What is the CPPA – Canada’s Consumer Privacy Protection Act?

This is a major change in Canadian data privacy laws and necessitates significant alterations to current company practices.

Here are the major requirements under the CPPA:

Appropriate data processing

According to the CPPA, Section 12(2), the collection, use, and disclosure of personal data is restricted to “appropriate” circumstancing, relating to:

• the sensitivity of the personal information;
• whether the purposes represent legitimate business needs of the organization;
• the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
• whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
• whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.

Meaningful consent

Like the GDPR, under the CPPA, consent obtained from an individual must be valid. That means it was obtained before data collection and discloses the manner in which the organization will collect, use, or disclose the personal data.

For consent to be considered valid, the following information should be provided in “plain language”:

• the purposes for the collection, use or disclosure of the personal information determined by the organization and recorded under subsection 12(3) or (4);
• the way in which the personal information is to be collected, used or disclosed;
• any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
• the specific type of personal information that is to be collected, used or disclosed; and
• the names of any third parties or types of third parties to which the organization may disclose the personal information.

There are some notable exemptions from consent, however.

1. Businesses need to collect consent if the data is critical to providing or delivering a product, service, system, or network security.
2. Personal data can also be collected for “reasonable purposes”, but not to influence a data subject’s behavior.
3. Certain instances of data transfer to a service provider.

Individuals are now also able to rescind their consent or opt-out of information sharing at any time. All a data subject must do is provide reasonable notice to the relevant organization, after which all collection and disclosure of personal data must cease.

Right of action

Included in the CPPA is an enhancement of the Privacy Commissioner’s powers. This includes investigations and audits of privacy-related business activities. Plus, they can also initiate inquiries into alleged CPPA violations.

That’s where the Private Right of Action is applicable. It allows data subjects to sue an organization in the Federal Court or a superior provincial court if the Privacy Commissioner upholds the violations.

Currently, the Act does not define damages. So, individuals may claim damages for loss or injury suffered as a result of the violation.

Penalties and enforcement

Any violations of the CPPA could result in significant penalties, up to 4% of a company’s total global revenue for the prior year or CA $25 million – whichever is highest. Most violations will likely only be levied at 3% of a company’s total global revenue for the prior year or CA $10 million – whichever is highest.

That’s a substantial increase from the fines under PIPEDA (a maximum of CA $100,000 per violation).

That’s why it’s critical to be compliant with the CPPA when it comes into law. It’s not too early to start preparation.

Sources:

https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading#ID0E0XB0BA
https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading#ID0ECCCA
https://www.transatlantic-lawyer.com/canadas-consumer-privacy-protection-act-what-the-changes-mean-for-you/