Canada’s Consumer Privacy Protection Act: Impact for businesses

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, or the Digital Charter Implementation Act, 2020. The proposal would modernize, and in certain respects toughen, Canadian private-sector privacy law by enhancing transparency and control over personal information held by businesses, and by imposing new, potentially onerous sanctions for non-compliance. We have prepared a detailed analysis that focuses on the key differences between the federal government’s current privacy framework, the Personal Information Protection and Electronic Documents Act, and its replacement, the Consumer Privacy Protection Act.

What you need to know

Our article provides an overview of the key aspects of the CPPA and their impact on Canadian businesses and explains how this new privacy regime would introduce the following changes:

  • New enforcement tools:
    • The newly constituted Personal Information and Data Protection Tribunal would have powers to impose, upon recommendation by the Office of the Privacy Commissioner of Canada (Commissioner), administrative monetary penalties of C$10,000,000 or, if greater, the amount corresponding to 3 per cent of the organization’s global gross revenues in its previous fiscal year.
    • Reinforced fines in the case of penal proceedings of a maximum of C$25,000,000, or, if greater, the amount corresponding to 5 per cent of the organization’s global gross revenues in its previous fiscal year.
    • New private right of action for individuals.
    • New provisions to enable the creation of “codes of practice” and “certification programs”.
  • New individual rights inspired by European law: right to be informed of automated decision-making, right to disposal and right to mobility.
  • Reinforced accountability rules:
    • New definition of the notion of “control”.
    • New obligation to establish, implement and make available a privacy management program.
    • Clarity concerning the role and responsibilities of service providers.
  • Reinforced consent requirements, including greater clarity concerning the notion of valid consent.
  • Some less stringent rules: new consent exceptions for de-identified information, socially beneficial purposes and legitimate business practices.

Read our detailed analysis of the new Bill C-11 (also available in French and as a PDF).

This content was updated on December 1, 2020 at 13:59.