A new federal privacy regime should serve as a wake-up call to any Canadian private-sector businesses that have not yet implemented comprehensive protocols for the collection, use, and disclosure of consumers’ personal information.
Bill C-11, officially entitled “An Act to enact the Consumer Privacy Protection Act and to make consequential and related amendments to other Acts”, proposes the Consumer Privacy Protection Act (“CPPA”) to effectively replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The Canadian government estimates that the CPPA could become law in approximately 18 months.
If passed in its current form, the CPPA would introduce sweeping changes to Canada’s privacy protections and have significant consequences for Canadian businesses. While it will take a while (and be costly) for most small and medium-sized businesses to become compliant with the CPPA, there are a few essential steps that can be taken now in preparation for what is about to become a very stringent piece of Canadian privacy legislation.
To start, companies need to get to the foundational level of privacy protection (why are you collecting the personal information?) and then put meat on the bones by developing policies, procedures, and practices around the protection and proper use of that personal information.
Build the Foundation
As a first step, and in accordance with section 12(2), a business should identify the purpose for collecting, using, or disclosing personal information. In doing so, the business should consider whether a “reasonable person” would consider that purpose to be appropriate in the circumstances. The company must record the purposes (and additional purposes as they arise). In determining whether a purpose is appropriate, amongst other things, consider whether there is a less intrusive means of achieving that purpose, the type and sensitivity of the information collected, whether the loss of privacy is proportionate to the benefits of the purpose, and whether the purpose represents a legitimate business need.
Collect the Bricks and Mortar
Section 15(4) of the CPPA requires businesses to seek “express” consent as a default model. Businesses that previously relied on implied consent may need to re-evaluate whether express consent is now required.
Furthermore, for consent (express or implied) to be valid, it must be “meaningful”, with a high level of transparency about how information is being collected, what it is being collected for, the reasonably foreseeable consequences of the collection, use, and disclosure of personal information, as well as who that information will be disclosed to. Businesses should also review the list of consent exceptions under section 18 to identify where consent is not required. Lastly, companies should think about implementing a consent management system to demonstrate they have obtained express consent, where required.
Cut the Fat
Section 13 of the CPPA requires companies to limit the collection of personal information. Businesses will be required to consider what personal information is “required” to fulfill the purposes, and not rely, more broadly, on what information is “reasonable”. Collecting personal information that is not required to fulfill the purpose may result in hefty fines. Companies using artificial intelligence and machine learning will find this higher standard difficult to meet given the amount of data needed to accurately operate those systems.
The White Picket Fence
According to section 9, businesses are required to establish, implement, and maintain a comprehensive Privacy Management Program (“PMP”) setting out a robust set of privacy-related policies, procedures, and practices. Amongst other things, the PMP should address the business’s protection of personal information and its responses to inquiries and complaints, and should provide for privacy training for staff. For example, businesses should develop Privacy Breach Management Plans; Access, Correction, Deletion, and Portability Procedures; Retention Policies; Privacy Training; and a Privacy Compliance Plan as some of the basics. The formalized PMP must be available on demand for inspection by the Office of the Privacy Commissioner of Canada.
Having words on paper will not be enough. There is an expectation that businesses properly implement the policies, procedures, and practices they develop. Businesses would benefit from developing a Process Map and Data Inventory (“Process Map”), which should be kept up to date. A Process Map allows a business to understand the flow of its data from inception to destruction. A Process Map will also come in handy when businesses need to fulfill the new requirement to delete an individual’s personal information upon request, since doing so requires identifying where that personal information is located within the matrix of systems, including backups and legacy systems.
As part of the PMP, to the extent that companies rely on de-identified data, those companies should regularly evaluate the probability of re-identification. Furthermore, businesses that rely on automated decision making, such as machine learning or artificial intelligence, will need to have practices in place to ensure that explainability is accounted for in decision-making transactions that impact an individual.
Opening the Blinds
The CPPA requires businesses to be more transparent about their personal information handling practices. In doing so, businesses must ensure their Privacy Notices are accessible and explain in “plain language” how personal information is being collected, used, and disclosed. Amongst other things, if a company engages in automated decision-making that has a significant impact on an individual, the company must spell this out in its Privacy Notice. The Notice must also provide transparency about data residency, whether exceptions to consent are being relied upon, any reasonably foreseeable consequences of the collection, use, or disclosure of personal information, the names or types of third parties the personal information is being disclosed to, as well as how individuals can access, delete, or port their data. Companies will need to review their Privacy Notices and update them accordingly.
Failure to comply with the CPPA may lead to significant penalties, including the greater of 3% of a company’s gross global revenue in its previous financial year, or $10,000,000. In addition, the CPPA creates a private right of action for litigants to claim damages for privacy breaches, whereas litigants must currently rely on judge-made law without clear entitlement to damages.
By Sharon Bauer
Sharon is a Privacy Lawyer and founder of Bamboo Data Consulting.