Iubenda logo
Start generating


Table of Contents

Canada’s CPPA – Is Your Business Prepared?

Canada's CPPA

Canada’s CPPA (Bill C-27), is the text in discussion at the House of Commons. The Bill is not enforced yet; however, it’s best that businesses get prepared for the upcoming legislation. This new Bill aims to ensure that the privacy of Canadians will be protected and that innovative businesses can benefit from clear rules as technology continues to evolve. 

Continue reading for everything you need to know about this upcoming legislation and how to prepare your business.

LAST UPDATED September, 2022

What is the CPPA?

For now, the CPPA, Canada’s new privacy law, is still a draft and is currently being discussed at the House of Commons. It must be approved by both Houses of Parliament before it can be passed. If approved, the CPPA would replace Part I of the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how the private sector handles users’ data. 

The CPPA applies to personal data, and information about identifiable individuals, giving users greater control over how businesses collect, use and disclose their data and strengthening their right to privacy. The CPPA is also encouraging businesses’ transparency when handling personal data.

The CPPA would impact any business that collects, uses, or discloses personal data in Canada or internationally.

The CPPA would also apply to any processing that occurs within provinces when the province does not apply substantially similar legislation.

The Act also grants the Privacy Commissioner with extensive and effective powers to ensure businesses comply with the CPPA’s rules.

What does Canada’s CPPA include? 

In short, the draft of Canada’s CPPA (Bill C-27) includes: 

  1. higher control and transparency about the handling of personal data;
  2. a clear indication of users’ rights and businesses’ obligations;
  3. the users’ freedom to transfer their personal data safely from one business to another; and
  4. users will have the option to request the deletion of their information when it is no longer needed.

💡 Your businesses will be subject to: 

  1. strengthening protections for children by restricting your ability to collect or use information about children and holding you to a ‘higher standard’ for handling children’s data; and
  2. hefty fines for any non-compliance, with the most serious offenses subject to a penalty of up to 5% of global revenue or $25 million, whichever is greater.

Additionally, the Canadian Privacy Commissioner will have wide authority to issue orders, such as the power to direct a business to stop collecting data or utilizing personal information. 

The CPPA proposes the establishment of the Personal Information and Data Protection Tribunal, a crucial aspect in Canadians’ privacy protection. The Tribunal would specifically receive recommendations made by the Canadian Privacy Commissioner to impose administrative fines for specific Act violations on companies and be competent to review the Commissioner’s decisions. 

📌 Accountability

Under sections (7 to 11), your business will be held responsible for the personal information in its control and required to appoint the so-called designated individual, the reference person within your company for any Act-related matters, and uphold a privacy management program that includes information on how:

  1. personal information is protected;
  2. your business receives and responds to requests for information and complaints;
  3. your employees are trained and informed, respecting policies, practices, and procedures; and
  4. materials to explain your policies and procedures are developed.

Please note that at the request of the Commissioner, you must provide the Commissioner with access to the policies, practices, and procedures included in your privacy management program.

📌 Data Breaches

Under sections 58 to 61, in the event of a breach, companies must report to the Privacy Commissioner and, if not prohibited, notify the interested subjects. The CPPA does not specify a deadline, it only states that notice must be made as soon as possibleKeeping records regarding occurred breaches is also requested.

📌 Definitions of valid consent

Under sections (13 to 17) at or before collecting, using, and/or disclosing any user’s personal information, your business is required by the CPPA to obtain the user’s explicit and valid consent. You must give users the following information in “plain language” for consent to be deemed valid:

  1. the kinds of personal data that will be gathered, processed, or disclosed;
  2. the way in which the collection, use, and disclosure are performed;
  3. the purpose behind data gathering, use, and disclosure;
  4. an assessment of “reasonably foreseeable” effects;
  5. the categories or identities of any third parties to whom the information may be provided.

Suppose your business receives a request to stop collecting, using, or disclosing a user’s personal information. In that case, you must inform users of the implications of doing so and interrupt any processing activities regarding which the user has withdrawn their consent.

If the collection or use of your user’s data is done for one of the following purposes, your business may do so without the user’s knowledge or consent:

  • a reasonable user would expect the collection or use for such an activity;
  • personal information is not collected or used for the purpose of influencing the individual’s behavior or decisions;
  • it is necessary to provide a product or service that the users have requested from your business;
  • it is necessary for your business information, system, or network security;
  • it is necessary for the safety of a product or service that your business provides; and
  • any other prescribed activity.

📌 Rights of your Users Under the CPPA

Under sections (17, 63, and 71), when it comes to using their personal information, Canadians have rights established under PIPEDA, and the CPPA makes some improvements and expands those rights. The changes now include the option to:

  • revoke previously given consent, and
  • have a right to access their personal information and ask for changes if the information is incomplete or inaccurate.

As a business, upon receiving a user’s request, you must:

  1. stop collecting the user’s data in question if consent is withdrawn; or 
  2. grant access to the user’s information;
  3. update any out-of-date, incomplete, or unreliable data;
  4. address requests no later than 30 days from receipt; and
  5. write in plain language.

Please note: Users are now granted the “private right of action” under the CPPA, which would allow them to raise their claims against your business in case of contraventions provided that the Privacy Commissioner or the Tribunal find a privacy infringement following an inquiry.

Users may be entitled to compensation for any loss (financial or otherwise) and/or harm they sustained as a result of the violation.

📌 Business obligations under the CPPA

Under the CPPA, your business must:

  • be clear and specific when obtaining consent for data processing, making sure it is informed and explicit and that it can be supported by proof;
  • provide details on how users can contact you with requests;
  • ensure the accuracy of personal information;
  • implement effective safety safeguards.

📌 Purposes for data processing

Under section (12), you may only gather, use, or disclose personal information in those circumstances that a reasonable user would consider “appropriate”. Such evaluation includes:

  1. the sensitivity of personal data;
  2. whether the goals correspond to the business’s legitimate commercial needs;
  3. the effectiveness of the gathering, using, or disclosing the data in achieving the businesses’ legitimate business needs;
  4. whether there are less invasive methods that would accomplish those goals at a comparable cost and benefit; and
  5. if the benefits outweigh the user’s loss of privacy in light of any technical or non-technical safeguards put in place by the business to lessen the effects on the individual.

📌 Penalties and legal action

Significantly high sanctions can be imposed on businesses if violations occur. Now, fines are more in line with those imposed by other international privacy regulations. 

The maximum fine for the majority of offenses may vary in the maximum between CA $10 million, or 3% of the global annual revenue, and CA $25 million, or 5% of the global annual revenue.

Suppose you are suspected of violating the revised regulations. In that case, you could be subject to the Commissioner’s investigative powers and potentially receive significant penalties from the Personal Information and Data Protection Tribunal.

The Commissioner will carry out essential assessments, make legally enforceable directives, suggest penalties to the Tribunal and oversee enforcement procedures.

How to prepare for Canada’s CPPA

Compliance with the CPPA shouldn’t be based on assumptions. Instead, businesses should take the necessary steps to prepare for the entering into force of the CPPA.

Companies can demonstrate exceptional compliance with global data regulation thanks to iubenda.

We’re already helping businesses worldwide comply with the CCPA, LGPD, and GDPR. You can be assured that iubenda will adopt the CPPA to our extensive privacy model whenever the Act becomes effective.

🗣 Want to stay up to date? Make sure you’re receiving our emails.

🗳 Survey on business privacy-related issues 2022  

The Office of the Privacy Commissioner (OPC) conducted its first company survey in 2019 to determine how well-versed firms are in privacy concerns, what kinds of privacy policies and practices they have in place and their level of compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA).

Between January 12 and February 18, 2022, representatives from 751 businesses participated in the 15-minute phone survey. The OPC has released the full report: 2021-22 Survey of Canadian businesses on privacy-related issues. Below you can find a summary of the facts:

Every two years, the OPC surveys businesses to learn more about business privacy protection awareness and practices. The OPC uses the survey results to improve outreach to individuals and businesses on privacy-related matters.

In terms of privacy practices, there have been changes since 2019:

  1. ⬇️ 57% of businesses now have a privacy officer in place, down from 62% in the previous year; 
  2. ⬇️ 51% have internal policies in place for staff to address their privacy obligations, down from 55%; and
  3. ⬇️ 51% report having procedures in place to respond to user requests for their personal data, from 60% in the previous year.

⬇️ Fewer businesses now train and educate their employees about privacy, from 39% in 2019 to 34%.

  1. Fewer businesses (59%) than in the previous survey (65%) say they have a privacy policy. Similar to earlier surveys, larger businesses were more likely to have such policies: 79% of large enterprises, compared to 66% of medium-sized and 58% of small businesses.
  2. Companies in Western Canada (64%) are more likely to have a privacy policy in place than in Quebec (39%).

  1. 43% of companies with a privacy policy are now required to notify users when changes are made, up from 36% in 2019. 
  2. ⬆️ When implementing modifications to their company’s privacy practices, 43% get customer agreement, up from 34% in 2019.

⬆️ 70% of businesses now claim to provide users with easy access to their privacy policies, up from 51% in 2019.

  1. ➡️ In 2019, 94% of businesses reported not having had a privacy breach; today, the result is the same.
  2. ⬇️ Concerns regarding privacy breaches have dropped from 37% in 2019 to 28% today.

➡️ 74% of businesses have reportedly taken steps to assure compliance with Canadian privacy regulations. The likelihood of taking actionable steps to comply rose with the size of the business. According to reports, 85% of large businesses and 82% of medium-sized enterprises had taken action, compared to 73% of small businesses.

💡 The new CPPA will enforce the obligation to comply, meaning many businesses will have to take action to improve upon their data protection compliance. Find out what legislation your business needs to comply with by taking this 2-min quiz

See also