What is the CPPA - Canada's Consumer Privacy Protection Act?
14 Dec 2021
Following in the footsteps of other legislators, in November 2020 the Canadian House of Commons introduced the Digital Charter Implementation Act (DCIA), also known as Bill C-11. Like similar data privacy laws, the DCIA aims to regulate the collection, distribution, use and disclosure of consumer information used in commercial activities.
Under the DCIA, the CPPA is proposed in order to modernize Canada's outdated regulations and ensure robust protection of Canadian personal data.
If you process the personal data of Canadians for commercial purposes, then this law pertains to you. Therefore, it is critical to familiarize yourself with the fundamental details.
What is the CPPA?
The CPPA, or the Consumer Privacy Protection Act, is included under the Digital Charter Implementation Act. After the EU's GDPR and California's CCPA were passed recently, the CPPA likewise updates Canada's data privacy laws, bringing them in line with new international norms.
Fundamentally, this new law will enforce greater transparency of company use of personal data and enhance individual control.
Interestingly, in its current form, Bill C-11 references "individuals" and does not specify either Canadian "citizens" or "residents." Therefore, it may apply to almost everyone residing within Canadian borders.
How does the CPPA change existing legislation?
Primarily, it will establish a new private-sector data privacy law, as the former Personal Information Protection and Electronic Documents Act (PIPEDA) is in dire need of replacement. In addition, the Personal Information and Data Protection Tribunal Act (PIDPT) – another facet of the DCIA – aims to create a tribunal body with the power to levy significant fines for any individual or company found to be non-compliant with the CPPA.
Compared to PIPEDA, the CPPA does not change the scope of what is protected. Rather, it provides individuals with the ability to sue companies for violations (right of action). The CPPA also expands on consent requirements, which must be explicit and informed – mirroring the EU's GDPR. Finally, an organization must demonstrate its data collection purposes and use. It can also only transfer data outside of Canada according to stringent new criteria.
Presently, the law has not been enacted – though it is expected to pass in late 2021. Please find the current proposal here.
What are the requirements under the CPPA?
This is a major change in Canadian data privacy laws and necessitates significant alterations to current company practices.
Here are the major requirements under the CPPA:
Appropriate data processing
According to the CPPA, Section 12(2), the collection, use, and disclosure of personal data is restricted to "appropriate" circumstances, determined with regard to:
- the sensitivity of the personal information;
- whether the purposes represent legitimate business needs of the organization;
- the effectiveness of the collection, use or disclosure in meeting the organization's legitimate business needs;
- whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
- whether the individual's loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Like the GDPR, the CPPA requires that consent obtained from an individual be valid. That means it was obtained before data collection and discloses the manner in which the organization will collect, use, or disclose the personal data.
For consent to be considered valid, the following information should be provided in "plain language":
- the purposes for the collection, use or disclosure of the personal information determined by the organization and recorded under subsection 12(3) or (4);
- the way in which the personal information is to be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the specific type of personal information that is to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
There are some notable exemptions from consent, however.
- Businesses do not need to collect consent if the data is critical to providing or delivering a product, service, system, or network security.
- Personal data can also be collected for "reasonable purposes", but not to influence a data subject's behavior.
- Certain instances of data transfer to a service provider.
Individuals are now also able to rescind their consent or opt out of information sharing at any time. All a data subject must do is provide reasonable notice to the relevant organization, after which all collection and disclosure of their personal data must cease.
Right of action
Included in the CPPA is an enhancement of the Privacy Commissioner's powers. These include investigations and audits of privacy-related business activities; the Commissioner can also initiate inquiries into alleged CPPA violations.
That's where the Private Right of Action is applicable. It allows data subjects to sue an organization in the Federal Court or a superior provincial court if the Privacy Commissioner upholds the violations.
Currently, the Act does not define damages. So, individuals may claim damages for loss or injury suffered as a result of the violation.
Penalties and enforcement
Any violations of the CPPA could result in significant penalties, up to 4% of a company's total global revenue for the prior year or CA $25 million – whichever is higher. Most violations will likely only be levied at 3% of a company's total global revenue for the prior year or CA $10 million – whichever is higher.
That's a substantial increase from the fines under PIPEDA (a maximum of CA $100,000 per violation).
That's why it's critical to be compliant with the CPPA when it comes into law. It's not too early to start preparation.