information about their policies and practices regarding PI (including in an accessible format for persons with special needs);
  • upon user requests, provide access to information about PI and its use, and make changes to PI at the user’s request;
  • cease the collection and processing of PI upon withdrawal of consent by the user.

Interestingly, PIPEDA does not directly grant users a right to request deletion of their PI; only the Guidelines for obtaining meaningful consent indicate that in some cases PI must be deleted. For example, if a user deletes their account, the company must also delete all PI about them.

LGPD

The LGPD includes a broad list of data subjects’ rights that correspond to obligations of the company collecting and processing PI. Such obligations include, in particular:

  • responding to user requests regarding confirmation of the existence of PI processing, access to their PI, correction of PI, deletion of PI, and receiving information about what third parties receive their PI;
  • implementing technical and administrative measures to protect PI from unauthorized access and from accidental or unlawful destruction, loss, leakage, or alteration;
  • appointing a data protection officer (for companies acting as data controllers), responsible for receiving complaints and notifications from data subjects.

Violations: What Are the Consequences?

In summary, each of the analyzed acts places fairly similar obligations on companies that collect, process, and distribute users’ personal data, and grants the latter a broad range of rights. Therefore, if your company or activities fall under CCPA, PIPEDA, or LGPD (remember, registration of companies in the relevant jurisdiction is not required), it is worth thinking about compliance. And we will be happy to help with that 😉

Now that you know everything (or almost everything) about CCPA, PIPEDA, and LGPD, you can review our previous posts about GDPR and compare which one is more demanding.
