What Does the Consumer Privacy Protection Act Mean for Microsoft Customers?

Since 2001, the collection and use of Canadian consumers’ personal information have been regulated by the Personal Information and Electronic Documents Act (PIPEDA). PIPEDA was designed to promote responsible data governance for ecommerce companies, but over the past two decades has expanded to cover highly regulated industries like banking and healthcare as they operate in increasingly digital environments. 

During this time, other regions have passed stricter data protection laws, such as the General Data Protection Regulation (GDPR) in Europe. Now, the Canadian government is working to introduce updated data regulation and private-sector privacy laws to reflect the realities of today’s digital information landscape. 

60% of users say they would spend more money with a brand they trust to handle their personal data responsibly.


What is the Consumer Privacy Protection Act?

The Consumer Privacy Protection Act (CPPA) falls under the umbrella of the Digital Charter Implementation Act (DCIA). DCIA, introduced in June 2022, proposes legislation that intends to increase legal protections for Canadians’ personal information when collected and used for commercial purposes.

CPPA closes a number of privacy gaps that existed in the previous PIPEDA legislation and introduces stricter standards for data governance and control. It also implements a new Personal Information and Data Protection Tribunal that has much greater power to enforce rules and levy fines and other sanctions against organizations that fail to comply.

Although the proposed new rules must still work their way through the legislative process, it is likely that Canadian businesses will need to comply with stricter data protection laws in the next year or two. In this article, we’ll explain the most significant changes proposed by CPPA and how they could affect Microsoft customers that collect and use consumer data.

CPPA Data Security Icon

New Penalties Under the Consumer Privacy Protection Act

Under PIPEDA, organizations that contravene data protection laws can be subject to fines of up to $100,000 CAD.

CPPA significantly increases penalties for mishandling personal information. In the proposed legislation, businesses that violate CPPA would automatically be subject to fines of up to $10 million or 3% of their gross global revenue in the previous financial year, whichever is higher. More serious offences could carry fines of up to $25 million or 5% of an organization’s global revenue.

In addition, affected individuals are granted a private right-of-action, meaning they can pursue additional financial relief from the organization that mishandles their data.

CCPA Blog Post Quote (4)


Privacy Management Program Requirements

Every organization that collects consumer data must develop and maintain its own privacy management program that lays out all procedures and policies that the company has put into place to ensure compliance with CPPA.

Businesses must be able to produce this information upon request. Privacy management programs must also explain how requests for information and complaints will be received and handled and provide details about employee privacy training.

Data Collection Icon

Mandatory Data Compliance Practices

Under CPPA, every organization that handles consumer data will be required to have security and compliance practices in place that proactively protect the data in their control. “Physical, organizational and technological security safeguards” are mandatory for all personal information, and the level of security required is proportionate to the sensitivity of the information being collected and stored.

Other factors used to determine overall security and compliance obligations are the methods by which data will be collected, stored, and distributed, and how much data in total an organization will have access to. All organizations that handle personal data will be required to implement identity verification measures when distributing data back to consumers (e.g. providing a customer portal to manage billing or healthcare information).

Conditions for Valid Consent

Organizations must get advance consent from individuals to collect personal information. In order for consent to be valid, businesses must inform the individual in “plain language” of the following:

  • The reason for collecting personal information
  • How the information will be collected, used, and/or disclosed
  • Any “reasonably foreseeable” consequences of collecting, using, or disclosing personal information
  • The specific type of information that will be collected
  • The names (or types) of any third parties that may have access to the information
Business cannot require individuals to provide consent to collect or use their personal information as a condition of purchasing or using a product or service unless the information is absolutely necessary to collect in order to provide the product or service.

CPPA will also contain stricter rules about collecting the personal information of minors, severely limiting most organizations’ ability to do so.

Data Access and Mobility

Under CPPA, individuals are able to request a record of any and all personal information that an organization has about them, including how the organization uses the information and whether any of their information has ever been disclosed to a third party. Organizations must also disclose whether a person’s information has ever been used in an automated decision-making system to make a “prediction, recommendation, or decision about the individual that could have a significant impact on them.”

All informational requests under CPPA must be made in writing, but organizations will be obligated to provide assistance to individuals who need help preparing requests if asked to do so. Once a formal request is received, organizations will have 30 days to respond. The Act does have a provision for cases in which obtaining and providing information comes with a cost, but any costs passed on to individuals must be minimal and approved by the individual in advance. 

Individuals also gain greater authority to instruct organizations to share data with third parties. If instructed by the person to which it pertains, organizations are required to share personal information as soon as feasible with any other organization that is also subject to data mobility regulations. For example, an individual could instruct their bank to share personal information with another financial institution, and the bank would be obligated to comply as soon as possible. 

Data Disposal and Withdrawl of Consent

In addition to the new proposed rules around mandatory data compliance and security practices, organizations must not retain personal information for a period longer than necessary to “fulfill the purposes for which the information was collected” or to comply with the requirements of the CPPA.

Organizations must dispose of data as soon as feasible after this period. Individuals may also make written requests for organizations to dispose of their data, although they cannot dispose of any data that would be necessary to comply with the Act.

Individuals can also withdraw consent regarding the collection and use of their personal information at any time. Once reasonable notice is given to an organization with access to their personal data, that data must be properly disposed of as soon as possible.


Security Breach Record-Keeping

Anytime an organization that collects personal information experiences a security breach that poses risk to their customers, they must report that breach to the Privacy Commissioner. These reports will have strict requirements around what information must be included and how it must be presented.

In cases like these, organizations will also be obligated to inform all affected individuals about the potential risk to their personal information as a result of the breach, and what steps they can take to mitigate that risk. 

De-Identified Information

A common practice many organizations employ is removing personally identifying information (such as names) from data that they have collected, and then freely using that data under the assumption that they are not violating any privacy regulations.

Under CPPA, this practice could still contravene privacy laws. The new Act will clearly distinguish between anonymous data and de-identified data and will introduce clear rules for handling the latter.

Who the Consumer Privacy Protection Act Applies To

CPPA will be broadly applicable to a range of Canadian organizations, including every business that collects, uses, or discloses personal information for “commercial activities”.

In addition to customer data, it also applies to data that is related to federal employees and job applicants. CPPA does not specifically mention employees in the private sector.

How to Prepare for the Consumer Privacy Protection Act

Even organizations with existing compliance policies might find the new rules proposed by the CPPA daunting. However, Microsoft customers have access to the essential tools required to ensure CPPA compliance.

The first step for any business that wants to prepare for the CPPA is to conduct a complete audit of its people, tools, and processes to identify any areas where it falls short of upcoming standards.

Data Privacy Audit Icon

Get CPPA-Ready

Although the Consumer Privacy Protection Act is not yet in effect, there is little doubt that stricter privacy regulations are coming for Canadian businesses. Other regions, like the US and Europe, have already introduced updated privacy legislation — Canada is lagging behind and in the process of catching up. 

Once these rules are implemented, businesses could face fines in excess of $25 million for failing to meet new data compliance standards, plus open themselves up to private lawsuits brought by affected individuals. Simply put, Canadian organizations can’t afford to put off improving their data governance practices. 

For businesses powered by Microsoft, the best place to start is with a Protect & Govern Sensitive Data Workshop. This workshop will assess your organization’s data risks and tell you how your practices measure up against potential CPPA regulations and other key data protection standards. You’ll receive a detailed analysis of your environment and a report on associated risks, plus recommendations and next steps to ensure your organization is fully compliant.


Protect and Govern Sensitive Data Workshop

Why Bulletproof?


Website Testimonials (19)

“Bulletproof is doing an exceptional job of listening to their customers and then going above and beyond to provide them with services to unlock all the value of their Microsoft Security investment. They are able to see the value of our Microsoft security platform and have built a managed SOC service that is driving significant customer value, allowing their customers to remain focused on their business.”

-Julie Jeffries, Modern Work & Security PMM Manager, Microsoft Canada

Call Us