The Consumer Privacy Protection Act (CPPA) in Canada – Is Your Business Ready?
With cyberattacks on the rise, there is a growing need to modernize Canadian privacy legislation to protect individuals and businesses. As a response, the federal government and several provinces have instituted legislation, outlined in Canada’s Digital Charter. We’ll detail these new changes in this blog and, more importantly, what they could mean for you.
Federal Privacy Changes
In November 2020, the government established Bill C-11. This bill attempted to:
- Enact the Consumer Privacy Protection Act (CPPA).
- Enact The Personal Information and Data Protection Tribunal Act.
- Make consequential and related amendments to other Acts.
The result? Intended to be passed in 2021, the legislation ‘died on the order paper’ with a dissolved parliament.
Privacy Changes in Quebec
In June 2020, Quebec introduced Bill 64, “An Act To Modernize Legislative Provisions Regarding The Protection Of Personal Information.” They adopted the bill in September 2021. The bill will come into effect next year in three phases.
Privacy Changes in Ontario
In June 2021, Ontario released a whitepaper: Modernizing Privacy in Ontario – Empowering Ontarians and Enabling the Digital Economy. The whitepaper outlines several proposals, which address gaps in Bill C-11. The paper also considers the implications of Ontario passing its own provincial privacy legislation to cover private sector businesses.
What Does This Mean?
While the CPPA initially did not pass, expect the federal government to reintroduce it and continue modernizing our federal privacy legislation. Although Quebec’s legislation, and Ontario’s initial proposals, contain several more stringent requirements than the current proposed federal bill, changes are likely coming to CPPA before the process is complete.
New Implications for Consumers And What They Mean For Your Organization
Overall, the new laws give more control to consumers over their personal information. These include:
Data Portability/Mobility: Organizations must have processes to transfer consumers’ personal information from their organization to another.
Right To Erasure: Companies will need to have processes that allow consumers to have their personal information erased or removed when requested, with some limitations.
Details And Disputes Around Automated Decision Making
Suppose an organization has automated systems or algorithms that make predictions, recommendations, or decisions about individuals that could significantly affect them. In that case, consumers may request details such as what information the system gathers and how it interprets this data.
In Quebec, the government may add this to the CPPA and allow consumers to dispute these decisions. The takeaway here is that organizations must ensure that these systems can provide the appropriate level of detail and have a mechanism for handling disputes.
Clarity Around Consent Requirement
Although the government already required consent in existing legislation, the CPPA clarifies the level of detail that organizations must provide to individuals before they can consent to have their info collected.
These details include the purpose of the information gathering, how the organization will use the data, possible sharing or disclosures, potential consequences of violation, and any third parties involved. The CPPA also clarified cases without explicit consent, such as where doing so would not provide meaningful protection or claims where information has been transferred to a service provider.
Requirement for Privacy Management Program
Organizations will need to implement a program that includes policies, procedures, and practices. These must cover how they protect personal information, deal with requests, train staff, and disseminate public materials to explain policies.
The CPPA explains that programs must consider the volume and sensitivity of personal information. Therefore, organizations should show the appropriateness of their privacy program through a Privacy Impact Assessment (PIA).
With the Quebec legislation, PIAs will need to be performed for all systems that process personal information and before communicating personal data outside of Quebec.
The new legislation also dramatically expands the previously limited enforcement powers of Privacy Commissioners. Now, they can recommend an administrative penalty on organizations for breaching CPPA. This fine has a maximum of $10,000,000 or 3% of the global revenue of the last financial year, whichever is higher. A fine not exceeding the higher of $25,000,000 or 5% of global revenue is possible for severe violations.
Also, the new legislation would establish a Personal Information and Data Privacy Tribunal to enforce these penalties.
Although it may be a while before the CPPA becomes law, organizations should prepare by reviewing current privacy-related measures. They should ensure compliance with all current legal requirements, implementing plans for improvement where needed, and begin planning for these upcoming requirements.