Canada’s Consumer Privacy Protection Act: Impact for businesses

Éloïse Gratton November 18, 2020

On November 17, 2020, the Minister of Innovation, Science and Industry, Navdeep Bains, introduced Bill C-11, An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts, or Digital Charter Implementation Act, 2020. The proposal would modernize, and in certain respects toughen, Canadian private sector privacy law by enhancing transparency and control over personal information held by businesses, and imposing new, potentially onerous sanctions for non-compliance. We have prepared a detailed analysis which focuses on the key differences between the federal government’s current privacy framework, the Personal Information Protection and Electronic Documents Act, and its replacement, the Consumer Privacy Protection Act.

What you need to know

Our article provides an overview of the key aspects of the CPPA and their impact on Canadian businesses and explains how this new privacy regime would introduce the following changes:

New enforcement tools:
- The newly constituted Personal Information and Data Protection Tribunal would have powers to impose, upon recommendation by the Office of the Privacy Commissioner of Canada (Commissioner), administrative monetary penalties of C$10,000,000 or, if greater, the amount corresponding to 3 per cent of the organization’s global gross revenues in its previous fiscal year.
- Reinforced fines in the case of penal proceedings of a maximum of C$25,000,000, or, if greater, the amount corresponding to 5 per cent of the organization’s global gross revenues in its previous fiscal year.
- New private right of action for individuals.
- New provisions to enable the creation of “codes of practice” and “certification programs”.
New individual rights inspired by European law: right to be informed of automated decision-making, right to disposal and right to mobility.
Reinforced accountability rules:
- New definition of the notion of “control”.
- New obligation to establish, implement and make available a privacy management program.
- Clarity concerning the role and responsibilities of service providers.
Reinforced consent requirements, including greater clarity concerning the notion of valid consent.
Some less stringent rules: new consent exceptions for de-identified information, socially beneficial purposes and legitimate business practices.

Read our detailed analysis of this new bill C-11 (also available in French – and a pdf version is available).

This content has been updated on December 1, 2020 at 13 h 59 min.

Éloïse Gratton

Privacy & Data Protection Law

Canada’s Consumer Privacy Protection Act: Impact for businesses

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet