Canada’s Consumer Privacy Protection Act (CPPA), introduced as part of Bill C-27, is the text currently under discussion in the House of Commons. The Bill is not yet in force; however, businesses should start preparing for the upcoming legislation now. The Bill aims to ensure that the privacy of Canadians is protected and that innovative businesses benefit from clear rules as technology continues to evolve.
Continue reading for everything you need to know about this upcoming legislation and how to prepare your business.
LAST UPDATED September 2022
For now, the CPPA, Canada’s new private-sector privacy law, is still a draft under discussion in the House of Commons. It must be approved by both Houses of Parliament before it can become law. If approved, the CPPA would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private-sector organizations handle personal information.
The CPPA would apply to any business that collects, uses, or discloses personal information in the course of commercial activities, as well as to personal information transferred across provincial or international borders.
The CPPA would also apply to processing that occurs within a province unless that province has enacted substantially similar legislation.
The Act also grants the Privacy Commissioner extensive powers to ensure that businesses comply with the CPPA’s rules.
In short, the draft of Canada’s CPPA (Bill C-27) includes:
💡 Your business will be subject to:
Additionally, the Privacy Commissioner of Canada will have broad authority to issue binding orders, including the power to direct a business to stop collecting or using personal information.
The CPPA proposes the establishment of the Personal Information and Data Protection Tribunal, a key element of the new enforcement regime. The Tribunal would decide whether to impose the administrative monetary penalties that the Privacy Commissioner recommends for specific contraventions of the Act, and it would hear appeals of the Commissioner’s decisions.
Under sections 7 to 11, your business remains accountable for the personal information under its control. It must appoint a designated individual, the point of contact within your company for all matters related to the Act, and maintain a privacy management program that documents how:
Please note that, at the request of the Commissioner, you must give the Commissioner access to the policies, practices, and procedures included in your privacy management program.
Under sections 58 to 61, in the event of a breach of security safeguards involving personal information under your control, your business must report the breach to the Privacy Commissioner and, unless prohibited by law, notify the affected individuals, where it is reasonable to believe the breach creates a real risk of significant harm. The CPPA does not set a fixed deadline; it only requires that the report and notification be made as soon as feasible after the business determines that the breach has occurred. Keeping records of every breach of security safeguards is also required.
Under sections 13 to 17, at or before collecting, using, or disclosing a user’s personal information, your business must obtain the user’s valid consent, which must be express unless it is reasonable to rely on implied consent. For consent to be valid, you must give users the following information in “plain language”:
If a user withdraws consent, you must inform them of the consequences of the withdrawal and, as soon as feasible, stop the collection, use, or disclosure covered by the withdrawn consent.
Your business may collect or use a user’s personal information without their knowledge or consent only where it does so for one of the following purposes:
Under sections 17, 63, and 71, Canadians keep the rights over their personal information that PIPEDA already established, and the CPPA strengthens and expands those rights. The changes include the option to:
As a business, upon receiving a user’s request, you must:
Please note: the CPPA grants users a “private right of action”, which would allow them to bring claims against your business for contraventions of the Act, provided that the Privacy Commissioner or the Tribunal has first found a contravention following an inquiry.
Users may be entitled to compensation for any loss (financial or otherwise) or harm they have suffered as a result of the contravention.
Under the CPPA, your business must:
Under section 12, you may collect, use, or disclose personal information only for purposes that a reasonable person would consider “appropriate” in the circumstances. That assessment takes into account:
Substantial sanctions can be imposed on businesses that contravene the Act. The proposed fines are more in line with those imposed under other international privacy regulations.
Administrative monetary penalties, recommended by the Commissioner and imposed by the Tribunal, can reach the higher of CA $10 million or 3% of global annual revenue. The most serious contraventions, prosecuted as offences, carry fines of up to the higher of CA $25 million or 5% of global annual revenue.
If your business is suspected of contravening the new rules, it may be subject to the Commissioner’s investigative powers and may ultimately face significant penalties from the Personal Information and Data Protection Tribunal.
The Commissioner will conduct investigations and inquiries, issue binding orders, recommend penalties to the Tribunal, and oversee compliance.
Compliance with the CPPA shouldn’t be based on assumptions. Instead, businesses should take the necessary steps now to prepare for the CPPA’s entry into force.
Companies can demonstrate strong compliance with global data protection regulations thanks to iubenda.
We already help businesses worldwide comply with the CCPA, LGPD, and GDPR. You can be assured that iubenda will add the CPPA to our extensive privacy model as soon as the Act becomes effective.
🗣 Want to stay up to date? Make sure you’re receiving our emails.
The Office of the Privacy Commissioner of Canada (OPC) surveyed businesses in 2019 to determine how well-versed they are in privacy matters, what kinds of privacy policies and practices they have in place, and how well they comply with the Personal Information Protection and Electronic Documents Act (PIPEDA).
Between January 12 and February 18, 2022, representatives from 751 businesses took part in a 15-minute phone survey. The OPC has released the full report, the 2021-22 Survey of Canadian businesses on privacy-related issues. Below is a summary of its key findings:
Every two years, the OPC surveys businesses to learn more about their awareness of privacy protection and their privacy practices. The OPC uses the results to improve its outreach to individuals and businesses on privacy-related matters.
In terms of privacy practices, the following has changed since 2019:
⬇️ Fewer businesses now train and educate their employees about privacy: 34%, down from 39% in 2019.
⬆️ 70% of businesses now report providing users with easy access to their privacy policies, up from 51% in 2019.
➡️ 74% of businesses report having taken steps to ensure compliance with Canadian privacy regulations. The likelihood of having taken such steps rose with the size of the business: 85% of large businesses and 82% of medium-sized businesses had taken action, compared to 73% of small businesses.
💡 The new CPPA will make these obligations enforceable, meaning many businesses will have to take action to improve their data protection compliance. Find out which legislation your business needs to comply with by taking this 2-minute quiz!