The proposed Consumer Privacy Protection Act (“CPPA”) is intended to replace the Personal Information and Electronic Documents Act (“PIPEDA”). The current text of the CPPA will make a number of significant changes to some of the consent requirements Canadian private sector organizations must obtain.
See our previous blog about CPPA’s proposed privacy management program requirements.
Consent Requirements in the CPPA
The CPPA includes more defined requirements for valid consent than its predecessor, PIPEDA. It is not new that organizations must obtain an individual’s consent before they can collect, use, and disclose their personal information. CPPA proposes more prescriptive requirements to obtain valid consent. In future, an organization must provide the following information:
- the purposes for the collection, use or disclosure of the personal information;
- how the personal information is to be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the specific type of personal information that is to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
What are the important changes?
Organizations should pay attention to these changes and consider modifying their practices accordingly.
The CPPA requires that an organization provide the above noted-information to individuals in plain language. Moreover, organizations must use plain language that their typical target audience would reasonably be expected to understand. This requirement ensures that individuals fully appreciate any risk to their privacy before they interact and share information with organizations. As you prepare for the new legislation, double check the language that your organization uses when obtaining individuals’ consent and simplify it if need be.
Explaining Reasonably Foreseeable Consequences
To obtain an individual’s valid consent, organizations must flag any reasonably foreseeable consequences that could arise from their collection, use, or disclosure of the individual’s personal information. Organizations will have to assess potential risks, identify a range of possible outcomes, and communicate their conclusions.
Risk assessment may be relatively simple for organizations that use information only to fulfill orders or other straightforward requests. However, it will not necessarily be as clear cut for organizations that use information in more complex ways, such as behavioural advertising or eligibility for certain services. Your organization might need to clarify that the provision of certain information may result in a decision (positive or negative) about them, or result in some action, or a denial. While these may be reasonably implied in the circumstances, your organization may now be required to be explicit about it.
Third Party Disclosure
The CPPA imposes an obligation on organizations to list the names of any third parties, or the types of third parties, that they may disclose information to in the course of business. Many organizations operating in, or marketing to, Europe already do this as GDPR has a similar requirement.
Your organization should review and inventory its various service providers (this should be part of an information inventory or data flow record your organization has), to ensure it will be able to get consent to share the information when necessary.
If your organization has any questions about requirements for obtaining consent, other obligations under the CPPA or data privacy generally, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Emily is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. She practices in all aspects of workplace law including occupational health and safety issues ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.
Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage.