Of the three new privacy laws proposed under Bill C-27, the Consumer Privacy Protection Act ("CPPA") is expected to have the greatest impact on organizations that collect and process personal information. But what will that impact actually look like?

This is the first installment of a new series of articles exploring the CPPA through a practical lens. In the articles to come, we will highlight the Act's potential effects, outline what organizations can do now to prepare, and discuss points of controversy that may result in changes to the Act as Bill C-27 makes its way through Parliament.

Background

If passed, Bill C-27, the Digital Charter Implementation Act, has the potential to significantly modernize Canadian privacy law. It will accomplish this by repealing parts of the Personal Information Protection and Electronic Documents Act ("PIPEDA") and replacing them with a privacy and data legal framework rooted in three new acts:

The CPPA is intended to replace PIPEDA's "Protection of Personal Information in the Private Sector" section, while the PIDPTA would establish an administrative tribunal for appeals of certain Privacy Commissioner of Canada decisions made under the CPPA. The CPPA would also impose penalties on organizations that contravene the CPPA.

Notably, the AIDA contains a new regime regulating the use and trade in artificial intelligence systems. Read our article from October 2022 for a deeper look into what this entails.

Key elements of the Consumer Privacy Protection Act

The CPPA proposes a number of important updates to the Canadian consumer privacy protection landscape. We will explore each of these areas in greater detail in an upcoming article:

  1. Privacy management programs

    The CPPA would require every organization to implement and maintain a privacy management program. Such programs must detail the policies, practices and procedures the organization uses to satisfy its privacy-related compliance obligations.

    Organizations that adopt a strategic approach to their privacy management programs will be better equipped to anticipate risk and mitigate potential liability.
  2. Implementing "purpose" requirements

    Like PIPEDA, the CPPA would require that organizations collect, use, or disclose personal information only for appropriate purposes. Unlike PIPEDA, however, it would prescribe an array of criteria used to determine whether a purpose is appropriate.

    It will be necessary for organizations to carefully consider these criteria as they determine what is "appropriate" in their unique context.
  3. Consent requirements and exceptions

    The CPPA builds on PIPEDA by imposing various new consent requirements. It would also include exceptions to the consent requirements for specific business activities.

    Organizations must continually consider the requirements for obtaining valid consent. They must also decide when the new exceptions may be used.
  4. Children's privacy

    While implied under PIPEDA, the CPPA would explicitly designate the information of minors as sensitive. Accordingly, it would impose additional considerations and requirements for processing such information. It would also impose certain unique disposal obligations on organizations that process children's personal information.
  5. Individual privacy rights

    The CPPA would provide individuals with additional control over their personal information. Under PIPEDA, individuals have the right to access and rectify their personal information held by organizations. Individuals also have the right to withdraw their consent at any time. The CPPA would extend these rights and provide new rights to seek the disposal of and transfer of personal information between organizations.

    It would further set out a private cause of action against organizations that contravene the Act. Organizations should anticipate these changes and consider how they will enable individuals to exercise their rights.
  6. De-identification/anonymization

    The CPPA would give individuals the right to have their personal information not only deleted, but "anonymized" – a term carefully defined in the CPPA itself. The CPPA requirements do not apply to anonymized information. Organizations must evaluate their anonymization strategy based on the CPPA definition. They should also consider the implications of the CPPA for using anonymized data.

Current status of the Consumer Privacy Protection Act

Bill C-27 currently remains at second reading in the House of Commons. A vote is expected in the near future.

On November 28, 2022, the Speaker of the House of Commons decided in favour of an opposition Point of Order arguing that the vote on Bill C-27 at second reading should be split in two. The opposition contended that the AIDA should be voted on separately from the CPPA and PIDPTA.

It is important to note that the Speaker's decision does not split the Bill itself, but permits separate votes on two distinct parts of the Bill. This, in turn, allows for greater scrutiny of the Bill's distinct aspects by opposition members. It also allows opposition members to oppose one part of the Bill without voting down the entirety of Bill C-27.

If the Bill passes at second reading (whether it be one or both parts of the Bill, as decided by the split vote), it will move to the Standing Committee on Industry and Technology for consideration at committee stage.  If the AIDA, for example, is voted down at second reading, Bill C-27 would be reprinted without the AIDA before moving to the committee.

The committee is likely to consider a range of substantial amendments as signalled by opposition party members in the House of Commons. As such, the committee is expected to undertake an extensive study of the Bill.

To learn more about how Bill C-27 could impact your organization, please contact a member of our team.