Top 5 Differences Between CCPA & PIPEDA—A Breakdown

The California Consumer Privacy Act (CCPA) is a state law that regulates how businesses handle personal information. While the United States has yet to implement a national data privacy and security law, California paved the way for states to create their own consumer privacy regulations when it enacted the CCPA in 2018.

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s national data privacy law. PIPEDA lists the ground rules for how businesses must handle personal information in the course of commercial activities.

While it precedes CCPA, PIPEDA’s provisions on privacy aren’t as stringent and clear-cut. However, if approved, new legislation introduced by Canada’s federal government would fortify the country’s privacy laws.

Both CCPA and PIPEDA are designed to protect consumers by giving them control over their personal data, but there are some key differences. We discuss the top 5 differences below to help act as a guide to e-commerce data privacy.

1. Scope of Obligation

CCPA

CCPA covers for-profit businesses that collect personal information from California residents and fulfill at least one of the following criteria:

• Gross annual revenue greater than $25 million
• Buys, sells, or shares personal information of 50,000 or more consumers, devices, or households annually
• 50% or more of their revenue is accrued from selling consumer information

Bulleted List

CCPA compliance applies to the following:

• Businesses that control or are controlled by a covered business
• Businesses with the same name, service mark, branding, or trademark as a covered business
• Service providers and third parties that use personal information provided by a covered business

Bulleted List

PIPEDA

PIPEDA applies to commercial enterprises in the Canadian private sector that collect, use, or disclose personal information during commercial activity. Under PIPEDA, commercial activity refers to “any particular transaction, act, or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

PIPEDA applies to the entire country, with a few exceptions for provinces where another data protection law exists.

PIPEDA is also applicable:

• If the organization’s operations have a connection to Canada. Such organizations can be considered Canadian even if they’re located outside of Canada.
• To nonprofits, small businesses, and charities that may also be engaged in commercial activities
• To businesses located in Canada that handle personal information from other provinces or countries as part of their commercial activities

Bulleted List

2. Consumer Rights

Right to Data Portability

CCPA

If a consumer asks for their personal information that’s available with a business, the business must provide it in an accessible format so they can easily move it to another entity if needed.

PIPEDA

Unlike CCPA, PIPEDA does not give consumers the right to transfer their data.

Right to Deletion

CCPA

The CCPA gives consumers the right to instruct a business to delete any personal information collected about them (with some exceptions). When receiving such a request, businesses must ensure their service providers also delete the relevant data.

PIPEDA

Under PIPEDA, consumers do not have the same right to erasure as they do under CCPA.

Right to Correction

CCPA

Consumers don’t have a legal right to edit incorrect or incomplete personal information collected about them.

PIPEDA

Under PIPEDA, individuals have the authority to request that information about them be corrected if they can show that it’s inaccurate or incomplete.

3. Data Processing & Storage

CCPA

There’s no limit to the amount of data businesses can store under CCPA.

PIPEDA

PIPEDA dictates that personal information should only be kept for as long as it’s needed to complete the task for which it was collected.

4. Enforcement of Penalties

CCPA

CCPA enforces fines of $2,500 per unintentional violation and up to $7,500 per intentional violation. Businesses have a 30-day grace period in which they can fix any identified violations before being fined.

PIPEDA

The maximum penalty for a PIPEDA violation is 100,000 Canadian dollars.

5. Obligation to Respond to Rights Requests

CCPA

If a consumer rights complaint is delivered to the business, it must respond within 45 days with a verifiable consumer rights request. In certain circumstances, this period may be extended by 45 or 90 days. In case of non-compliance, businesses must inform customers of the reasons for their inaction.

PIPEDA

Under PIPEDA, organizations must respond to rights requests within 30 days of receiving them.

Conclusion

This article isn’t a comprehensive account of the differences between CCPA and PIPEDA, but rather acts as a guide. Additional research and consultation with a third-party expert are advised, because you want to avoid any violations and penalties. More information will also elaborate on other regions’ data privacy laws, such as CCPA vs LGPD and CCPA and CPRA vs GDPR, which are just as important to understand.