Consumer Privacy Protection Act
- The new Consumer Privacy Protection Act gives Canadians more control and greater transparency over how companies handle their personal information. Canadians will have the freedom to move their information from one organization to another and be able to demand that their information is destroyed. The CPPA offers world-leading privacy and data protection and the strongest fines among G7 privacy laws – with fines of up to 5% of revenue or $25 million, whichever is greater, for the most serious offences.
- The CPPA provides a clear framework of rules that allow Canadian businesses to innovate while protecting Canadians’ privacy. Greater trust and certainty in the digital marketplace will empower small businesses and entrepreneurs to create new jobs, expand their operations and better access the global marketplace.
- As the COVID-19 pandemic continues to increase our reliance on the digital economy, the CPPA will help Canadians embrace this new world, knowing that their personal information is safe.
General
- Our government brought forward the Digital Charter in 2019 because we recognize that Canadians are increasingly reliant on digital technologies to connect with each other, buy goods and services, access information, and live in our communities and cities. This transformation has only accelerated as a result of the ongoing global pandemic.
- To be productive, competitive, and innovative—and to recover from the economic effects of the pandemic—we must harness the power of this data and digital economy.
- For Canadians to prosper and benefit from the digital economy, we need to ensure that Canadians can have confidence that their data is safe, and trust that their privacy is being respected.
- Our government is strengthening trust by ensuring that Canadians have world-leading privacy and data protection and that companies that break the rules face severe consequences.
What does the Digital Charter Implementation Act, 2020 mean for me?
- Meaningful consent: Modernized consent rules would ensure that individuals have the plain-language information they need to make meaningful choices about the use of their personal information.
- Data mobility: To further improve their control, individuals would have the right to direct the transfer of their personal information from one organization to another. For example, individuals could direct their bank to share their personal information with another financial institution.
- Disposal of personal information and withdrawal of consent: The accessibility of information online makes it hard for individuals to control their online identity. The legislation would allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
- Algorithmic transparency: The CPPA contains new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about how they use such systems to make significant predictions, recommendations or decisions about individuals. Individuals would also have the right to request that businesses explain how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.
- De-identified information: The practice of removing direct identifiers (such as a name) from personal information is becoming increasingly common, but the rules that govern how this information is then used are not clear. The legislation will clarify that this information must be protected and that it can be used without an individual’s consent only under certain circumstances.
Will this new legislation limit innovation?
Canada needs to keep pace with other countries that are taking aggressive action to support trust and privacy. For example, the European Union and the United States have new privacy and e-protection laws. The proposed CPPA is an important step in ensuring Canadians can trust that their data is safe and their privacy is respected, while allowing innovation that promotes a strong economy. Changes that support business innovation include:
- Simplifying consent: In the digital economy, the use of personal information is often core to the delivery of a product or service, and consumers can reasonably expect that their information will be used for this purpose. Currently, organizations are required to seek consent for such uses, making privacy policies longer and less accessible and creating burden. The legislation would remove the burden of having to obtain consent when that consent does not provide any meaningful privacy protection.
- Data for good: Greater data sharing and access between the public and private sectors can help to solve some of our most important challenges in fields such as public health, infrastructure and environmental protection. The legislation would allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes.
- Recognition of codes of practice and certification systems: To help organizations understand their obligations under the CPPA and demonstrate compliance, the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.
Strengthened enforcement and oversight
Comprehensive and accessible enforcement model: Under the CPPA, the Privacy Commissioner would have broad order-making powers, including the ability to force an organization to comply with its requirements under the CPPA and the ability to order a company to stop collecting data or using personal information. The Privacy Commissioner would also be able to recommend that the Personal Information and Data Protection Tribunal impose a fine. The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. It also contains an expanded range of offences for certain serious contraventions of the law, subject to a maximum fine of 5% of global revenue or $25 million.
What about social media?
Social media platforms are already subject to the same laws as other organizations operating in the Canadian marketplace. The CPPA would ensure that Canadians have the ability to demand that their information on these platforms be permanently deleted. When consent is withdrawn or information is no longer necessary, Canadians can demand that their information be destroyed. To reinforce this, the Privacy Commissioner will have the ability to order a social media company to comply, including ordering it to stop collecting data or using personal information.