Following other legislators' footsteps, in November 2020, the Canadian House of Commons introduced the Digital Charter Implementation Act (DCIA), also known as Bill C-11. Like similar data privacy laws, the DCIA aims to regulate the collection, distribution, use and disclosure of consumer information used in commercial activities.
Under the DCIA, the CPPA is proposed to be updated to modernize Canada's outdated regulations and ensure robust protection over Canadian personal data.
If you process the personal data of Canadians for commercial purposes, then this law pertains to you. Therefore, it is critical to familiarize yourself with the fundamental details.
The CPPA or the Consumer Privacy Protection Act is included under the Digital Charter Implementation Act. After the EU's GDPR and California's CPPA were passed recently, the CPPA likewise updates Canada's data privacy laws, bringing them in line with new international norms.
Fundamentally, this new law will enforce greater transparency of company use of personal data and enhance individual control.
Interestingly, in its current form, Bill C-11 references "individuals" and does not specify either Canadian "citizens" or "residents." Therefore, it may apply to almost everyone residing within Canadian borders.
Primarily, it will establish a new private-sector data privacy law, as the former Personal Information Protection and Electronic Documents Act (PIPEDA) is in dire need of replacement. In addition, the Personal Information and Data Protection Tribunal Act (PIDPT) – another facet of the DCIA – aims to create a tribunal body with the power to levy significant fines for any individual or company found to be non-compliant with the CPPA.
Compared to PIPEDA, the CPPA does not change the scope of what is protected. Rather, it provides individuals with the ability to sue companies for violations (right of action). The CPPA also expands on consent requirements, which must be explicit and informed – mirror the EU's GDPR. Finally, an organization must demonstrate their data collection purposes and use. It can also only transfer data outside of Canada as per stringent new criteria.
Presently, the law has not been enacted – though it is expected to pass in late 2021. Please find the current proposal here.
This is a major change in Canadian data privacy laws and necessitates significant alterations to current company practices.
Here are the major requirements under the CPPA:
Appropriate data processing
According to the CPPA, Section 12(2), the collection, use, and disclosure of personal data is restricted to "appropriate" circumstancing, relating to:
Like the GDPR, under the CPPA, consent obtained from an individual must be valid. That means it was obtained before data collection and discloses the manner in which the organization will collect, use, or disclose the personal data.
For consent to be considered valid, the following information should be provided in "plain language":
There are some notable exemptions from consent, however.
Individuals are now also able to rescind their consent or opt-out of information sharing at any time. All a data subject must do is provide reasonable notice to the relevant organization, after which all collection and disclosure of personal data must cease.
Right of action
Included in the CPPA is an enhancement of the Privacy Commissioner's powers. This includes investigations and audits of privacy-related business activities. Plus, they can also initiate inquiries into alleged CPPA violations.
That's where the Private Right of Action is applicable. It allows data subjects to sue an organization in the Federal Court or a superior provincial court if the Privacy Commissioner upholds the violations.
Currently, the Act does not define damages. So, individuals may claim damages for loss or injury suffered as a result of the violation.
Penalties and enforcement
Any violations of the CPPA could result in significant penalties, up to 4% of a company's total global revenue for the prior year or CA $25 million – whichever is highest. Most violations will likely only be levied at 3% of a company's total global revenue for the prior year or CA $10 million – whichever is highest.
That's a substantial increase from the fines under PIPEDA (a maximum of CA $100,000 per violation).
That's why it's critical to be compliant with the CPPA when it comes into law. It's not too early to start preparation.