Coming Soon: Canada’s New Privacy Law – What You Need to Know
Stricter data privacy regulations and enforcement is no longer a new trend, it’s the known future. Living in a world of increasing data that often contains private information, lawmakers in several countries have realized the importance of bolstering measures to protect individual privacy rights and address longstanding concerns from consumers. Ranging from new laws to security recommendations, the overall goal is to ensure organizations who are collecting or processing data containing private information keep it safe and inform consumers on how the organization intend to use their data for business purposes. An emerging privacy theme is to allow consumers to have greater control over how organizations use their personal information.
After the European Union’s General Data Protection Regulation (GDPR) became effective in 2018, other regulatory bodies notably followed suit – including California, Brazil, and Australia. Now, Canada has joined the list. On Nov. 17, 2020, the Canadian government expressed their intention to create a new privacy law applicable to the private sector. Canada’s Consumer Privacy Protection Act (CPPA), implemented via the broader Digital Charter Implementation Act, would focus on giving consumers control over their data and promote improved transparency regarding how organizations use data containing personal identifiers. The CPPA would replace the Personal Information Protection and Electronic Documents Act, which currently governs how the private sector handles consumer data. The CPPA would likely still coexist with other privacy laws in Canada, like the law solely applying to the public sector and provincial laws targeted at more specific topics like health information.
If Canada’s CPPA is adopted, it will be one of the strictest privacy laws in the world and is comparable to the GDPR and California’s privacy regulation.
Key Components of this Newly Proposed Privacy Law
- Rights for consumers to request data deletion and withdraw consent for organizations to use data containing their personal information.
- Data mobility rights, granting consumers control over how one organization transmits their personal information to another organization.
- Updated requirements about information organizations must provide to consumers regarding consent to use personal data. The goal is to ensure consumers can clearly understand what they agree to in order to create greater transparency.
- Clearer guidelines around de-identification, expressly stating that organizations need to protect this information, and enumerating the very limited circumstances where its use is allotted in the absence of consumer consent.
- Requirements for amplified transparency surrounding the usage of algorithm and artificial intelligence systems for decisions on data containing personal information.
- Mandating privacy management programs where organizations will need to take steps to ensure compliance under the CPPA – like employee training, updated policies, and enhanced security.
- Severe penalties for non-compliance up to five percent of an organization’s annual revenue or $25 million Canadian dollars.
- The ability to reach organizations located in other countries, as the law would apply to any organization that collects, uses, or discloses personal information in the course of commercial activities without limitation on location. The law also extends to data collected internationally.
- Private right of action against organizations not complying with the CPPA’s requirements.
The bill is still in the early phases of development and will likely gain more traction as 2021 ensues. It is important for organizations that would become subject to Canada’s CPPA to monitor all developments going forward, including whether provisions are altered or removed. This is necessary to stay on top of future compliance obligations. While some of these responsibilities may overlap with other laws like the GDPR, there will be variances.
How to Stay Current with New Privacy Laws
With more privacy laws popping up that have an extraterritorially reach, it can become difficult to keep track of compliance obligations. Some ways to simplify this include signing up for alerts about privacy laws, designating a separate team for compliance, keeping a comprehensive log of how laws overlap and differ, creating policies clearly outlining workflows surrounding how to handle data containing personal information, ensuring the right teams (i.e. marketing, client services, etc.) are aware of how to manage data, and establishing privacy programs that promote uniformity in handling privacy matters where global laws coincide.
For more information about global data privacy laws, please read our blog on Brazil’s new data privacy measures.