
Privacy practice tune-up – getting ready for the Consumer Privacy Protection Act

Rob Aske

As we wrote about earlier, Canada’s federal government has proposed a replacement for our national privacy law for commercial transactions, known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

The new bill is the Digital Charter Implementation Act, and this bill in turn would create a new Consumer Privacy Protection Act (“CPPA”) which would replace the privacy portion of PIPEDA.

The CPPA will likely not come into force for a year or more, while consultations and the drafting of regulations proceed.

However, the proposed CPPA does restate and expand on the existing privacy law requirements of PIPEDA, and if your business needs a privacy tune-up then CPPA can provide a useful guide, with better detail than PIPEDA offers now.

Privacy management program

For example, CPPA requires all organizations (including businesses) to implement a “privacy management program” including policies, practices and procedures for protection of personal information, complaints handling, training of personnel and for explaining these practices to the public. This program must take into account the “volume and sensitivity of the personal information” under the organization’s control.

CPPA also obliges an organization to provide the federal Privacy Commissioner with access to all policies, practices and procedures of its privacy management program, merely upon request, which of course could give the Commissioner a good look into any program gaps. If the Commissioner has reasonable grounds to believe that a breach of privacy obligations has occurred, then the Commissioner may choose to “audit” these practices.

Further detail on consent

CPPA also describes the required consent for use of personal information in greater detail, and states that consent is only valid if, at or before the time that the organization seeks the individual’s consent, it provides the following information in “plain language”:

(a) the purposes for the collection, use or disclosure;

(b) the way in which the personal information is to be collected, used or disclosed;

(c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;

(d) the specific type of personal information that is to be collected, used or disclosed; and

(e) the names of any third parties or types of third parties to which the organization may disclose the personal information.

Consent must be obtained at or before collection, and must be express unless it is appropriate to rely on implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information.

Plain language privacy policies

CPPA also gives clearer guidance on privacy policies to be made available to customers and others providing personal information, which must again be in “plain language” and include at least the following:

(a) a description of the type of personal information under the organization’s control;

(b) a general account of how the organization makes use of personal information, including how the organization applies any permitted exceptions;

(c) a general account of the organization’s use of any automated decision system (e.g. AI systems) to make predictions, recommendations or decisions about individuals that could have significant impacts on them;

(d) whether or not the organization carries out any international or interprovincial transfer or disclosure of personal information that may have reasonably foreseeable privacy implications;

(e) how an individual may make a request for disposal or access; and

(f) the business contact information for your privacy officer.

While the policy requirements above about automated decision systems and international and interprovincial transfers are part of many policies now, they are new as express requirements of the law.

Therefore, all businesses that may be considering a tune-up of their privacy practices and policies should review the standards as outlined in the proposed CPPA, including those above.


This article is provided for general information only. If you have any questions about the above, please contact a member of our Privacy group.
