Privacy practice tune-up – getting ready for the Consumer Privacy Protection Act
As we wrote about earlier, Canada’s federal government has proposed a replacement to our national privacy law for commercial transactions known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
The new bill is the Digital Charter Implementation Act, and this bill in turn would create a new Consumer Privacy Protection Act (“CPPA”) which would replace the privacy portion of PIPEDA.
The CPPA will likely not come into force for a year or more, while consultations and the drafting of regulations proceed.
However, the proposed CPPA does restate and expand on the existing privacy law requirements of PIPEDA, and if your business needs a privacy tune-up then CPPA can provide a useful guide, with better detail than PIPEDA offers now.
Privacy management program
For example, CPPA requires all organizations (including businesses) to implement a “privacy management program” including policies, practices and procedures for protection of personal information, complaints handling, training of personnel and for explaining these practices to the public. This program must take into account the “volume and sensitivity of the personal information” under the organization’s control.
CPPA also obliges an organization to provide the federal Privacy Commissioner with access to all policies, practices and procedures of its privacy management program, merely upon request, which of course could give the Commissioner a good look into any program gaps. If the Commissioner has reasonable grounds to believe that a breach of privacy obligations has occurred, then the Commissioner may choose to “audit” these practices.
Further detail on consent
The required consent for use of personal information is also described in CPPA in greater detail, and states that consent is only valid if at or before the time that the organization seeks the individual’s consent, it provides the following information in “plain language”:
(a) the purposes for the collection, use or disclosure;
(b) the way in which the personal information is to be collected, used or disclosed;
(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
(d) the specific type of personal information that is to be collected, used or disclosed; and
(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.
Consent must be obtained at or before collection, and must be express unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information.
Plain language privacy policies
CPPA also gives clearer guidance on privacy policies to be made available to customers and others providing personal information, which must again be in “plain language” and include at least the following:
(a) a description of the type of personal information under the organization’s control;
(b) a general account of how the organization makes use of personal information, including how the organization applies any permitted exceptions;
(c) a general account of the organization’s use of any automated decision system (e.g. AI systems) to make predictions, recommendations or decisions about individuals that could have significant impacts on them;
(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;
(e) how an individual may make a request for disposal or access; and
(f) the business contact information for your privacy officer.
While the policy requirements above about automated decision systems and international and interprovincial transfers are part of many policies now, they are new as express requirements of the law.
Therefore, all businesses that may be considering a tune-up of their privacy practices and policies should review the standards as outlined in the proposed CPPA, including those above.
This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.
Click here to subscribe to Stewart McKelvey Thought Leadership articles and updates.
By Kimberly Bungay On April 1, 2023, the Nova Scotia government will proclaim into force Bill 226, which amends the Companies Act (the “Act”) to require companies formed under the Act to create and maintain…Read More
Abuse of sick leave / failure of employee to participate in accommodation process: Vail v. Oromocto (Town), 2022 CanLII 129486
By Chad Sullivan and Kathleen Starke Background A recent decision, Vail v. Oromocto (Town), 2022 CanLII 129486, involved several grievances including an unjust dismissal claim by a firefighter as well as a grievance filed by…Read More
By Stuart Wallace and Kim Walsh On January 1, 2022, the Underused Housing Tax Act (the Act) took effect. The Underused Housing Tax (the UHT) is an annual 1% tax on the value of vacant or…Read More
Parlez-Vous Francais? Recent amendments to Quebec’s Charter of the French Language may impact Atlantic Canadian businesses
By: David F. Slipp and Levi Parsche In May 2022, Bill 96 was adopted by Quebec’s National Assembly, significantly amending the Charter of the French Language (the “Charter“). The amendments create new requirements for using…Read More
The Winds of Change (Part 7): Paying the Piper: New Newfoundland and Labrador Fiscal Framework expects billions in revenues from wind to hydrogen projects
By Dave Randell, G. John Samms, and Stuart Wallace With the deadline for bids on crown lands available for wind energy projects extended to noon on March 23rd, the latest development in our Winds of…Read More
By Kevin Landry and Colton Smith The Retail Payment Activities Regulations have been released in the Canada Gazette Part 1 for comment. Interested persons may make representations concerning the proposed regulations for a period of 45…Read More
By Andrew Burke, Colleen Keyes, Gavin Stuttard and David Slipp With proxy season once again approaching, many public companies are in the midst of preparing their annual disclosure documents and shareholder materials for their annual…Read More
By Brittany Trafford and Sean Corscadden In response to the nationwide labour shortage, the Federal government is allowing select family members of foreign workers to apply for open work permits. This temporary policy came into…Read More
Mark Tector and Ben Currie Effective January 1, 2023, amendments to Ontario’s Employment Standards Act, 2000 (“ESA”) took effect, excluding “business consultants” and “information technology consultants” from the application of the ESA. This is a…Read More
By Perlene Morrison, K.C. and Curtis Doyle Once again, the time has come to review the year that was and to chart the course for the year ahead. For municipalities and planning professionals in Prince…Read More