You probably know that Canada’s new Consumer Privacy Protection Act (CPPA) is in the process of being passed under Bill C-27. It aims to replace the current, 24-year-old PIPEDA legislation (Personal Information Protection and Electronic Documents Act). If you’re wondering what’s new and how the changes will affect you, we’ll tell you here.
Background:
The CPPA is Canada’s attempt at next-generation privacy legislation. It is designed to replace PIPEDA.
In addition to the Canada Privacy Act, Bill C-27 includes two other pieces of legislation:
- Personal Information and Data Protection Tribunal Act (PIDPTA)
The Tribunal Act (PIDPTA) provides an administrative tribunal for appealing decisions made by the Privacy Commissioner of Canada under the Canada Privacy Act (that sounds fun, eh!).
- Artificial Intelligence and Data Act (AIDA)
The AI Act (AIDA) attempts to regulate how artificial intelligence systems may be used (wish them luck on this front!).
Our focus here is on the Canada Privacy Act. It’s most impactful to Cleanlist’s clients who collect and store personal information on Canadians.
How will Canada’s Privacy Act affect my organization?
1. You will need a privacy management program.
Every organization will be required to have a “privacy management program” that sets out specific policies and procedures to comply with the rules.
In addition to policies and procedures, the plan must define what personal information is collected, and for what purpose. Only specific purposes are allowed, and those purposes will be set out in the rules.
2. Be prepared to answer tough consumer questions.
A big focus of the new Act is to empower consumers to understand and control their personal information. You’ll need to be prepared to answer consumer questions about what you collect, what you use it for, and how long you keep it.
3. You’ll need to ensure you have proper consumer consent.
The new Privacy Act has a heightened focus on obtaining, recording, and having proof of consent (when consent is required). It’s not yet clear how consent requirements will be different from what’s required today.
4. Consumers can request that their data be deleted.
Your organization must honor consumer requests to have their personal information deleted (or anonymized). In case of an audit, you must be able to prove that deletion requests are tracked and executed in a timely manner.
5. Consumers can request “data transfers”.
Your customers can request their data be transferred to a competitor, before you delete it. (This won’t be easy to do, but then “easy” wasn’t part of the mandate.)
6. If you collect data on children, the rules are greatly expanded.
The new Act will include especially rigorous consent, use, and disclosure rules around data collected on minors (anyone under 18), as it will be considered ‘sensitive’ personal information. If this applies to you, you will need plenty of expert advice to comply.
7. Huge penalties for violations.
The Canadian government wants organizations to take their new rules seriously and they’re doing that by imposing fines that are among the most spectacular across G7 countries.
The proposed fines are up to 5% of revenue or $25 million (whichever is greater), plus administrative monetary penalties of up to 3% of revenue or $10 million (whichever is greater). This will get plenty of attention in the boardroom!
When is Canada’s Privacy Act effective?
These new rules are still just proposals (not laws). No one knows when Bill C-27 will pass into law. We hear from several experts who are close to what’s happening, and most think it will happen — sometime. Bill C-27 is being actively debated in the Canadian House of Commons, and there’s a lot invested in the process. What we do know is that the wheels of the government move very slowly, so we likely have many months before this passes and then many more months before it becomes real.
Key Take-Aways:
1. Canada already has very strict privacy laws, especially compared to the United States. And they’re only going to get tougher.
2. Bill C-27 has been in the works for almost 3 years and still has a long way to go before becoming law.
3. Implementing Canada’s new privacy act will be a huge project for many organizations. It will require an extensive review of how your organization collects, stores, and uses personal information on consumers. Expect to require expert advice and a lot of system and process modifications, many of which will require extensive I.T. resources.
4. Expect the Canadian government to enforce these new laws with lots of audit resources and the threat of very large fines (in the millions of dollars!).
What Are the Next Steps?
Proactive organizations should focus on examining and documenting their current processes around collecting, storing, and using personal information on Canadian consumers in anticipation of the new Privacy Act becoming law. Cleanlist will keep you informed through these articles as more information becomes available.
To learn more about Canada’s Privacy Act see this detailed article at Canada.ca.