Consumer Privacy Protection Act (CPPA)

17 November, 2020

Canada's federal government introduces major reforms to privacy laws

Today the Minister of Innovation, Science and Industry, Navdeep Bains, introduced the Digital Charter Implementation Act, 2020 (Bill C-11), signaling the government’s intent to create a new privacy law. Entitled the Consumer Privacy Protection Act (CPPA), its fines are among the highest in the world—upwards of 5% of companies' global revenue.

Key impacts to organizations

If passed, the CPPA will require companies to comply with the following:

  1. Meaningful consent: Provide individuals with plain-language information for them to make meaningful choices about the use of their personal information. This will ensure individuals have more transparency about how their data is collected. 
  2. Data mobility: Provide individuals with the right to transfer their personal information to another organization. The organization would be responsible for making such transfers.
  3. Disposal of personal information and withdrawal of consent: Respond to individuals’ requests to dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
  4. Algorithmic transparency: Adhere to new transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence. Businesses would have to be transparent about how they use such systems to make significant predictions, recommendations or decisions about individuals. Organizations will also have to explain, upon request, how a prediction, recommendation or decision was made by an automated decision-making system and explain how the information was obtained.

In addition, companies will be provided with the ability to:

  1. Use de-identified information without consent in certain circumstances. While many organizations already use de-identified personal information to better protect privacy, the legislation will clarify that this information can be used without an individual's consent under certain circumstances.
  2. Use data for good: The CPPA will allow businesses to disclose de-identified data to public entities (under certain circumstances) for socially beneficial purposes. The recognition that greater data sharing and access between the public and private sectors can help solve important challenges is important for businesses. PwC Canada’s Privacy team has been and continues to be very active on this front as a key participant of the Data Accountability Project led by the Information Accountability Foundation and Steering Committee member of the Canadian Anonymization Network (CANON). 
  3. Rely more on codes of practice and certification systems: To help organizations understand their obligations under the CPPA and demonstrate compliance, the legislation would allow organizations to ask the Privacy Commissioner to approve codes of practice and certification systems that set out rules for how the CPPA applies in certain activities, sectors or business models.

To ensure compliance with the law, the government has also clarified the following enforcement and oversight tools under the CPPA:

  • Greater powers for the federal Privacy Commissioner:
    • Broad order-making powers, including the ability to force an organization to comply with its requirements.
    • Ability to order a company to stop collecting data or using personal information. 
    • Ability to recommend that the (new) Personal Information and Data Protection Tribunal impose a fine.
  • Significant fines:
    • Administrative monetary penalties (AMPs) of up to 3% of global revenue or $10 million for non-compliant organizations.
    • A maximum fine of 5% of global revenue or $25 million would be levied for serious contraventions of the law.

Additional information and next steps

The new framework will resemble Canada’s competition law model, which requires regulators seeking penalties to obtain approval from a quasi-judicial body. In this case, that body would be the newly created Personal Information and Data Protection Tribunal.

Canada’s federal government announced its vision of privacy as Canada’s Digital Charter in May 2019. It promised Canadians stronger privacy protections, while reassuring companies that privacy reforms will be fair, flexible and clear so that innovation continues to be supported.

The legislative process for having this bill passed can be lengthy. Bills typically go through several stages of approval within both the House of Commons and the Senate. This includes a “committee stage” where elected officials can invite government officials and other experts to comment on the impact of the law and then propose edits to the Act. This process can take several months, even years. Once Bill C-11 is passed, we expect a period of adjustment for organizations to understand their new privacy obligations before the law goes into effect. 

Where can I find more information?

At PwC, we are committed to advancing the public policy discussion and thought leadership on responsible data use, privacy and innovation. We engage with companies, policymakers and privacy professionals to develop solutions to some of the most pressing privacy and cyber issues. If you have questions, or are seeking unique solutions for your own organization, set up a consultation with one of our PwC advisors.

Key contacts

Our PwC Canada Privacy team will be actively involved in and engaged with updates relating to this process, and we’re available anytime to answer your questions:

Jordan Prokopy

National Data Trust & Privacy Practice Leader, PwC Canada

Tel: +1 416 869 2384

Cristina Onosé

Lead, Privacy Advocacy and Thought Leadership, PwC Canada

Tel: +1 416 687 8104
