Canada Introduces New Consumer Privacy Protection Legislation

On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced a proposed Digital Charter Implementation Act, 2020 through which the government intends to establish a new privacy law for the private sector, the Consumer Privacy Protection Act (CPPA).  Some of the key provisions of the proposed legislation include:

• Simplified consent:  The legislation will simplify consent requirements and remove the burden of having to obtain consent when it does not provide any meaningful privacy protection.
• Data mobility:  Individuals would have the right to direct the transfer of their personal information from one organization to another.
• Disposal of personal information and withdrawal of consent:  The legislation will allow individuals to request that organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
• Algorithmic transparency:  Businesses will have to disclose how they use automated decision-making systems to make significant predictions, recommendations or decisions about individuals. Individuals, in turn, will have the right to request that businesses explain how a prediction, recommendation or decision concerning them was made by an automated decision-making system.
• De-identified information: The legislation will provide that de-identified information must be protected and that it can be used without an individual’s consent only under certain circumstances.
• Recognition of codes of practice and certification systems: The legislation will allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the law applies in certain activities, sectors or business models.
• Broad Powers of Privacy Commissioner:  The Privacy Commissioner would have broad powers, including the ability to order an organization to comply with the regulatory requirements under the CPPA and to stop collecting data or using personal information. The Privacy Commissioner would also be able to recommend imposition of fines by the Personal Information and Data Protection Tribunal.
• Administrative Penalties: The legislation will provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. For certain serious violations, penalties may increase up to 5% of global revenue or $25 million.

Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653