Skip to content

Privacy practice tune-up – getting ready for the Consumer Privacy Protection Act

Rob Aske

As we wrote about earlier, Canada’s federal government has proposed a replacement to our national privacy law for commercial transactions known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The new bill is the Digital Charter Implementation Act, and this bill in turn would create a new Consumer Privacy Protection Act (“CPPA”) which would replace the privacy portion of PIPEDA.

The CPPA will likely not come into force for a year or more, while consultations and the drafting of regulations proceed.

However, the proposed CPPA does restate and expand on the existing privacy law requirements of PIPEDA, and if your business needs a privacy tune-up then CPPA can provide a useful guide, with better detail than PIPEDA offers now.

Privacy management program

For example, CPPA requires all organizations (including businesses) to implement a “privacy management program” including policies, practices and procedures for protection of personal information, complaints handling, training of personnel and for explaining these practices to the public. This program must take into account the “volume and sensitivity of the personal information” under the organization’s control.

CPPA also obliges an organization to provide the federal Privacy Commissioner with access to all policies, practices and procedures of its privacy management program, merely upon request, which of course could give the Commissioner a good look into any program gaps. If the Commissioner has reasonable grounds to believe that a breach of privacy obligations has occurred, then the Commissioner may choose to “audit” these practices.

Further detail on consent

The required consent for use of personal information is also described in CPPA in greater detail, and states that consent is only valid if at or before the time that the organization seeks the individual’s consent, it provides the following information in “plain language”:

(a) the purposes for the collection, use or disclosure;

(b) the way in which the personal information is to be collected, used or disclosed;

(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

(d) the specific type of personal information that is to be collected, used or disclosed; and

(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.

Consent must be obtained at or before collection, and must be express unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information.

Plain language privacy policies

CPPA also gives clearer guidance on privacy policies to be made available to customers and others providing personal information, which must again be in “plain language” and include at least the following:

(a) a description of the type of personal information under the organization’s control;

(b) a general account of how the organization makes use of personal information, including how the organization applies any permitted exceptions;

(c) a general account of the organization’s use of any automated decision system (e.g. AI systems) to make predictions, recommendations or decisions about individuals that could have significant impacts on them;

(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;

(e) how an individual may make a request for disposal or access; and

(f) the business contact information for your privacy officer.

While the policy requirements above about automated decision systems and international and interprovincial transfers are part of many policies now, they are new as express requirements of the law.

Therefore, all businesses that may be considering a tune-up of their privacy practices and policies should review the standards as outlined in the proposed CPPA, including those above.


This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.

Click here to subscribe to Stewart McKelvey Thought Leadership articles and updates.

SHARE

Archive

Search Archive


Search
Generic filters

 
 

Changes to job classifications and immigration impacts

November 23, 2022

By Brittany Trafford and Michiko Gartshore On November 16th, 2022 the Federal Government switched to the 2021 National Occupational Classification (NOC) structure from the prior 2016 version. The NOC is Canada’s national system used to…

Read More

Nova Scotia: Canada’s emerging immigration hub

November 17, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

Bill C-27 – Canada’s proposed Artificial Intelligence and Data Act

November 16, 2022

Kevin Landry, Charlotte Henderson, and James Pinchak The governance of Artificial Intelligence (AI) is entering a new era since the Canadian Government first announced a digital charter in 2019 as part of a larger-scale overhaul…

Read More

Discovery: Atlantic Education & the Law – Issue 11

November 14, 2022

We are pleased to present the eleventh issue of Discovery, our very own legal publication targeted to educational institutions in Atlantic Canada. With a new academic year well underway, the Atlantic Region is finally seeing…

Read More

The Winds of Change (Part 5): Atlantic Canada poised to benefit from clean energy tax credits

November 10, 2022

By Jim Cruikshank, Graham Haynes, and Dave Randell On November 3, 2022, the Honourable Chrystia Freeland delivered the Federal Government’s Fall Economic Statement (“FES”).  The FES included a number of tax related announcements, including further…

Read More

“Constructive Taking”: Consequences for municipalities from the Supreme Court of Canada decision in Annapolis Group Inc. v. Halifax Regional Municipality

November 10, 2022

By Stephen Penney, Joe Thorne, and Giles Ayers A new decision from the Supreme Court of Canada, Annapolis Group Inc. v. Halifax Regional Municipality, 2022 SCC 36 (“Annapolis”), has changed the law of constructive expropriation across the…

Read More

Attract & Retain: Nova Scotia taps foreign healthcare workers to fill labour shortages

November 10, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

The rise of remote work and Canadian immigration considerations

November 3, 2022

As part our presenting sponsorship of the Halifax Chamber of Commerce’s Annual Fall Dinner, we are pleased to present a series of thought leadership articles highlighting the dinner’s themes of immigration, recruitment, and labour market…

Read More

The future of express entry: Targeted draws to meet Canada’s economic needs

November 2, 2022

By Sara Espinal Henao Since its initial launch in January 2015, Express Entry has been a pillar of Canada’s immigration system. Recently passed amendments to the Immigration and Refugee Protection Act (IRPA) promise to drive…

Read More

Filling labour gaps with foreign workers: What Canadian employers need to know

October 28, 2022

By Brittany Trafford It is no secret that employers in Atlantic Canada are struggling to fill labour gaps. In June 2019 the Atlantic Canada Opportunities Agency (ACOA) published a report[1] indicating that the overall labour…

Read More

Search Archive


Search
Generic filters

Scroll To Top