Building data trust

Canadian Consumer Privacy Protection Act (CPPA) impact and readiness survey

Data is critical to our national economy and to organizations’ competitiveness. Nowhere is this clearer than when we look at the value of data.

In 2018, Canadian data assets were estimated to be worth more than $200 billion, and in that same year, Canadian businesses invested approximately $40 billion in gathering, processing and using data.1 Unlocking value from data will be critical to future Canadian innovation and will support post-pandemic economic recovery.

But we’re seeing a trust divide when it comes to the use of data: 74% of Canadians believe they have less protection of their personal information than they did ten years ago. And 71% of Canadians would be more likely to do business with a company if it were subject to strict financial penalties for the misuse of individuals’ personal information.2

In response to concerns like these, the Ministry of Innovation, Science and Economic Development Canada has proposed overhauls to our federal private sector privacy law in Canada. Called the Consumer Privacy Protection Act (CPPA), this proposed legislation aims to give more control and transparency to individuals over how companies handle their personal information.

The CPPA introduces new privacy requirements, enhances existing ones and imposes among the highest fines in the world: 5% of global annual revenue.

While CPPA died on the order paper with the Federal election, in the future we expect CPPA or a version of it to be reintroduced. This is because Canada will need to maintain its adequacy standing with the European Union’s General Data Protection Regulation (GDPR) to facilitate the free flow of trade involving data between countries.

These changes under the CPPA or any future legislation will be time-consuming to implement and should be considered now. Why? They’ll not only set a critical foundation to help organizations comply now and in the future, but more importantly, they’ll also enhance the customer experience and consumer trust that organizations will need to enable their data use objectives.

We’re at a critical juncture in Canada's data economy and customer trust in it.

While this new legislation might make it more difficult for less prepared organizations to unlock value out of data, it addresses the urgent need for organizations to build citizen and consumer trust in data so companies can innovate with it.

“From our perspective, preparing for legislation like the CPPA isn’t just about privacy: it’s a horizontal challenge for vertically structured organizations. You really need to be thinking about how you set up your governance structure so you can pull in business, privacy, legal, security, data management and IT teams—because you’ll need everyone together to respond appropriately.”

—Jordan Prokopy, Partner, Cybersecurity & Privacy, National Privacy Practice Leader, PwC Canada

About our survey

We wanted to understand levels of awareness and preliminary thoughts about the impact of the CPPA on Canadian businesses. To that end, we surveyed 100 senior decision-makers in Canada responsible for privacy and data issues across sectors and businesses of different sizes in spring 2021.

What were we interested in learning about? Our questions focused on three key areas:

Explore the key findings of our survey and recommended next steps:

Overwhelming majority of Canadian companies already preparing for the CPPA

Key takeaway

The majority of our survey respondents are aware of the CPPA, deem it a priority and are getting ready. If you haven’t started yet, think about and begin to address the upcoming changes now.

95% consider CPPA compliance a priority for their organization, with 41% indicating it’s a top priority.

Awareness levels around the CPPA are high. We found that 85% of respondents are aware of the CPPA, with 94% of those either somewhat or very familiar with the CPPA requirements. And for almost all of those who are aware of the CPPA, it’s a priority, even amid the competing demands ushered in by the pandemic.

Readiness levels are also high. While 88% of respondents who are aware of the CPPA have already conducted an internal assessment, a striking 94% already have a general high-level or detailed plan in place to prepare for the adoption of the CPPA.

Majority of Canadian companies expect significant people, revenue and operational impacts

Key takeaway

A majority of Canadian respondents expect significant effects on revenue, people and operations. Don’t underestimate the amount of work and resources you’ll need to get ready.

It’s almost unanimous: 79% of Canadian respondents feel changes will be needed to comply with the CPPA, and 44% expect these changes will be significant.

What will these changes look like? One out of every five respondents (21%) who is aware of the CPPA expects CPPA-related expenses to cost their organization $10 million or more within the next three years. And 37% of all respondents expect to hire more than ten full-time staff or contractors to their CPPA or privacy program in that same period.

Revenue impact

% of respondents who are aware of the CPPA say it will impact their revenue, with % saying they expect that impact to be negative.

The CPPA requirements assessed by the highest number of respondents as having an operational impact are data mobility (87%), consent (86%) and data deletion (83%). When we look at which requirements respondents expect to have a high impact, large fines (17%) and private right of action (16%) top the list.

21% of Canadian businesses expect to spend $10 million or more to get ready for the CPPA and 37% expect to hire 10 full-time staff
To what degree do you expect the following new CPPA requirements to have an operational impact on your organization?
To what degree do you expect the following new CPPA requirements to have an operational impact on your organization?

What are the biggest challenges to CPPA compliance? For those respondents who have already taken steps to comply, the top-ranked challenges are cost implications (12%), current state of data management (12%) and lack of knowledge (11%).

It starts at the top

% of respondents indicate that, among their leaders, their chief information officer is dedicating the most resources toward CPPA compliance, and % indicate it’s their chief data officer.

Majority of Canadian companies expect existing privacy compliance programs to help with CPPA preparation efforts—but those won’t be enough

Key takeaway

A majority of respondents plan to leverage their existing privacy compliance programs in preparation for CPPA compliance. But the new CPPA requirements are complex and broad in scope, so you’ll need involvement across functions and businesses to manage your real privacy risk exposure.

Almost three-quarters (71%) of respondents have existing privacy compliance programs. Of those, all believe their current programs will be at least somewhat helpful in complying with the CPPA, though 25% say they’ll only help minimally.

Respondents are considering a variety of tools to help them comply with the CPPA, but there’s no strong consensus on the best course of action to take. Information security is ranked as the most useful (46%), followed by strategy and governance (37%), individual rights processing, privacy by design and data life cycle management (each 32%).

Thinking of privacy management and compliance, which of the following will be useful to your organization when complying with the CPPA?
Thinking of privacy management and compliance, which of the following will be useful to your organization when complying with the CPPA?

De-identification strategies are an important method to reduce the CPPA compliance burden

% report de-identification of large or small portions of their data to support CPPA readiness.

Existing privacy policies and tools will only get organizations so far. To truly understand, protect and leverage data now and into the future, organizations will need to bring together their data strategy, privacy strategy and cybersecurity teams under a unified approach.

Next steps

Upcoming privacy changes are likely inevitable, and the CPPA includes important foundational elements Canadian businesses need to get started on now. But it’s not just about compliance—implementing these changes will improve customer trust in your use of their data, and this will mean you can innovate with data responsibly.

As we move forward, organizations should take a strategic data trust approach, which is focused on building an ecosystem that allows them to create, use, share and retire data securely and transparently. This requires an integrated approach in four key areas: data governance, data discovery, data protection and data minimization.

We’ve seen firsthand with GDPR that organizations that take a strategic data trust approach versus a compliance-first approach to privacy are able to capitalize. Investing in these areas improves customer experience and builds the trust needed to unlock data value to drive innovation and economic development. And these will be crucial to Canada's post-pandemic economic recovery.

1 “The value of data in Canada: Experimental estimates,” Statistics Canada, July 10, 2019,

2 “2016 Survey of Canadians on Privacy: Final Report,” Office of the Privacy Commissioner of Canada, December 2016,

Follow PwC Canada

Contact us

​Jordan  Prokopy

​Jordan Prokopy

National Data Trust & Privacy Practice Leader, PwC Canada

Tel: +1 416 869 2384

Sajith Nair

Sajith Nair

Managed Services Leader, PwC Canada

Jennifer Johnson

Jennifer Johnson

Strategy & Transformation Leader, PwC Canada

Tel: +1 416 947 8966

Kathleen Champagne

Kathleen Champagne

Managing Director, Privacy Lead, PwC Canada

Tel: + 1 416 388 1385

Jessica Wiseman

Jessica Wiseman

Senior Manager, Cybersecurity and Privacy, PwC Canada

Tel: +1 403 509 7357