In November 2020, Canadian legislators in the House of Commons introduced the Digital Charter Implementation Act (DCIA) or Bill C-11. The Act aims to bring an overhaul of Canada’s data privacy laws. It seeks to enact the Consumer Privacy Protection Act (CPPA) and the new Personal Information and Data Protection Tribunal Act (PIDPT).
The CPPA aims to establish a new private-sector data privacy law, updating and effectively replacing the existing Personal Information Protection and Electronic Documents Act (PIPEDA). The PIDPT aims to establish a new administrative Personal Information and Data Protection Tribunal empowered to levy significant fines for non-compliance with the CPPA.
The aims and objectives of the DCIA align with other data privacy laws in the world, such as the GDPR and the CCPA. The Act will maintain the governing principles of PIPEDA while creating new rules around the collection, use and disclosure of personal data. It will also seek to strengthen enforcement of these rules. It will apply to any organization that collects, uses or discloses the personal information of Canadian citizens for commercial purposes.
The bill is currently under consideration and may undergo some changes before becoming final. Read the official text here.
PIPEDA came into force two decades ago, in 2000, and Canada has been signalling privacy law updates for some time now. The major prompts for Canada’s privacy law revamp are the tightened data privacy rules in Europe, including the challenge to international data transfers posed by Schrems II, and the emerging data privacy laws in the US.
This new Act has come about after a long legislative history. This includes the federal government’s introduction of a Digital Charter, the parliamentary report Towards Privacy by Design, and proposals and guidelines such as Strengthening Privacy for the Digital Age and Guidelines for obtaining meaningful consent.
If passed, the DCIA will usher in a new era of privacy laws in Canada. It will significantly enhance individuals’ control over their personal information and bring greater transparency regarding how companies handle it.
The key changes introduced by the DCIA are highlighted in the following sections. Note that the Consumer Privacy Protection Act (CPPA) is part of the DCIA, and both terms will be used interchangeably from here on.
Private Right of Action
The Act contains a private right of action for individuals. Once a violation found by the Privacy Commissioner is upheld, affected individuals can sue in the Federal Court or a superior provincial court. They can initiate the private right of action within two years of becoming aware of the violation.
The proposed Act does not limit its definition of damages to financial harms. Individuals can claim damages for loss or injury that they may have suffered as a result of the violation. Under CPPA, an organization could be subject to the maximum administrative fines and can still face claims under the private right of action.
An organization should obtain an individual’s valid consent to collect, use or disclose personal information. Consent is to be obtained at or before the time of the collection of personal information. Only information necessary to provide a product or service should be collected.
For valid consent under CPPA, organizations should inform individuals about the manner in which they collect, use or disclose personal information, the specific types of personal information they collect, and any reasonably foreseeable consequences of that collection, use or disclosure. They should also inform users of the names or types of third parties to which they disclose users’ personal information.
Implied consent will be acceptable in certain circumstances, depending on the sensitivity of the personal information and taking into account the reasonable expectations of the individual. Organizations should also give individuals the choice to withdraw consent in whole or in part.
Exemptions from Consent
CPPA gives organizations certain exemptions from consent collection. Businesses do not have to collect consent if the information is necessary to provide or deliver a product or service, or for system or network security. Under CPPA, organizations can also collect personal information without consent for other reasonable purposes, but such information cannot be collected or used for the purpose of influencing the individual’s behaviour or decisions.
The exemptions also apply to the transfer of information to a service provider. However, the Act also mandates that the organization must ensure (through a contract or otherwise) that the service provider provides the same level of protection as required under the Act.
De-identification of Personal Information
An organization can use an individual’s personal information without their knowledge or consent in order to de-identify it. To de-identify means to modify personal information using technical measures so that it no longer identifies an individual and cannot be linked with other information to identify an individual.
Organizations can use de-identified information without the knowledge or consent of the individual for internal research and development purposes. CPPA notes that the organization must apply appropriate technical and administrative measures to protect the de-identified information.
Rights of Individuals
Individuals have the right to access and amend their personal information via requests. Organizations must inform them whether they hold any personal information about them, how they use that information and whether they have disclosed it to any third parties. An organization should respond to a request no later than 30 days after receiving it.
If the personal information is not accurate, up-to-date or complete, the organization must amend the information upon request. Similarly, individuals can request organizations to delete their personal information.
Individuals also have the right to transfer their data from one organization to another, i.e., the right to data portability. To provide a secure mechanism for this, the Act introduces the concept of “data mobility frameworks”.
Under CPPA, organizations can store and access personal information outside of Canada, so the Act includes a provision requiring businesses to make this fact available to individuals. Details of any international or interprovincial transfer or disclosure of personal information should also be made available to the individuals concerned.
Automated Decision Systems
A significant provision that CPPA introduces is transparency about automated decision systems. Automated decision systems are defined as any technology that “assists or replaces the judgement of human decision-makers using techniques such as rule-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets”.
Organizations should be transparent about how they use automated decision-making systems to make predictions, recommendations, or decisions about individuals. Individuals also have the right to request an explanation of how their personal information was used for automated decisions.
Privacy Management Programs
Organizations have to maintain a privacy management program and make it available to the Privacy Commissioner on demand. It should document the policies and procedures the organization follows to protect personal information.
It should also document the training provided to employees, and details on how the organization deals with privacy requests and complaints. While developing a program, the organization should consider the volume and sensitivity of the personal information under its control.
Codes of Practice and Certification
The CPPA suggests that organizations develop their own codes of practice or certification systems to demonstrate how they propose to comply with the law. A code of practice has to be approved by the Privacy Commissioner.
The Commissioner may approve a code if it meets the criteria set out in the regulations. The Act calls for accountability frameworks and self-regulation from organizations. A certification system should include a mechanism for the independent verification of an organization’s compliance with the code of practice.
Fines and the New Tribunal
The maximum fines proposed under DCIA can surpass the GDPR fines. Administrative offences can incur fines of up to 3% of global gross revenue or $10 million CAD, whichever amount is higher. Serious violations, such as obstructing an investigation by the Privacy Commissioner or failing to comply with DCIA, will incur fines of up to 5% of global gross revenue or $25 million CAD, whichever amount is higher.
The Commissioner will recommend penalties, perform audits, issue binding orders and ensure enforcement. The Tribunal established by the PIDPT has the power to impose penalties and to hear appeals of the federal Privacy Commissioner’s decisions from organizations as well as complainants.
What Should Businesses Do Now?
The DCIA is yet to be voted on, but the government has indicated that it is a top priority. There will be amendments as the draft legislation moves through its various phases. Rest assured, DCIA is only the beginning of a fundamental change to Canada’s privacy landscape.
While there will be a transition period, we suggest you take the following steps from the get-go:
- Inform employees about the upcoming legislation and emphasize that current privacy measures must be strictly upheld.
- Evaluate the existing framework for consumer data privacy. Identify where current practices fall short and where improvements can be made.
- Document policies and procedures regarding the flow of information from collection to use, including the purposes for which it is collected and the practices applied to it.
A cookie consent solution like CookieYes can help you with a key aspect of compliance: meaningful consent collection. CookieYes will automatically scan your website for cookies and add them to your site’s list of cookies.
You can then add a fully customizable cookie consent banner to your website. You can preview how the cookie banner will look on your website and make it available in over 24 languages! The consent log feature will keep a record of users’ consents and their cookie preferences. This will help you demonstrate your compliance.
Sign up to CookieYes today!