Don’t Risk Millions of Dollars in Fines by Disregarding Canada’s New Consumer Privacy Protection Act
On November 17, 2020, the Canadian Digital Charter Implementation Act was introduced, consisting of two parts. One enacts the new Consumer Privacy Protection Act (CPPA), and the second enacts legislation to establish a Personal Information and Data Protection Tribunal. This legislation is aimed at protecting consumers and redefines obligations and expectations for organizations that manage many consumers’ Personal Information (PI).
The legislation would provide for administrative monetary penalties of up to 3% of global revenue or $10 million for non-compliant organizations. Serious contraventions are subject to a maximum fine of 5% of global revenue or $25 million.
In addition to oversight directed by the Office of the Privacy Commissioner of Canada, companies such as telecoms may also be subject to privacy rules mandated by provincial regulations, as well as the Internet Code and the Wireless Code issued by the Canadian Radio-television and Telecommunications Commission (CRTC). That’s a lot of rules!
While you can anticipate changes to the CPPA arising from the ensuing consultation period, it’s likely that many of the key principles in the law will remain intact, such as:
- Meaningful consent: Modernized consent rules, plain-language information to make meaningful choices in the use of personal information.
- Right to data mobility/portability: The right to direct transfer of personal information from one organization to another.
- Right to disposal of personal information and withdrawal of consent: Accessibility to allow individuals to request organizations dispose of personal information and, in most cases, permit individuals to withdraw consent for the use of their information.
- Algorithmic transparency: New transparency requirements that apply to automated decision-making systems like algorithms and artificial intelligence.
- De-identified information: Clarifications on how this information is protected and used without an individual’s consent under certain circumstances.
- Cross-border transfers: Clarifications on transparency obligations.
Many Canadian companies already make substantive investments in privacy program leadership, data discovery tools, and exercises and incorporate related ethics into their governance model. However, pending Canadian privacy legislation introduces a new set of regulations and a formal bureaucracy that requires companies to understand and address the delta between their existing maturity and the new landscape.
CAPP helps organizations meet these types of regulatory obligations by:
- Supporting your Privacy Officer or sponsor in the initiation, planning, and execution of a comprehensive project plan that addresses and prioritizes compliance with each functional requirement outlined in Canada’s proposed privacy regulation.
- Ensuring your privacy compliance goals are aligned with your company’s overarching privacy program charter, company culture, and customer experience expectations.
- Producing accessible resources, guidance/advisement, reporting, and documentation throughout our engagement and ongoing support to your Privacy Officer and team.
The new Canadian Consumer Privacy Protection Act regulations governing the use of consumers’ personally identifiable information (PII) needn’t be burdensome! In fact, they can help protect your organization, reduce operating expenses, and identify opportunities for better governance that help you avoid fines and litigation exposure, and foster trust that enhances customer experiences.
Let Compliance & Privacy Partners help Canadian companies like yours comply with these regulations by:
- Knowing your data – Compliance starts with understanding what data you retain and what you do with it. We help organizations efficiently complete their data mapping exercises to visually understand what personal information is collected, how it’s stored, how it’s accessed, and with whom it’s shared or made accessible.
- Responding to consumer requests – We help you set up a consumer-facing and backend system to allow, verify and process data subject requests to access, delete, or correct information and to help a consumer opt-out of the sale of their information.
- Updating policies and procedures – Privacy policies must be updated regularly, and we make sure your data collection forms and disclosures accurately describe your data collection processes and comply with the regulations. We help you use plain language and alert customers to any updates.
- Working with your data processing vendors – Ensuring vendors and business partners are working towards compliance is critical. We help you identify and update vendor contracts with the appropriate roles and responsibilities and limit your organization’s liability in the event of non-compliance.
- Providing education and training – We help you train consumer-facing staff so they are prepared to inform consumers about how the company is complying with regulations like the CPPA and to process requests. Compliance, legal, IT, operations, and marketing teams should all be aware of how compliance with this law works across the organization.
- Monitoring and compliance – Establishing governance with clearly defined roles and responsibilities within your organization is key to sustaining compliance. We help organizations like yours formalize their compliance programs and perform privacy impact assessments.
Take charge of your information governance challenges by contacting us today for a free consultation about your obligations under privacy regulations such as PIPEDA and the Canadian Consumer Privacy Protection Act.