Consumer Privacy Protection Act

Trust is the foundation on which Canada is building its digital and data-driven economy. For Canadians to continue benefitting from the latest technologies, knowing that their personal information is safe and secure and that their privacy is respected, the Government of Canada has introduced the Digital Charter Implementation Act, 2022.

This includes the proposed Consumer Privacy Protection Act (CPPA), which would replace the existing Personal Information Protection and Electronic Documents Act and establish a new Personal Information and Data Protection Tribunal. The CPPA represents the most significant change to Canada's private sector privacy law in 20 years. It would raise the bar for privacy protection in Canada by providing Canadians and businesses with clear rules for handling personal information in accordance with the principles of Canada's Digital Charter, with real consequences for organizations that do not comply with the law.

Find out more about what the new CPPA could do for you.

Enhancing Canadians' control and consent

  • Organizations will have to provide you with information in plain language about the handling of your personal information and allow you to give meaningful consent.
  • Data mobility will give you better control over your data by empowering you to direct the secure transfer of your information from one organization to another.
  • The right to disposal will allow you to request the deletion of your information when you withdraw consent or when it is no longer necessary for an organization to handle the information.
  • New rules will require transparency on the use of automated systems—such as artificial intelligence—that make decisions and predictions about Canadians.

Protecting children's information

  • The personal information of minors will be automatically considered sensitive information, further enforcing children's privacy and safety.
  • Express consent will be required by default for the collection, use and disclosure of children's information.
  • Legal guardians and children will have stronger privacy rights for the destruction of their information.
  • Organizations will be prohibited from using manipulative techniques as a means to collect children's information.

Enabling responsible innovation

  • The use of codes of practice and certifications will make it easier for businesses to comply with the law.
  • Greater flexibility will be allowed for the collection and use of personal information for certain business activities that are core to the delivery of a product or service and are reasonably anticipated by an individual.
  • Clearer rules for the handling of de-identified information will facilitate its use for the research and development of innovative goods and services.
  • Businesses will be allowed to disclose de-identified information to public entities for socially beneficial purposes, such as the improvement of the environment, public health or public infrastructure.

Strengthening enforcement and accountability

The CPPA will keep Canada aligned with the privacy laws of international trading partners and will impose fines on non-compliant organizations. These fines will be among the most serious in the G7 countries.

  • Consumer Privacy Protection Act: Fines of up to 5% of revenue or $25 million, whichever is greater, and administrative monetary penalties of up to 3% of revenue or $10 million, whichever is greater
  • European Union's General Data Protection Regulation: Fines of up to 4% of global revenue, up to €20 million
  • United Kingdom's Data Protection Act: Fines of up to 4%, to a maximum of £17.5 million

The CPPA will empower the Privacy Commissioner of Canada to issue orders to non-compliant organizations and to recommend penalties for non-compliance.

Get the facts

How will the CPPA address unjustifiable surveillance by businesses?

Consent is a fundamental principle, meaning that businesses:

  • need your consent to collect, use or disclose your personal information, with only some limited and specific exceptions
  • can only use your personal information for appropriate activities
  • must be transparent about the use of automated systems, such as artificial intelligence
  • must notify you when your information is at risk from a data breach

Will the CPPA allow businesses to collect and use my personal information for any purpose?

Consent is required for businesses to collect, use or disclose your personal information, with only some limited and specific exceptions.

Businesses sometimes need personal information to provide a product or service you have requested. This is why, with important safeguards in place, the CPPA will provide certain exceptions to consent where such exceptions would be reasonably expected and where businesses are not trying to influence your decisions without your knowledge.

Will the CPPA hold back innovative businesses?

On the contrary, the CPPA will give businesses clear rules and greater flexibility for the collection and use of personal information. More specifically, it will:

  • create a system where businesses can seek approval of industry codes of practice and certifications from the Privacy Commissioner, clarifying how they can comply with the law
  • allow greater flexibility for the collection and use of personal information for certain business activities that are core to the delivery of a product or service, to enable responsible data-driven innovation
  • provide clearer rules for the handling of de-identified information to facilitate the use of this information for research and development

Will the CPPA prioritize business interests over protecting the rights of individuals?

The CPPA recognizes that individuals have the right to privacy with respect to their personal information, while also addressing the need for businesses to collect, use or disclose personal information for reasonable and appropriate purposes.

The government's objective is to ensure that organizations respect Canadians' privacy rights while continuing to enable responsible data use that will support innovation and the economy, and benefit our society as a whole. To this end, the CPPA will grant the Privacy Commissioner the ability to require a business to cease or undertake an action, and to recommend non-compliance penalties of up to 3% of global revenue, or $10 million.

Will the CPPA include privacy as a fundamental right?

The CPPA recognizes the importance of privacy law in protecting human rights. It will do its part in regulating the protection of personal information specifically within the context of commercial conduct, rather than in the context of civil rights, which is a provincial responsibility.

Individuals will have their privacy rights safeguarded through the broad range of powers held by the Office of the Privacy Commissioner of Canada (OPC), which is responsible for receiving complaints, settling matters and conducting investigations. The CPPA also introduces a new Personal Information and Data Protection Tribunal, which will serve as an additional means of recourse for privacy complaints.

How will Canadians benefit from this new Personal Information and Data Protection Tribunal?

The CPPA will allow for those who are not satisfied with findings from the OPC to seek further action through an appeal to the Personal Information and Data Protection Tribunal.

The Tribunal is intended to provide a more accessible and efficient means of recourse to individuals and smaller companies. The Tribunal will also make the final decision on whether to issue an administrative monetary penalty as recommended by the Privacy Commissioner, and its amount.

It will operate in a transparent manner and will be staffed with privacy experts to help protect the rights of Canadians.
