Canada’s privacy laws may be undergoing a major overhaul to resemble the EU’s General Data Protection Regulation (GDPR), which provides some of the strongest protections of personal information. Bill C-11, currently in its Second Reading in parliament, would establish the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act, and would replace the Personal Information Protection and Electronic Documents Act (PIPEDA).
The bill is intended to protect personal information and people’s rights to their information. Should it become law, Canadians will have more rights over their personal information held by organizations:
- You can manage what organizations can do with your personal information.
- You can see what personal information is held by an organization.
- You have the right to request the deletion of personal information.
It also sets out the obligations of an organization.
- You need to ask permission to collect, use, or disclose personal information.
- You need to have a reasonable purpose for collecting personal information and record the purpose in advance.
- You need to use plain language that a reasonable person would understand when doing so.
- You need to provide a contact for managing CPPA responsibilities.
- You cannot collect more personal information than you need.
- You need to delete information that is no longer in use.
As a technical specialist who will be on the frontline of implementing these changes, I know there is a lot of interest or concern in the CPPA. Please note that I am not a lawyer and this article should not be construed as legal advice. The bill contains specialized language that means specific things in a legal context that I am not qualified to recognize.
Bill C-11 is still early in the legislative process and may undergo changes or not even pass. The stages in the legislative process are many. Bill C-11 has already passed the first two stages – (1) the notice of a motion that alerted the House of Commons that the bill was coming; and (2) the first reading where the bill was introduced (no voting during this stage). It is currently in the second reading where the bill is being debated on for the first time and will proceed to a vote. The next five stages are as follows: (4) the committee stage which considers the bill and where every section of the bill is debated and voted upon by a committee; (5) the reporting stage where the committee reports back to the House of Commons on the results of the committee stage; (6) the third reading where another debate and vote is held in the House of Commons – if the bill passes of the third reading, then the Senate will debate and vote on the bill, essentially repeating the previous five stages; (7) if the bill passes the Senate readings, then the bill is brought before the Lieutenant General or Governor General to receive Royal Assent; and (8) after receiving Royal Assent, the bill comes into force at that time or on another specified date.
With that out of the way, let’s have a look at the CPPA.
Personal information means information about an identifiable individual.
CPPA Part 1, Interpretation 2
The definition of personal information is rather foundational to an act like this. Based on this definition, the Act would not apply if the individual is not identifiable.
Does the information that gets sent to Google Analytics fit this definition? It is against Google’s terms of service to send personal information to Google Analytics. By default, the only piece of information that might fit this definition is the client ID that is used to identify the browser although IP address only recently defaulted to anonymized IP and only on the new GA4.
Browsers are often unique to the individual using them: families often share browsers, but a significant proportion of computer users use a browser that they do not share with anyone else. Does a browser being unique to an individual make that individual identifiable? I don’t know. If the client ID doesn’t qualify as personal information, then default Google Analytics should be fine unless you have personal information leaking into URLs.
Customized installations will require more thought. Breaking the Google Analytics terms of service and sending personal information without permission is a problem but there is a wide spectrum between default installations and sending personal information that requires care.
Businesses can accidentally find themselves trafficking in personal information. A lot of data do not appear to be identifiable on the surface but actually are identifiable.
For example, some postal codes have only a single residence in them which makes postal codes alone identifiable.
Furthermore, the ease with which compositing data can identify individuals makes it easy to turn what on the surface might seem like innocuous information into personal information.
I doubt that the Commissioner’s office set up under Bill C-11 will hunt down organizations that unwittingly have information that in combination can be used to identify individuals. A more likely set of targets are organizations that try to disingenuously use information that on its own is not personal to identify people and circumvent the law. But it is still good to understand what data you have; how it can be used; and how it can be misused.
Obligations of Organizations
An organization must designate one or more individuals to be responsible for matters related to its obligations under this Act. It must provide the designated individual’s business contact information to any person who requests it.
CPPA Part 1, Obligations of Organizations 8 (1)
This strikes me as potentially onerous to small businesses.
Understanding how data is used within a business is necessary to fulfill obligations like removal requests and formulate permission requests that reflect how personal information is used in a business.
The larger a business gets, the harder it is to understand how data flows, but I would not be surprised if most solo-preneurs do not understand how they are using personal information because tools do a lot of work in the background.
A tech business with just 20 employees is likely to have some complex data flows. It is easy to plug in integrations, but it is hard to set up a data governance structure and set up data infrastructure that ensures data can be centrally managed.
This requirement in Canada’s CPPA, without any special provisions, will be good for people like me who work with data and business systems and have a passing understanding of the regulations but will be a challenge for most small businesses.
The law also allows that volume and sensitivity are to be considered when developing a privacy management program, so perhaps this protects small businesses a bit. Unless these parameters are further defined in the Act as it passes through the House, it will be left up to judges to decide what this means and provide the precedents before small business owners can be confident in their compliance. However, it will take years before the Act is passed, challenged in courts, and subject to tribunal and judicial rulings.
Likely, the government will not prosecute any but the most egregious violations of the CPPA among small businesses. For example, the CRTC lists only 11 decisions out of 24 actions under Canada’s Anti-Spam Legislation (CASL) since it was implemented in 2014. That does not mean that the CPPA enforcement will be similarly lax, but it does not support a business case for sudden, radical change by organizations trying to comply with the law either.
I do not expect that in practice small businesses will be at much risk of being subject to a decision under the CPPA in the near-to mid-term. It would still be better if the law accounted for these cases rather than leave businesses at the mercy of common sense.
California’s privacy regulations specifically exempt businesses that do not meet one of these thresholds:
- Annual gross revenues of $25 million;
- Annually buy, sell, receive, or share for commercial purposes the personal information of 50,000 or more consumers, households, or devices; or
- Derive 50 percent or more of its annual revenues from selling consumers’ personal information.
It would be nice if the CPPA were more precise in limiting the requirements of small businesses under the law unless they brokered or trafficked personal data as their business. It is not too late for Parliament to address this nor is it too late for us to bring these potential problems to their attention.
Every organization must implement a privacy management program that includes the organization’s policies, practices and procedures put in place to fulfil its obligations under this Act, including policies, practices and procedures respecting
- the protection of personal information;
- how requests for information and complaints are received and dealt with;
- the training and information provided to the organization's staff respecting its policies, practices and procedures; and
- the development of materials to explain the organization's policies and procedures put in place to fulfil its obligations under this Act.
CPPA Part 1, Obligations of Organizations 9 (1)
This is going to be an even more onerous requirement as it will require collaboration and significant effort between technical specialists, various operations functions, and human resources.
Requests for information and complaints is the simple part for small businesses: you can handle them manually through your contact form although each request will be onerous for the individual handling them if you choose this route. Larger businesses using a customer data platform (CDP) can add a good deal of automation and greatly reduce the effort for each request.
Training and information should affect every employee and that training may need to be specialized for different roles in the company and integrated into existing training efforts.
Protecting information requires an understanding of how data flows through the company which, as I have already established, is usually complex. And then you will probably want to add some privacy protections to reduce the amount of training required.
With all of this in place, you will then need to document it all.
That will be a lot of work for even small companies.
Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
CPPA Part 1, Consent 15(4) Form of Consent
This is a nice common-sense addition. If someone fills out their contact information in a contact form, we should not need to ask for separate permission to save that information and respond to their request.
In March 2014, the Privacy Commissioner of Canada clarified forms of consent related to PIPEDA. Principle 4.3.6 distinguished "express" and "implied" consent. Express consent is required when the information is likely to be sensitive. Implied consent is appropriate when the information is less sensitive. In cases regarding the issue of express versus implied consent, the "reasonable expectations of the individual" is always a determining factor in analyzing whether the facts point to express or implied consent. However, the standard of reasonableness will differ depending on facts, industry-standards, norms, etc. As such, this will remain an analysis that is unpredictable and will not be remedied by the CPPA. Essentially, the CPPA only imported Principle 4.3.6 without providing guidance on "reasonable expectations".
The informed consent requirements are heavily borrowed from the GDPR. Many organizations found this aspect of the GDPR to be the most cumbersome compliance requirement – how do you obtain informed consent at or before the time that the data is collected, and allow individuals to opt-out of the collection of some of their data, but not others? Which data collection purposes are reasonably foreseeable such that they must be disclosed?
In practice, this form of consent can get quite tricky without the right mix of knowledge and leadership in an organization.
The obligations under this Part (Accountability of Organizations) … do not apply to a service provider in respect of personal information that is transferred to it. However, the service provider is subject to all of the obligations under this Part if it collects, uses or discloses that information for any purpose other than the purposes for which the information was transferred. Service provider means an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor, that provides services for or on behalf of another organization to assist the organization in fulfilling its purposes.
CPPA Part 1, Same protection 11(2) Service provider obligations
This is another bit of common sense. If you want to hire someone like me to work with your data or you start using a new CRM or similar business system, I will not need to get separate permission nor would the CRM company unless we use the information for ourselves.
However, the organization will be vicariously responsible, to some extent, for what the services provider does with any personal information that they transfer to the service provider. As a result, one consequence for organizations will be the negotiation of commercial contracts with outside vendors. Do the contracts allow the vendor to collect data from the organization’s users/website visitors? If so, organizations should try to limit the permissible data collection to “aggregated data” containing “no personal information”. Another strategy is to require such vendors to represent and warrant by contract that they have adequate data protection security protocols in place. This is because the legislation would make organizations responsible for ensuring that their third-party vendors who are “service providers” will adequately protect any personal data that the organization transfers.
Renegotiating contracts is the legal remedy to these challenges, but there are also potential technical remedies for some situations.
Web-integrated SaaS providers like analytics, ad networks, marketing automation systems, and customer relationship management software often do not let their customers negotiate contracts except for the largest of enterprise organizations.
The data collected by these companies are determined by scripts downloaded to your visitors’ browsers directly from these companies initiated by the tags that you put on your site. This means that they can change what data is collected without your knowing.
The technical alternative to renegotiating commercial contracts in this situation is to switch to a server-side tag management system and run all site tags through the server-side tag management system. This will result in you having just one tag on your site that goes to a server that you control where you distribute data to service providers. If a service provider needs a change, they will have to ask you to send them the data rather than arbitrarily change a script without giving you any notice or control.
The organization must not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of their personal information beyond what is necessary to provide the product or service.
CPPA Part 1, Consent required 15 (5) Consent --- provision of product or service
There is a big deal being made about Facebook, the owners of WhatsApp, to accept new terms of service that let it combine WhatsApp data with other Facebook products. Failure to accept these terms will disable WhatsApp on your phone (note that while in editing Facebook has delayed these changes; it is still a good example).
If the CPPA were law right now, Canadian users would be protected from this behaviour just as European users are.
On a more practical level, we probably cannot ask for more than an email address for accessing white papers, webinars, and the like since an email address is usually all that is required to provide these services.
An organization must not retain personal information for a period longer than necessary to
- fulfil the purposes for which the information was collected, used or disclosed; or
- comply with the requirements of this Act, of federal or provincial law or of the reasonable terms of a contract.
The organization must dispose of the information as soon as feasible after that period.
CPPA Part 1, Period for retention and disposal 53
The Act has a lot more about data retention, but I just wanted to point out that most of the companies that I have worked with do not have processes to delete old data. A 30-year-old CRM system, for example, will almost certainly have 30-year-old contact records.
If that describes you, it is time to fix that.
This Act does not apply to
- any government institution to which the Privacy Act applies;
- any individual in respect of personal information that the individual collects, uses or discloses solely for personal or domestic purposes;
- any organization in respect of personal information that the organization collects, uses or discloses solely for journalistic, artistic or literary purposes;
- any organization in respect of an individual's personal information that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession; or
- any organization that is, under an order made under paragraph 119(2)(b), exempt from the application of this Act in respect of the collection, use or disclosure of personal information that occurs within a province in respect of which the order was made.
CPPA Part 1, Application 6 (4) Limit
What surprises me about this clause is that political parties are not exempted like they are from the Canadian Anti-Spam Law (CASL). It can only be good when politicians follow the same laws as everyone else. Exempting politicians from modernizing their marketing and promotional technology practices ensures that we perpetuate politicians incapable of change who lack a basic understanding of these technologies.
I could see the CPPA being used against political spam even with the CASL exemption. You cannot, for example, contact your MP without getting spammed afterwards. They may be exempt from CASL, but they also cannot change the purpose of collecting and using that information without consent.
I highly doubt that providing my name and email to my MP when raising an issue that concerns me would fall under the same purpose as asking to receive promotional emails.
Automated Decision Systems
Automated decision system means any technology that assists or replaces the judgement of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets. (système décisionnel automatisé)
CPPA Part 1, Interpretation 2
The CPPA goes to the effort of defining automated decision systems but does not do much more. Where it mentions them, it is confusing and unclear. I fully expect to see sensationalist articles on how the CPPA bans AI from Canadian companies.
Most AI, including most machine learning, deep learning and neural network algorithms, does not know why it comes up with an answer. This problem gets worse the more intelligent AI gets. It is a limitation on current AI systems.
The problem of traceability in AI is currently being worked on, but only the most sophisticated tech companies can even begin to provide traceable AI decisions.
And yet, the CPPA includes the following requirements under the Access to and Amendment of Personal Information section of the law:
If the organization has used an automated decision system to make a prediction, recommendation or decision about the individual, the organization must, on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.
CPPA Part 1, Access to and Amendment of Personal Information 63 (3) Automated decision system
Can a vague “we sent a mix of personal data and behavioral data into our neural network and it assigned you to group x” qualify as an explanation? Would mentioning that “we periodically test the predictions and are confident that the algorithm is right 75 percent of the time” satisfy the request?
It is not clear.
A commitment to supporting traceability as technology and budgets allow would be more helpful.
Or, alternatively, a commitment that explaining in general how personal information is used to make predictions and what personal information was sent to the algorithm would also be practical from the perspective of an organization that uses AI in some form.
This section is much too vague.
Furthermore, AI is becoming so baked into products, that you can use AI without even realizing it.
The obligations of service providers here also need to be considered. For example, I use several Google products. I cannot be expected to explain automated decisions made using these products. Even if Google documented their automated decisions sufficiently for me to explain them to my customers, I cannot really be expected to know when Google changes an algorithm.
Explaining decisions in situations like these must fall on the service provider. However, we do not have to get permission for specific service providers, just for each purpose of collection, use, and disclosure of personal information, so my customers would have no way of knowing who to ask about the reasons behind an automated decision. Presumably, my customers would ask me and I would then pass that request along to the service provider, but the law doesn’t make any special provisions for service providers having a contact for CPPA requests.
I cannot imagine any customer of mine being happy about me telling them to ask Google for the reasons behind a decision and it is even worse because Google is famously difficult to get in touch with.
The sections on automated decision making need to be thought through more thoroughly or cut.
Small Business and the CPPA
Despite some problems, I think the CPPA is an improvement. It sticks close to the EU’s GDPR which will make compliance easier for companies doing business in both jurisdictions. California’s laws that came in to force in 2020, by comparison, are also based on GDPR but diverge substantially enough that you need to use completely different permission systems in order to fulfill your obligations under the two laws.
Even though it is imperfect, it is also an improvement on which our laws can keep evolving.
Most importantly, as someone who benefits from businesses panicking about CPPA compliance, trust me when I say, “don’t panic.”
You will go a long way towards following the law by respecting your customers’ privacy and data, and your customers will appreciate this too. Usually, when the government introduces a new law like this, they will target the biggest, and worst offenders first and publicize those decisions well giving you time to understand what is allowed and what is not so that, when you have to explain an automated decision system for example, you should know what will satisfy this requirement.
However, before imposing a penalty, the tribunal would need to consider “the organization’s history of compliance with this Act”, among other things. Thus, the following low-cost steps may serve as evidence of compliance:
- Designating a responsible individual;
- Creating an internal data privacy management plan, and circulating it within the organization; and
- Renegotiating commercial contracts with vendors who are service providers.
Perfect compliance is going to be difficult—particularly as you introduce more technology into the company—so do pay attention to CPPA and its enforcement and do pay attention to personal data in your business.
The bigger you are and the more data-focused your business is, the more you are going to need to be on top of the CPPA and personal data used in your organization.
Additionally, the more profitable the organization, the greater the risk. The maximum penalty is “the higher of $10,000,000 and 3% of the organization’s gross global revenue in its financial year before the one in which the penalty is imposed.
We should be thinking about how we handle personal data and evolve our data practices, but not panic into spending big bucks on massive change to comply with a law that is not even in force, will certainly see changes, and may not even pass.
Thank you to Albert Chen, Articled Student, and Shira Zucker, lawyer, of Kornfeld LLP for generously reviewing my thoughts on CPPA and providing legal context and analysis. Nothing herein should be construed as legal advice by Kornfeld LLP to any person or entity. Should you wish to discuss how the CPPA may affect your organization, or to obtain legal advice on this or other technology and privacy matters, you may contact Kornfeld LLP at firstname.lastname@example.org or (604) 331-8317.