Oh – Canada May Be Getting A Privacy Law Update
On Nov. 17, 2020, the Canadian government announced its intention to create a new privacy law: the Consumer Privacy Protection Act (“CPPA”). CPPA focuses on empowering consumers to control the flow of their personal information and to better understand how for-profit companies are using the data they collect from consumers. The CPPA would replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the existing law that governs consumer data collection, processing and storage. If Canada’s CPPA is adopted, it will be yet another privacy law with which companies need to comply. Like every major data privacy law before it, CPPA has unique nuances that require in-scope companies to revisit their privacy protocols to ensure compliance.
Who will be subject to CPPA?
Organizations collecting, processing and storing data from Canadian residents, whether or not those organizations have a physical presence in Canada, will be subject to CPPA. Similar to GDPR (and dissimilar to CCPA), at present there are no bright-line thresholds (e.g. revenues, number of consumer records processed, etc.) that exclude small companies; everybody’s in.
What rights are included in CPPA?
CPPA enumerates a number of rights for Canadian consumers, including:
- The right to request data deletion and to withdraw consent for organizations to use data containing their personal information.
- Data mobility, giving consumers control over how one organization transfers their personal information to another organization.
- Transparency, including updated requirements about the information organizations must provide to consumers when seeking consent to use personal data.
What are the primary requirements of CPPA?
CPPA provides guidelines around de-identification, expressly stating that organizations need to protect de-identified information and enumerating the very limited circumstances in which its use is permitted in the absence of consumer consent. Additionally, CPPA outlines requirements for heightened transparency around the use of algorithmic and artificial intelligence systems to make decisions based on data containing personal information. Further, CPPA mandates privacy management programs, under which organizations will need to take steps to ensure compliance with the CPPA, such as employee training, updated policies, and enhanced security.
Is CPPA an “opt-in” or “opt-out” jurisdiction?
In general, CPPA would be an “opt-in”, explicit-consent jurisdiction; however, consent will not have to be obtained when it would not provide any meaningful privacy protection. Under the CPPA, an organization must provide individuals with certain information before the individual can consent to having his or her data collected. Specifically, the information that organizations must provide includes the purpose(s) of the collection, use, and disclosure; the “reasonably foreseeable consequences of the collection, use or disclosure”; the types of personal information involved; and the third parties to whom an organization can disclose the information.
What are the penalties for violations of CPPA?
As with other jurisdictions, the fines for noncompliance can be significant: violations of CPPA can cost an organization up to 5% of its annual revenue or $25 million Canadian dollars. These fines will be levied by the Office of the Privacy Commissioner of Canada. CPPA also creates the Personal Information and Data Protection Tribunal, which has the power to issue penalties and fines, as well as to adjudicate appeals. Additionally, CPPA includes a private right of action that empowers citizens to sue companies they believe are in violation of CPPA.
Key Takeaways
There’s no one-size-fits-all solution to global data privacy; implementing a static solution will lead to financial penalties that could otherwise be avoided by leveraging technologies that take the kind of dynamic approach needed to comply with global regulations as they continue to be enacted, implemented and modified.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with LGPD, GDPR, CCPA and other laws, including those in the UK, as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection without infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.