BLOG | Regulatory Updates | December 04, 2020

CPPA: Canada Proposes New Data Privacy Legislation

The Canadian government recently proposed new legislation to the House of Commons, bill C-11 for the Digital Charter...

Ashlea Cartee

Product Manager

The Canadian government recently proposed new legislation to the House of Commons, bill C-11 for the Digital Charter Implementation Act, 2020 (‘DCIA’) which would enact the Consumer Privacy Protection Act (‘CPPA’) and the Personal Information and Data Protection Tribunal Act (‘PIDPTA’).

The CPPA aims to protect individuals’ personal information and regulate how organizations collect, use, and disclose personal information across their activities. Check out this video by OneTrust DataGuidance to learn more about the bill.

CPPA Requirements

As mentioned above, the CPPA aims to protect personal data while also governing how organizations collect and that data. This factsheet details key aspects of the bill, and outlines the impact that the Digital Charter Implementation Act, 2020 could have:

Consent: Organizations would need to get meaningful consent, ensuring that plain language is used, so that users can make an informed choice about the use of their personal information.
Data Mobility: The CPPA would improve the control that individuals have over the right to transfer their data from one organization to another, e.g., transferring information from their bank to another financial institution.
Deletion: Individuals would have the right to request their personal information be deleted should they withdraw their consent.
Transparency: Organizations would have to be transparent about any automated decision-making algorithms they use. Individuals would have the right to request an explanation of how a decision was made using an automated system and how the information was obtained.
De-identified information: This would require organizations to remove direct identifiers, such as names, from the personal information they hold. The legislation will also clarify the circumstances in which this information can be used without an individual’s consent.

Modernization of Consent Rules

One of the key aspects brought about by the CPPA is the modernization of consent rules. The CPPA expands PIPEDA’s definition of valid consent, and outlines that the obtaining of valid consent from individuals by organisations requires certain conditions to be met for that consent to be deemed valid. For example, while PIPEDA required consent for the collection and subsequent disclosure of personal information, its Schedule 1 principles also outlined circumstances where consent could be sought after collection but before use.

However, the CPPA modifies this and now explicitly requires consent to be obtained at or before the time of collection of the personal information or alternatively, if the information is to be used or disclosed for a purpose other than a purpose initially determined and recorded, before any use or disclosure of the information for that other purpose. Moreover, the CPPA outlines that consent must be expressly obtained, unless an organisation established that it is appropriate for implied consent to be relied upon, taking into account the individual’s reasonable expectations and the sensitivity of the personal information to be collected, used, or disclosed.

Furthermore, the CPPA provides that for consent to be deemed valid, plain language information must be provided on certain matters, such as the purpose of processing, or reasonably foreseeable consequences of processing, among others. Additionally, the CPPA expands on PIPEDA’s exceptions to consent requirements, and delineates various exceptions under main categories concerning business operations, public interest, carrying out of investigations, legal obligations, or where information is publicly available, among others.

Download this report to learn more about CPPA requirements.

What Penalties Would the CPPA Introduce?

The introduction of the CPPA would allow the OPC to make recommendations to the Personal Information and Data Protection Tribunal on the imposition of penalties. The CPPA would include a provision for fines of 5% of global revenue or CAD 25 million for the most severe circumstances.

Further CPPA reading: