CPPA consent: what are the main requirements?

Canada’s Consumer Privacy Protection Act (CPPA) is currently at second reading in the House of Commons as Bill C-27. The full text is already available, but it might still change significantly.

One of the most interesting aspects of the new Canadian privacy law surely relates to individuals’ consent, which would represent the primary basis for many activities regarding the collection and processing of personal information performed by organizations. 

In this short guide, we’ll go through the main requirements regarding CPPA consent, so you will be ready when the law comes into effect!

Consent under the Consumer Privacy Protection Act

According to Canada’s Consumer Privacy Protection Act, if you’re collecting, using and/or disclosing personal information, you should obtain your users’ explicit and valid consent.

You must collect consent at or before the time you collect the personal information, and you should use “plain language” that users can easily understand.

For consent to be valid, users should be informed about:

👉 what personal data you will gather, process, or disclose;
👉 the way in which the collection, use, and disclosure are performed;
👉 your purpose behind such activities;
👉 an assessment of “reasonably foreseeable” effects linked to the collection, use or disclosure;
👉 the categories or identity of any third parties to whom personal information could be disclosed.

Once you have your users’ consent, you’re allowed to use their personal information only for the purposes you described, and you should also give them a way to withdraw their consent at any time.

Moreover, if you collect consent through “deceptive or misleading practices”, such as dark patterns, those consents are considered invalid.

Consent under CPPA vs PIPEDA

CPPA builds on PIPEDA, which also requires organizations to obtain explicit consent prior to processing personal information.

However, with CPPA, businesses must provide individuals with more specific details about data collection and processing activities, as already mentioned above.

Moreover, CPPA deepens the concept of implicit consent and provides additional information in this regard. We explain this point in the next section.

Are there exceptions to consent under the CPPA?

Yes, the new Canadian privacy law provides some exceptions to consent. 

Here are a few cases, among others, in which you wouldn’t need your users’ consent:

  • the collection or use is made for the purpose of a business activity and:
    • users would expect their data to be collected or used in the context of such business activity; and
    • personal information is not collected or used for the purpose of influencing the individual’s behavior or decisions;
  • the collection or use is made under your business’s legitimate interest, which outweighs potential impacts on the individual.

Under the CPPA, business activities are those that are:

  • necessary to provide a product or service that the users have requested from your business;
  • necessary for your business information, system, or network security;
  • necessary for the safety of a product or service that your business provides.