Is your website compliant with Canada’s privacy laws? Changes are coming with Canada’s Consumer Privacy Protection Act and companies could face hefty fines.

Canada’s Consumer Privacy Protection Act

On November 17th, 2020, Innovation, Science and Industry Minister Navdeep Bains introduced the Consumer Privacy Protection Act and Data Protection Tribunal Act (Bill C-11, the Digital Charter Implementation Act). This act threatens to impose fines that could run into the millions of dollars for private companies that violate Canadians’ privacy.

Under the new bill, companies could face a maximum penalty of up to 5% of global revenue for non-compliance. These penalties could match or exceed those in the European Union’s GDPR.

The new act will undergo significant review before being passed into law. Lawmakers must understand how the new rules will affect Canadian businesses and the people the act seeks to protect.

Bains announced that they “have given the Privacy Commissioner Order-Making Powers”. This means that the Privacy Commissioner can “request companies to delete information withhold information and data if it is not properly obtained through meaningful consent.”

The Consumer Privacy Protection Act covers consent in a lengthy section of the document. A few important highlights include:

  1. Required Consent: “Unless this Act provides otherwise, an organization must obtain an individual’s valid consent for the collection, use or disclosure of the individual’s personal information.”

  2. Timing of Consent: “The individual’s consent must be obtained at or before the time of the collection of the personal information or, if the information is to be used or disclosed for a purpose other than a purpose determined and recorded under subsection 12(3), before any use or disclosure of the information for that other purpose.”

  3. Valid Consent: “The individual’s consent is valid only if, at or before the time that the organization seeks the individual’s consent, it provides the individual with the following information in plain language:
    1. the purposes for the collection, use or disclosure of the personal information determined by the organization and recorded under subsection 12(3) or (4);
    2. the way in which the personal information is to be collected, used or disclosed;
    3. any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
    4. the specific type of personal information that is to be collected, used or disclosed; and
    5. the names of any third parties or types of third parties to which the organization may disclose the personal information.”
  4. Form of Consent: “Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.”

  5. Withdrawal of Consent: “On giving reasonable notice to an organization, an individual may, at any time, subject to this Act, to federal or provincial law or to the reasonable terms of a contract, withdraw their consent in whole or in part.” 

The act also gives Canadians the option of demanding their personal online information be “destroyed”.

There are some exceptions to the requirement for consent. This is a section of the act that we believe will undergo many revisions.

Canada’s Privacy Laws Provide Greater Confidence and Trust

The Consumer Privacy Protection Act is not simply a means of punishing businesses. This is also an opportunity to build a greater relationship with your audience. Bains indicated that this legislation focuses on encouraging companies to comply with the law, which in turn builds confidence and trust with Canadian consumers. 

So What Does Canada’s Consumer Privacy Protection Act Mean for My Business?

At a minimum, you will have to update your privacy policy and have users opt in to data collection.

We speculate these changes will be similar to those outlined in the GDPR, which provides data protection and privacy in the European Union and the European Economic Area. These legal frameworks set guidelines for the collection and processing of personal information. Protections for online privacy are created by law. Simply put, these rules provide your users with more control over their personal data.

Keep Me in the Loop

We’re keeping an eye on Canada’s Privacy Laws for you! We will update this page as more information becomes available.

Subscribe to our Newsletter to receive the occasional update from the Hammerhead team.