CPPA: the new privacy Act proposed by Canada

The Canadian Government put forward a new privacy act on November 17, 2020, through the newly proposed Bill C-11.

The proposed Consumer Privacy Protection Act (CPPA) is aimed at “modernizing the framework for the protection of personal information” and the legislation is projected to include “the strongest fines among G7 for privacy laws” according to the official press release.

What is to be considered personal information under the CPPA?

Personal information is any information about an identifiable individual, living or deceased.

Who will the CPPA requirements apply to?

CPPA requirements apply to any organization that:

  • collects, uses, or shares personal information in the course of commercial activities; or
  • collects, uses, or shares the personal information of employees or job applicants in connection with federal work, undertaking, or business.

ⓘ The Act specifically applies to any personal information that is used, collected or shared interprovincially (between provinces) or internationally.

ⓘ The term Organization under the CPPA includes an association, a partnership, a person or a trade union.

ⓘ The Act will apply to Canada at a Federal level except for Alberta, British Columbia and Quebec.

CPPA exemptions and limits

In general, the CPPA will not apply to:

  • any Government organization to which The Privacy Act already applies;
  • an individual who collects, uses, or discloses personal information only for personal or domestic purposes;
  • an organization processing personal information for solely journalistic, artistic, or literary purposes; or
  • an organization processing personal information solely for communication with the individual (to whom the personal information applies) in relation to their employment, business, or profession.

Proposed CPPA requirements

According to the factsheet for the Digital Charter Implementation Act, 2020 (DCIA) under which the CPPA is proposed, the main requirements of the CPPA could include the following:

Meaningful consent. Organizations could be required to collect consent that is based on “plain-language” communication with the user – enabling the user to make properly informed choices about their personal data.

Withdrawal of consent. Under most circumstances, the CPPA will grant users the right to withdraw consent to the processing of their personal data.

Data mobility / the right of transfer. Under the CPPA users will be given the right to direct the transfer of their personal information between organizations. For example, a user can direct their bank to transfer their personal information to their insurance company.

Deletion / disposal of personal data. Under the CPPA, individuals will be given the right to request that their personal information be deleted or “disposed of”.

Transparency. Under the CPPA, organizations will be required to be transparent about how they use automated decision-making systems to make predictions or decisions about users. Users will also have the right to request an explanation of how a decision was made using an automated decision-making system and how the information used was collected.

De-identified information. Under the CPPA, even de-identified information must be protected and can only be used under certain circumstances.

💡 You can read the full CPPA text here.

What are the proposed CPPA penalties for non-compliance?

Consequences of non-compliance with the CPPA will include fines of $10 million or up to 3% of global revenue. The Act also includes an expanded range of penalties for certain serious violations of the law which include a maximum fine of $25 million or 5% of global revenue.
