With its November 17, 2020 announcement to create a new privacy law, the Canadian government has joined a growing list of regulators. Stricter data privacy regulations and enforcement are no longer a new practice but a new reality.
In addition to the European Union's General Data Protection Regulation (GDPR) that came into effect in 2018, California, Brazil and, to a lesser extent, Virginia and Colorado have all enacted privacy laws applicable to the private sector. In 2021, four other states, Massachusetts, New York, North Carolina, and Pennsylvania, have serious and comprehensive consumer data privacy cases under review.
It is not surprising that Canada is working on its own bill. If passed, this would be one of the world’s most ambitious laws on personal data protection.
The Canadian Consumer Privacy Protection Act (CPPA), implemented through the broader Digital Charter Implementation Act, would aim to give consumers control over their data and promote greater transparency about how organizations use data containing personal identifiers. Read on for an overview of everything you need to know about this upcoming legislation.
- What is the Consumer Privacy Protection Act (CPPA)?
What is the Consumer Privacy Protection Act (CPPA)?
In 2020, Canada’s federal Minister of Innovation, Science and Industry submitted Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Act, more simply referred to as the Digital Charter Implementation Act, 2020, for consideration in the House of Commons.
Bill C-11 is not yet law. It must be passed by both Houses of Parliament and receive Royal Assent. It is still in the legislative process for second reading and debate.
If passed, Bill C-11 would replace the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how the private sector handles consumer data, by introducing the CPPA. The CPPA would impact any business collecting personal data in Canada by taking the broad data privacy principles of PIPEDA and creating new guidelines and a framework for enforcement.
Under the CPPA, the federal privacy commissioner would have the power to investigate and prosecute any organization that violates the framework imposed by the CPPA. The penalties would also be more severe than those imposed by PIPEDA.
This would be one of the strictest privacy laws in the world, comparable to the GDPR or the California Consumer Privacy Act.
New Data Privacy Obligations in Canada
So, who would these new privacy obligations target? Would your business be concerned?
Any company that collects personal data would be subject to new data privacy obligations:
New requirements for user consent in relation to the collection, use or disclosure of an individual's data;
An individual would have the right to request access to their personal data held by an organization; and
Upon request, to have all personal data about the individual that has been collected by the organization deleted;
An employer should inform an individual upon request that it holds personal data about them, whether or not they have used it and if so how it has been used. It should also inform the individual if it has been disclosed. With some exceptions.
Key Components of the CPPA
Now we know who the CCPA targets are. We know that it's under advanced consideration. Put simply, it's on its way and you will most likely be affected by it.
It's best to prepare. But what exactly are you preparing for? What are the main requirements of this new data privacy regulation? And, importantly, what's the timeline?
Taking over from PIPEDA, the CPPA aims to simplify consent, while keeping it central to Canadians' data privacy rights:
The collection, use and disclosure of personal data would always require consent;
Consent would have to be obtained explicitly, unless an organization can demonstrate that implied consent was appropriate in the context;
The validity of consent would depend on the processing of the personal data collected being explained in clear terms. For example, the purpose of the data collection must be made fully explicit;
That said, the CPPA extends the exemption from consent for certain commercial activities, for research and development or for the transfer of data to service providers.
The CPPA introduces increased transparency requirements regarding the use of algorithms and artificial intelligence systems. It would require an organization to justify to an individual why a specific prediction, recommendation or decision was made by an algorithm based on the individual's personal data.
De-identification of Personal Information
It would include clearer guidelines for data de-identification, which would require, depending on the purpose of the de-identification and the sensitivity of the personal information, the use of as yet undefined "technical and administrative measures".
Under the CPPA, an individual would have the right to request the transfer of their data from one organization to another. This right to data mobility would be very similar to the right to data portability under the GDPR. Likewise, the CPPA would introduce a right of disposal, similar to the California Consumer Privacy Act's right to be forgotten or the GDPR's right to erasure.
The CPPA stipulates that it extends to "any organization" that collects, uses or discloses personal information in the course of commercial activities. It also applies to personal information that is collected, used or disclosed interprovincially or internationally by an organization.
Penalties and enforcement of CPPA
Under the CPPA, fines for administrative violations are substantial and can exceed :
3% of an organization's worldwide annual revenues or
10 million Canadian dollars.
For more serious cases, such as failing to report a breach, higher fines are possible:
5% of an organization's worldwide annual revenues or
25 million Canadian dollars.
Private Right of Action
An individual affected by an act or omission of an organization that violates the CPPA could sue for damages with a private right of action. A two-year limitation would apply and the individual would have to be able to clearly prove that the organization violated the CPPA unless the organization was fined for violating the CPPA.
When should it be effective?
Since its introduction, little discussion has occurred and there has been no significant progress to date. However, updating privacy laws appears to be an important matter for the federal government of Canada to resolve.
It appears that the legislation may be passed before the end of 2021.
How can Didomi help?
It’s fair to say this new legislation is just around the corner.
It’s all very well understanding the CPPA requirements, but how can companies implement these in an effective and fool-proof manner at every point of data collection and data classification? How can organizations’ data be managed effectively, without affecting annual gross revenue?
CPPA compliance should not be a matter of guesswork. Nor should it be left too late. This is where Didomi steps in.
Didomi allows companies to show exemplary compliance with worldwide data regulation. From the GDPR to the CCPA, we’ve got companies covered. And we’ll be sure to do the same for the CPPA.
With bespoke Didomi consent and preference management technology, companies are able to:
Build real-time, customer-friendly interfaces to inform their users about data collected, and allowing them to personalize their consent choices and preferences;
Effectively collect, store, manage and provide proof of user consent across digital assets and physical data collection points;
Prove the robustness of their data practices to users and regulators thanks to a clear data inventory that allows for CPPA consumer requests.
97% of companies have seen benefits like competitive advantage or investor appeal from investing in privacy (Cisco 2019 Consumer Privacy Survey).
Ultimately, there’s a clear reputational, ethical (and financial) incentive for every company to value user privacy. And, there's an imminent regulatory requirement.
It’s not a question of no longer collecting data. It’s a question of collecting data in a way that ensures consumer data rights and builds trust.
Contact Didomi for any CPPA compliance queries, or for more information on our solutions. We’ll ensure you achieve compliance.