Summary and Implications
Canada’s proposed new privacy legislation, the Consumer Privacy Protection Act (CPPA), contains a number of new requirements regarding how organisations collect, use and disclose personal information. As well, CPPA contains significant fines, up to $25 million or more, in the event an organisation breaches its privacy obligations.
CPPA now provides individuals with the right to sue organisations for damages the individual has suffered as a result of a non-compliance with the legislation.
As franchise systems continue to provide more personalized experiences for their customers through their loyalty programs, online ordering apps and their Internet platforms, they are collecting increasing amounts of personal information. As such, it is important that they ensure that their systems and programs and their privacy practices remain compliant with changing privacy law.
The Consumer Privacy Protection Act
On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.[1] If passed, this Bill will implement CPPA.
The Personal Information Protection and Electronic Documents Act [2] (PIPEDA) is Canada’s existing federal legislation to address the use of personal information in the private sector. The Provinces of British Columbia [3], Alberta [4] and Quebec [5] have their own legislation directed at the use of personal information in the private sector. These provincial laws will remain in place if CPPA is enacted. It should be noted that Quebec is in the process of amending its privacy legislation.
CPPA generally maintains the role of the Privacy Commissioner created under PIPEDA but creates a new body, the Personal Information and Data Protection Tribunal.
Under CPPA, the Commissioner has new order-making powers, including issuing orders requiring an organisation to comply with CPPA. For certain offences, the Tribunal will have authority to impose fines of up to $10 million or 3% of the organisation’s global gross revenues, whichever is higher. For more serious offences, the Tribunal will have the authority to impose fines of up to $25 million or 5% of the organisation’s global gross revenues, whichever is higher.
As well, CPPA introduces the right of an individual to bring an action directly against an organisation for damages from a loss or injury that the individual has suffered as a result of a contravention of CPPA.
New Privacy Obligations
CPPA requires organisations to further formalise their privacy practices by developing and implementing a privacy management program. A privacy management program is required to include the policies, practices and procedures put in place to enable an organisation to fulfil its privacy obligations under CPPA. An organisation’s privacy management program is required to address the protection of personal information, the handling of access requests and privacy complaints, as well as the training and information to be provided to the organisation’s staff. The privacy management program is also to include the development of materials to explain the organisation’s policies and procedures.
In obtaining the consent of an individual to the collection, use and disclosure of their personal information, the organisation is to provide the following information to the individual, in “plain language”:
- the purposes for the collection, use and disclosure;
- the way in which the personal information is to be collected, used and disclosed;
- the reasonably foreseeable consequences of the collection, use and disclosure of the personal information;
- the specific type of personal information that is to be collected, used and disclosed; and
- the names of any third parties or types of third parties to which the organisation may disclose personal information.
Meeting this requirement could call for a fairly lengthy description in order to obtain the consent of the individual.
As well, CPPA introduces certain business activities that do not require the consent of the individual. These include activities that are necessary to provide a product or service to the individual, to conduct due diligence to reduce commercial risk to the organisation, to secure an organisation’s information, systems and networks and for the safety of an organisation’s products and services. CPPA also provides that consent is not required for an activity where it would be impracticable to obtain consent because the organisation does not have a direct relationship with the individual. This last exemption will likely be useful for certain types of Internet businesses.
Additional Rights of Individuals
Individuals will have the right to require that personal information in the control of an organisation be deleted. This will be subject to certain exemptions, such as where there are existing contractual requirements.
An individual will have the right to be informed if an organisation has used an automated decision system to make a prediction, recommendation or decision about the individual, and to be provided with an explanation of the automated decisions that have been made and how the individual’s personal information was used to make the automated decision. This may prove challenging as machine learning and artificial intelligence are increasingly used to make decisions, and it may not be easy for an organisation to understand and describe how those decisions are being made.
An individual will also have the right to have their personal information transferred to a third-party organisation, provided both organisations “are subject to a data mobility framework.” It is anticipated that data mobility frameworks will be developed for specific industries where it is common for individuals to transfer from one service provider to another, such as with telecommunications services.
The Canadian federal government is in the process of modernizing its privacy legislation. The new legislation will provide individuals with additional rights, require organisations to comply with new obligations with respect to their handling of personal information and potentially impose significant fines on organisations that fail to comply with their privacy obligations.
As many of the changes required by CPPA represent good privacy practices, franchise systems should consider reviewing and updating their privacy practices in anticipation of the changes that are being proposed by CPPA. This is particularly important as franchise systems implement new ways to connect with their customers and drive customer conversion.
[2] S.C. 2000, c. 5, http://canlii.ca/t/7vwj
[3] Personal Information Protection Act, SBC 2003, c. 63, http://canlii.ca/t/84mg
[4] Personal Information Protection Act, SA 2003, c. P-6.5, http://canlii.ca/t/81qp
[5] Act Respecting the Protection of Personal Information in the Private Sector, c. P-39.1, http://canlii.ca/t/xpm