60% of users say they would spend more money with a brand they trust to handle their personal data responsibly.
The Consumer Privacy Protection Act (CPPA) falls under the umbrella of the Digital Charter Implementation Act (DCIA). DCIA, introduced in June 2022, proposes legislation that intends to increase legal protections for Canadians’ personal information when collected and used for commercial purposes.
CPPA closes a number of privacy gaps that existed in the previous PIPEDA legislation and introduces stricter standards for data governance and control. It also implements a new Personal Information and Data Protection Tribunal that has much greater power to enforce rules and levy fines and other sanctions against organizations that fail to comply.
Although the proposed new rules must still work their way through the legislative process, it is likely that Canadian businesses will need to comply with stricter data protection laws in the next year or two. In this article, we’ll explain the most significant changes proposed by CPPA and how they could affect Microsoft customers that collect and use consumer data.
Under PIPEDA, organizations that contravene data protection laws can be subject to fines of up to $100,000 CAD.
CPPA significantly increases penalties for mishandling personal information. In the proposed legislation, businesses that violate CPPA would automatically be subject to fines of up to $10 million or 3% of their gross global revenue in the previous financial year, whichever is higher. More serious offences could carry fines of up to $25 million or 5% of an organization’s global revenue.
In addition, affected individuals are granted a private right of action, meaning they can pursue additional financial relief from the organization that mishandles their data.
Every organization that collects consumer data must develop and maintain its own privacy management program that lays out all procedures and policies that the company has put into place to ensure compliance with CPPA.
Businesses must be able to produce this information upon request. Privacy management programs must also explain how requests for information and complaints will be received and handled and provide details about employee privacy training.
Under CPPA, every organization that handles consumer data will be required to have security and compliance practices in place that proactively protect the data in their control. “Physical, organizational and technological security safeguards” are mandatory for all personal information, and the level of security required is proportionate to the sensitivity of the information being collected and stored.
Other factors used to determine overall security and compliance obligations are the methods by which data will be collected, stored, and distributed, and how much data in total an organization will have access to. All organizations that handle personal data will be required to implement identity verification measures when distributing data back to consumers (e.g. providing a customer portal to manage billing or healthcare information).
Organizations must get advance consent from individuals to collect personal information. In order for consent to be valid, businesses must inform the individual in “plain language” of the following:
Under CPPA, individuals are able to request a record of any and all personal information that an organization has about them, including how the organization uses the information and whether any of their information has ever been disclosed to a third party. Organizations must also disclose whether a person’s information has ever been used in an automated decision-making system to make a “prediction, recommendation, or decision about the individual that could have a significant impact on them.”
All informational requests under CPPA must be made in writing, but organizations will be obligated to provide assistance to individuals who need help preparing requests if asked to do so. Once a formal request is received, organizations will have 30 days to respond. The Act does have a provision for cases in which obtaining and providing information comes with a cost, but any costs passed on to individuals must be minimal and approved by the individual in advance.
Individuals also gain greater authority to instruct organizations to share data with third parties. If instructed by the person to whom it pertains, an organization is required to share personal information as soon as feasible with any other organization that is also subject to data mobility regulations. For example, an individual could instruct their bank to share personal information with another financial institution, and the bank would be obligated to comply as soon as possible.
In addition to the new proposed rules around mandatory data compliance and security practices, organizations must not retain personal information for a period longer than necessary to “fulfill the purposes for which the information was collected” or to comply with the requirements of the CPPA.
Organizations must dispose of data as soon as feasible after this period. Individuals may also make written requests for organizations to dispose of their data, although organizations cannot dispose of any data that would be necessary to comply with the Act.
Individuals can also withdraw consent regarding the collection and use of their personal information at any time. Once reasonable notice is given to an organization with access to their personal data, that data must be properly disposed of as soon as possible.
Any time an organization that collects personal information experiences a security breach that poses a risk to its customers, it must report that breach to the Privacy Commissioner. These reports will have strict requirements around what information must be included and how it must be presented.
In cases like these, organizations will also be obligated to inform all affected individuals about the potential risk to their personal information as a result of the breach, and what steps they can take to mitigate that risk.
A common practice many organizations employ is removing personally identifying information (such as names) from data that they have collected, and then freely using that data under the assumption that they are not violating any privacy regulations.
Under CPPA, this practice could still contravene privacy laws. The new Act will clearly distinguish between anonymous data and de-identified data and will introduce clear rules for handling the latter.
CPPA will be broadly applicable to a range of Canadian organizations, including every business that collects, uses, or discloses personal information for “commercial activities”.
In addition to customer data, it also applies to data that is related to federal employees and job applicants. CPPA does not specifically mention employees in the private sector.
Even organizations with existing compliance policies might find the new rules proposed by the CPPA daunting. However, Microsoft customers have access to the essential tools required to ensure CPPA compliance.
The first step for any business that wants to prepare for the CPPA is to conduct a complete audit of its people, tools, and processes to identify any areas where it falls short of upcoming standards.
Although the Consumer Privacy Protection Act is not yet in effect, there is little doubt that stricter privacy regulations are coming for Canadian businesses. Other regions, like the US and Europe, have already introduced updated privacy legislation; Canada is lagging behind and is now in the process of catching up.
Once these rules are implemented, businesses could face fines in excess of $25 million for failing to meet new data compliance standards, plus open themselves up to private lawsuits brought by affected individuals. Simply put, Canadian organizations can’t afford to put off improving their data governance practices.
For businesses powered by Microsoft, the best place to start is with a Protect & Govern Sensitive Data Workshop. This workshop will assess your organization’s data risks and tell you how your practices measure up against potential CPPA regulations and other key data protection standards. You’ll receive a detailed analysis of your environment and a report on associated risks, plus recommendations and next steps to ensure your organization is fully compliant.
We're here to help solve your complex IT and security problems.
Get in touch by completing this form and we'll connect you with a Bulletproof expert.