Team Members ()

Publications ()

News ()

Pages ()

Services ()

  • Our Team

    Our Team

    • Lawyers & Clerks
    • Leadership Team
    • Board of Directors
    • Human Resources
    • Marketing & Business Development
    • Paraprofessional Services
  • Our Services

    Our Services

    • Service Areas
      • Aboriginal and Indigenous Law
      • Administrative Law
      • Agribusiness
      • Banking and Financial Services
      • Bankruptcy and Insolvency
      • Business Disputes
      • Business Immigration
      • Class Actions
      • Construction Law
      • Corporate and Business
      • Corporate Finance and Securities
      • Corporate Governance and Compliance
      • Cross-Border Law
      • Education Law
      • ESG (Environmental, Social, & Governance)
      • Estates and Trusts
      • Environmental Law
      • Foreign Direct Investment
      • Franchise Law
      • Health Law
      • Insurance
      • Intellectual Property
      • Labour and Employment
      • Litigation
      • Maritime Law
      • Media & Entertainment
      • Municipal Law
      • P3 and Infrastructure
      • Pensions and Benefits
      • Privacy, Data Protection and Cyber Security
      • Public Law
      • Real Estate
      • Regulation of Professions
      • SISIP LTD Allowances Class Action
      • Tax
      • Technology
      • View All
    • Industries
      • Cannabis
      • Construction & Property Development
      • Emerging & High Growth Companies
      • Energy & Natural Resources
      • Financial Services
      • Government & Institutions
      • Insurance
      • Manufacturing, Processing & Sales
      • Mining
      • Ocean Economy
      • Private Clients
      • Technology
      • View All
    • More Services
      • MC Advisory
      • MC Legal Lab
  • Our Insights
  • Our Firm

    Our Firm

    • Our Values
    • Our History
    • Our Representative Work
    • Our Global Reach
    • Our News
    • Diversity & Inclusion
    • Collective Social Responsibility
    • Pro Bono Program
  • Our Careers

    Our Careers

    • Lawyer Opportunities
    • Business Professional Opportunities
    • Paralegal & Legal Assistant Opportunities
    • Summer Student & Articling Opportunities
    • Diversity & Inclusion
    • Collective Social Responsibility
  • 1.866.439.6246
  • Contact
  • Search
  • Stay Updated
  • Contact Us
  • LexMundi World Ready
  • Privacy Policy
  • http://linkedin.com
  • http://facebook.com
  • http://twitter.com
  • 1.866.439.6246
Home > Our Insights > 10 Ways Canada’s Consumer Privacy Protection Act (CPPA) Will Impact Privacy Practices
Publication

10 Ways Canada’s Consumer Privacy Protection Act (CPPA) Will Impact Privacy Practices

Published:

November 19, 2020

Author(s):

  • Sarah Anderson Dykema, CIPP/C
  • David Fraser

Share

Print

This publication has been updated as at June 30, 2022.

NOTE: On June 16, 2022, the Government of Canada introduced Bill C-27:  Digital Charter Implementation Act, 2022 to implement a revised versions of the Consumer Privacy Protection Act (CPPA). Learn more about the latest version of the CPPA at Canada’s New Consumer Privacy Protection Act (CPPA): 12 PIPEDA Differences.

On November 17, 2020, the federal government proposed dramatic changes to how Canada will enforce privacy law, ushering in a new legal regime to protect individuals’ personal information – and to regulate organizations’ privacy practices. Bill C-11: The Digital Charter Implementation Act  creates the Consumer Privacy Protection Act (CPPA) to replace the federal Personal Information and Electronics Documents Act (PIPEDA), and codify in law organizations’ obligations respecting the collection, use and disclosure of personal information rather than merely rely on the Canadian Standard Association (CSA) Model Code. Though the Digital Charter was an important part of the current federal government’s 2019 election platform, it was not one of the key issues in its 2021 election platform. It’s not yet clear whether or when the Bill will become law. However, Quebec’s recent adoption of Bill 64 introducing new standards for individual privacy rights inspired by the EU’s General Data Protection Regulation (GDPR) helps keep top of mind the need to update Canada’s federal privacy laws.

The current consensus seems to be that it’s necessary to revise the Digital Charter, including the CPPA, before it’s passed. But the current form of the Digital Charter still gives organizations a sense of what to expect, and the necessary compliance processes they could be looking at, if the CPPA (or some form of it) passes. Here are 10 ways the Consumer Privacy Protection Act, in its present form, will impact organizations’ Canadian privacy practices.

1. Big Penalties. There will be significant penalties for non-compliance with the CPPA. It authorizes administrative monetary penalties and fines of up to 5% of global revenue or $25 million, whichever is higher, for the most serious offences. Currently, PIPEDA only authorizes penalties for breach of the Digital Privacy Act, and those are markedly lower than those under the CPPA: the maximum fine for breaching the Digital Privacy Act is $100,000 per violation (though if there were multiple violations, which would not be uncommon, the fines could add up).

2. Privacy Commissioner Powers. In a move away from the traditional ombudsman model, the CPPA gives the federal Privacy Commissioner broad power to make orders against organizations and to recommend penalties to a new “Personal Information and Data Protection Tribunal”. Under PIPEDA, the Privacy Commissioner only has the power to make recommendations to a breaching organization.

3. New Tribunal. A new “Personal Information and Data Protection Tribunal” will determine and levy any penalties – which will have the effect of a court order – and hear appeals from orders of the Privacy Commissioner.

4. Global Application. The new law takes an expansive approach to applicability, expressly applying to all personal information an organization collects, uses or discloses, including interprovincially or internationally. This reflects the increased digitization and globalization of the global economy, which knows no border, and which the COVID-19 Pandemic has accelerated.

5. New Right of Action. It creates a new privacy breach legal claim. Where the Privacy Commissioner decides an organization violated an individual’s privacy under the CPPA, and the Personal Information and Data Protection Tribunal upholds that finding, that individual can sue the organization (within 2 years) for compensation for the violation.

6. Data Portability & Deletion. It provides for new individual rights of data portability and deletion. Consumers can require an organization to transfer their data to another organization (subject to regulations that aren’t yet available), likely to be a boon to open banking. Individuals can also require that an organization delete the personal information it’s collected about them, subject to some limitations, in what appears to be a limited form of the “right to erasure”.

7. Algorithmic Transparency. It requires algorithmic transparency. Consumers would now have the right to require an organization to explain how an automated decision-making system made a prediction, recommendation or decision.

8. Consent Exceptions. It “simplifies” consent requirements for organizations by making some (potentially broad) exceptions to when an organization must obtain an individual’s consent to the collection, use or disclosure of the individual’s personal information, such as where the use of personal information is core to the delivery of a product or service. This could impact, for example, the information an organization must communicate in a privacy policy.

9. Data De-Identification. It makes new rules around the de-identification of data – including allowing for organizations to use an individual’s personal information without their consent in order to de-identify their data, but appears to limit other uses of de-identified data. Under certain circumstances, organizations can also disclose de-identified data to public entities for socially beneficial purposes.

10. Codes of Practice. It introduces the concept of “Codes of Practice”. The CPPA allows private organizations to establish a “code” and internal certification programs for complying with the law that the Privacy Commissioner will approve. Once approved, the “code” will effectively establish the organization’s legal compliance obligations.


Please contact your McInnes Cooper lawyer or any member of the Privacy, Data Protection & Cyber Security Law Team @ McInnes Cooper to discuss how we can help you prepare for the new CPPA.


McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.

© McInnes Cooper, 2020. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at [email protected] to request our consent.

Share

Print
View Related Content

Related Lawyers

  • Sarah Anderson Dykema, CIPP/C

    Sarah Anderson Dykema, CIPP/C

    Partner

  • David Fraser

    David Fraser

    Privacy Lawyer | Partner

Related Services

  • Privacy, Data Protection and Cyber Security

Related Publications

View All Publications
  • Privacy Commissioner Calls Retailer Out On Consent Requirements

    Feb 1, 2023

    On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings requiring companies using targeted…

    Read More
    Publication
  • Hacked Companies Can’t Be Tagged With “Intrusion Upon Seclusion”

    Jan 26, 2023

    In November 2022, the Ontario Court of Appeal definitively decided an organization whose information systems are breached by a malicious third…

    Read More
    Publication
  • Webinar | Preparing for Canada’s New Consumer Privacy Protection Act (CPPA)

    Jul 20, 2022

    There’s a new privacy law coming to Canada. In June, the federal government introduced a complete overhaul of the privacy law regime that both…

    Read More
    Webinar
  • Canada’s New Consumer Privacy Protection Act (CPPA): 12 PIPEDA Differences

    Jun 30, 2022

    On June 16, 2022, the federal government took a second shot at a complete overhaul of the private sector privacy law regime that both protects…

    Read More
    Webinar
  • 6 (Liability) Reasons to Mitigate Your Privacy & Data Breach Risks

    Dec 16, 2021

    We updated this publication on December 21, 2022. The name of the game is to have a plan to mitigate the risk that a data breach will happen…

    Read More
    Publication
  • 5 Key Privacy FAQs for Startups & Growing Businesses

    Jan 26, 2021

    We udpated this publication on March 4, 2022. Privacy is critical to every business in every sector, including startups and growing…

    Read More
    Publication
  • What the Privacy Commissioner’s New PIPEDA “Meaningful Consent” Guidelines Mean for Organizations

    Mar 28, 2019

    Organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – those that collect, use or…

    Read More
    Publication
  • What did you expect? Supreme Court of Canada’s highly nuanced “expectation of privacy” analysis in R. v. Jarvis

    Feb 20, 2019

    On February 14, 2019, the Supreme Court of Canada decided yet another criminal law decision that will likely have broader ramifications for…

    Read More
    Publication
  • Privacy Interest in Personal Computer Contents: Supreme Court of Canada Confirms Ownership Isn’t 9/10 of the Law in R. v. Reeves

    Dec 19, 2018

    On December 13, 2018, the Supreme Court of Canada confirmed that a third party can’t waive a person’s right to privacy or their rights under…

    Read More
    Publication
  • Digital Privacy Act Mandatory Data Breach Response Obligations: 5 Key Focus Areas For Your Compliance Plan

    Aug 20, 2018

    Every organization subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) -  every organization that…

    Read More
    Publication
  • The Digital Privacy Act: 5 FAQs About the Mandatory Data Breach Response Obligations Effective November 1, 2018

    Aug 3, 2018

    As of November 1, 2018, organizations in Canada subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) will face…

    Read More
    Publication
  • Defining the Boundaries: Protecting Privacy & Privilege of Digital Content @ the Canadian Border

    Jun 13, 2018

    Businesspeople (and their legal counsel) are on the road more than ever before: according to Statistics Canada, while Canada-U.S. traffic is…

    Read More
    Publication
  • The Legal Reality: Canadian Appeal Court decides “Virtual Presence” is enough for production order for user information against non-Canadian company in British Columbia (Attorney General) v. Brecknell

    Jan 12, 2018

    Whether a provincial court will grant police a “production order” under the Criminal Code of Canada requiring a non-Canadian company to…

    Read More
    Publication
  • Go Global @ Home: Supreme Court of Canada Confirms Global Order to Remove Internet Content in Google Inc. v. Equustek Solutions Inc.

    Jun 28, 2017

    On June 28, 2017, the Supreme Court of Canada confirmed a Canadian court can issue an interlocutory injunction (an order requiring an entity or…

    Read More
    Publication
  • Like it or Not: Supreme Court of Canada decides class action against Facebook can go ahead in B.C. – despite its terms of use in Douez v. Facebook, Inc.

    Jun 23, 2017

    On June 23, 2017, the Supreme Court of Canada decided that in a contest between the choice of forum clause in Facebook’s online terms of use…

    Read More
    Publication
  • An Early Canada (Anti Spam Legislation) Day Gift! CASL Private Right of Action Repealed

    Jun 7, 2017

    On June 7, 2017, the federal government repealed the regulations that would have brought into effect the sections of Canada’s Anti Spam…

    Read More
    Publication
  • Daniel Watt and Sara Mahaney in Gard Update: Legal privilege in the corporate context in Canada

    Apr 6, 2017

    Adding a third jurisdiction to Gard Update’s comparison between privilege in the corporate context under U.S. and English law, McInnes Cooper…

    Read More
    Publication
  • Cyber Security: A 5-Step Data Breach Risk Mitigation Plan for Corporate Boards & Directors

    Feb 24, 2017

    This publication has been updated as at January 12, 2023. Many organization (66%) store the personal information of customers. employees,…

    Read More
    Publication
  • Confidentiality Risks of Doing Business With the Public Sector Just Got Riskier: Completed NS Access to Information Requests Go Online

    Jan 25, 2017

    Doing business with the public sector creates an often overlooked – but very real – risk that the confidential information a business…

    Read More
    Publication
  • Supreme Court of Canada Says Privilege Wins Again – Twice in Lizotte v. Aviva Insurance Company of Canada & Alberta (Information and Privacy Commissioner) v. University of Calgary

    Nov 28, 2016

    On November 25, 2016, the Supreme Court of Canada decided privilege wins again - twice. In two separate decisions - Lizotte v. Aviva Insurance…

    Read More
    Publication
  • Supreme Court of Canada Warns Judgment Creditors: Implied Consent is Enough to Disclose Discharge Statement in Royal Bank of Canada v. Trang

    Nov 22, 2016

    On November 17, 2016 the Supreme Court of Canada decided a mortgagee has the mortgagor’s implied consent to disclose its discharge statement…

    Read More
    Publication
  • Doing Business With the Public Sector: Key Confidentiality Risks & 3 Risk Management Strategies

    Mar 24, 2016

    When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these…

    Read More
    Publication
  • Doe 464533 v. D.: Business Implications of the Civil Privacy Claim for “Public Disclosure of Private Facts”

    Jan 27, 2016

    On January 21, 2016, the Ontario Superior Court of Justice dramatically expanded the scope of legal privacy protection – and the liability…

    Read More
    Publication
  • Ontario Court Provides Guidelines to Balance Privacy Rights & “Tower Dumps” in R v. Rogers Communications

    Jan 18, 2016

    On January 14, 2016, the Ontario Superior Court decided that Canadians have a clear privacy interest in their records of their cellular…

    Read More
    Publication
  • Canada’s Anti-Spam Legislation (CASL): The Top 3 Lessons Businesses Can Learn from Year 1

    Sep 29, 2015

    The anti-spam sections of Canada’s Anti-spam Legislation (CASL) took effect on July 1, 2014 amidst hype, controversy and dire warnings. Were…

    Read More
    Publication
  • A Glimpse Into The Future of Privacy Law: Medical Marijuana Privacy Breach Class Action Lawsuit Can Go Ahead in John Doe and Suzie Jones v. Her Majesty the Queen

    Jul 29, 2015

    On July 27, 2015, the Federal Court of Canada decided a lawsuit by medical marijuana program participants against the Federal Government…

    Read More
    Publication
  • The New NS Missing Persons Act: 5 Privacy Implications for Businesses, Organizations & Public Bodies

    Jun 2, 2015

    Effective April 22, 2015 the NS Government enacted the NS Missing Persons Act, lowering the threshold for police to get an order to access…

    Read More
    Publication
  • Wait a Minute Mr. Postman … 3 Lessons Health Canada’s Privacy Breach Delivers to the Private Sector

    Mar 25, 2015

    On March 3, 2015 Canada’s Privacy Commissioner determined that Health Canada breached privacy laws by mailing letters to over 40,000 Marihuana…

    Read More
    Publication
  • No Messing Around – $1.1M First Penalty for Canada’s Anti-Spam Legislation (CASL) Violations by Compu-Finder

    Mar 6, 2015

    On March 5, 2015, the Canadian Radio and Television Commission (the CRTC, the main agency charged with administering and enforcing most of CASL)…

    Read More
    Publication
  • Privacy in Basic Cell Phones: SCC Continues Trend of Privacy Protection in R. v. Fearon

    Dec 11, 2014

    On December 11, 2014 the Supreme Court of Canada continued its trend to recognize privacy rights – and develop the law to protect them –…

    Read More
    Publication
  • Canada’s Anti-Spam Legislation (CASL) Software Installation Sections: 10 FAQs

    Dec 11, 2014

    On January 15, 2015, the software provisions of Canada’s Anti-Spam Legislation (CASL) will take effect.  CASL’s anti-spam sections, touted…

    Read More
    Publication
  • Complying with Canada’s Anti-Spam Legislation (CASL): A blueprint for the construction industry

    Dec 1, 2014

    The construction industry - project owners, contractors, subcontractors and trades - might be relaxing, ignoring the hype around Canada’s…

    Read More
    Publication
  • Complying With Canada’s Anti-Spam Legislation (CASL): Protecting Directors & Officers from Personal Liability

    Oct 14, 2014

    CASL’s anti-spam sections came into force on July 1, 2014. Every organization that CASL affects should now be complying with it – and their…

    Read More
    Publication
  • Complying With Canada’s Anti-Spam Law (CASL) – Foreign Organizations Doing Business in Canada Need to Pay Attention

    Aug 1, 2014

    Most Canadians have heard about Canada’s Anti-Spam Legislation (CASL): we’ve been bombarded with “CASL Compliant” emails asking us to…

    Read More
    Publication
  • SCC Protects Internet Users’ Expectation of Privacy In Online Activities in R. v. Spencer

    Jun 16, 2014

    On June 13, 2014 the Supreme Court of Canada decided that Canadians have a reasonable expectation of privacy in their online activities, and…

    Read More
    Publication
  • Counting Down to Canada’s Anti-Spam Legislation (CASL) – The Last Minute Guide to Preparing For CASL

    Jun 12, 2014

    The countdown to CASL is almost over: there are only 13 business days until the anti-spam provisions of CASL – and most of the penalties for…

    Read More
    Publication
  • Counting Down to Canada’s Anti-Spam Legislation (CASL) –10 Steps to Prepare for CASL

    May 8, 2014

    On July 1, 2014 – less than two months from now - the anti-spam sections of Canada’s Anti-Spam Legislation (CASL) take effect. Individuals…

    Read More
    Publication
  • Counting Down to Canada’s Anti-Spam Legislation (CASL) – Does CASL Make You A “Spammer”?

    Apr 15, 2014

    The countdown to CASL is on: on July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (“CASL”) take effect. Individuals…

    Read More
    Publication
  • Cloud Computing: A Privacy FAQ

    Mar 19, 2014

    As organizations turn to cloud computing services, ensuring compliance with legislation and reducing privacy risks is key. In Canada, there is…

    Read More
    Publication
  • Counting Down to Canada’s Anti-Spam Legislation (CASL): 10 Reasons Why You Should Care About The Upcoming CASL Right Now

    Feb 28, 2014

    On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) will take effect. CASL is: Broad. It applies…

    Read More
    Publication
  • Counting Down to Canada’s Anti-Spam Legislation (CASL) – What You Need to Know Now

    Feb 28, 2014

    On July 1, 2014, the anti-spam sections of Canada’s Anti-Spam Legislation (aka “CASL”) take effect. CASL will apply to just about every…

    Read More
    Publication
  • Privacy in Computer Contents: Supreme Court of Canada Picks Up Where It Left Off in R. v. Vu

    Nov 8, 2013

    On November 7, 2013, the SCC decided police require specific authorization in a search warrant to search the data in a computer because of the…

    Read More
    Publication
  • Supreme Court of Canada Confirms Employees May Have a Limited Reasonable Expectation of Privacy In Work Computer in R. v. Cole

    Nov 28, 2012

    On October 19, 2012 the Supreme Court of Canada (SCC) decided that a teacher criminally charged with possession of child pornography and…

    Read More
    Publication
  • Legal Alert: SCC Finds Limited Reasonable Expectation of Privacy In Work Computer But Evidence Still Admissible

    Oct 22, 2012

    Mr. Cole was a high school teacher with an employer owned and issued laptop computer.  He also used it for incidental personal purposes, which…

    Read More
    Publication
  • Ontario Court of Appeal Finds Reasonable Expectation of Privacy in Work Computer

    May 6, 2011

    In March 2011, the Ontario Court of Appeal found that an employee had a limited expectation of privacy in the contents of a work computer. The…

    Read More
    Publication
  • Legal Update: Cloud Computing and Privacy FAQ

    Apr 7, 2011

    Note: Click here to read an updated version of this Legal Update in Cloud Computing: A Privacy FAQ as seen in as seen in CCCA Magazine, Spring…

    Read More
    Publication

Stay Updated

Subscribe to McInnes Cooper to stay current with our leading insights on legal updates, trends, news, events, and services.

Connect With Us:
  • Follow us on Twitter @mcinnescooper
  • Like us on Facebook @mcinnescooperlaw
  • Join us on LinkedIn @mcinnes-cooper
  • 1.866.439.6246
  • Privacy Policy
  • Copyright © 2023 — McInnes Cooper
Lex Mundi Logo MC Advisory Logo