Canada’s Consumer Privacy Protection Act (CPPA) is currently at second reading in the House of Commons as Bill C-27. The full text is already available. However, it may still change significantly.
One of the most interesting aspects of the new Canadian privacy law surely relates to individuals’ consent, which would represent the primary basis for many activities regarding the collection and processing of personal information performed by organizations.
In this short guide, we’ll go through the main requirements regarding CPPA consent, so you will be ready when the law comes into effect!
According to Canada’s Consumer Privacy Protection Act, if you’re collecting, using and/or disclosing personal information, you should obtain your users’ explicit and valid consent.
You must collect consent at or before the time of the collection of the personal information, and you should use “plain language” that users can easily understand to tell them:
👉 what personal data you will gather, process, or disclose;
👉 the way in which the collection, use, and disclosure are performed;
👉 your purpose behind such activities;
👉 an assessment of “reasonably foreseeable” effects linked to the collection, use or disclosure;
👉 the categories or identity of any third parties to whom personal information could be disclosed.
Once you have your users’ consent, you’re allowed to use their personal information only for the purposes you described and you should also give them a way to withdraw their consent at any time.
Moreover, if you collect consent through “deceptive or misleading practices”, such as dark patterns, those consents are considered invalid.
CPPA builds on PIPEDA, which also requires organizations to obtain explicit consent prior to processing personal information.
However, with CPPA, businesses must provide individuals with more specific details about data collection and processing activities, as already mentioned above.
Moreover, CPPA deepens the concept of implicit consent and provides additional information in this regard. We explain this point in the next paragraph.
Yes, the new Canadian privacy law provides some exceptions to consent.
Here are a few cases, among others, in which you wouldn’t need your users’ consent:
The following are considered business activities under the CPPA, those: