Canada Introduces the Consumer Privacy Protection Act
On November 17, 2020, the Canadian House of Commons introduced the Digital Charter Implementation Act, 2020 (“DCIA”), which includes the Consumer Privacy Protection Act (“CPPA”), a privacy focused arm of the legislation. The full text of the Bill can be found here. The CPPA would act as an update and expansion to the pre-existing federal, privacy law.
The CPPA was introduced in an effort to significantly increase protections for Canadians’ personal information by giving Canadians more control over how companies handle their personal information. The CPPA’s legislative foundation is anchored by five core pillars:
Providing plain-language information for consumers so they can fully understand and meaningfully consent to the ways in which their data will, or will not, be used;
Providing the ability for consumers to transfer their private data between multiple private entities;
Providing the ability for consumers to be able to withdraw their data-usage consent and have their personal information be properly and permanently disposed of;
Providing increased algorithmic transparency requirements, with an emphasis on any systems relying on artificial intelligence or implicated in automated decision-making; and
Providing the ability for consumers to have personally identifiable information about themselves removed in certain circumstances.
The CPPA proposes significant fines for potential violations. The CPPA’s upper ceiling allows for up to C$25 million (~$19.5 USD) or 5% of the company’s revenue, whichever is more. Along with hefty potential fines, the CPPA gives the Privacy Commissioner of Canada order-making powers, which the Commissioner could enforce through compliance requirements.
Another significant enforcement tool introduced in the CPPA is the introduction of a private right of action for Canadian citizens. However, the private right of action is only triggered if Canada’s Office of the Privacy Commissioner determines that a privacy violation has occurred.