Skip to main content

On-demand webinar coming soon...

Blog

Preparing for new privacy legislation in Canada: Part One

How Canadian companies should respond to the new Consumer Privacy Protection Act (Bill C-27)

Neil Saddington, Privacy Program Director, OneTrust
April 20, 2023

Abstract office building facade

I remember this headline well, and you may too: Back in 2017, the Economist published “The world’s most valuable resource is no longer oil, but data. While that article focused on antitrust issues surrounding internet giants like Meta, Amazon, and Alphabet, many believed that the gist of the piece was right: Data was increasingly becoming the key resource for the digital world. But gathering and managing data is getting more challenging. Consumers are pushing back, worried about privacy and demanding more control about how their personal information is collected and used. And governments around the world are responding, including a significant new piece of legislation in Canada: Bill C-27.

Canada has had a federal privacy law for more than two decades – the Personal Information Protection and Electronic Documents Act (PIPEDA) dates back to 2000 – but it is attempting to  considerably up the stakes for a second time with Bill C-27 which currently includes three main pillars: 

  • The Consumer Privacy Protection Act (CPPA), designed to ensure consumers have a greater degree of privacy and control over their personal information.

  • The Data Protection Tribunal Act, which creates a new enforcement organization for the CPPA – and will have the authority to levy large penalties for noncompliance.

  • The Artificial Intelligence Act creates new requirements for algorithmic transparency and automated decision-making in response to these emerging, AI-based uses of personal information.

     

The new legislation was introduced in 2022 and is currently under debate and tentatively expected to be enacted this year, pending further review in committee. This comes on the heels of changes to the private sector privacy act in Quebec, and reviews of the private sector privacy laws in Alberta and British Columbia. 

 

Canada is part of a worldwide shift to strengthening privacy and trust

The new law would effectively replace PIPEDA and demand a new level of compliance rigor by Canadian companies and companies doing business in Canada. Bill C-27 also puts Canada squarely in the mainstream in terms of contemporary data privacy, which began in 2016 with the landmark  General Data Protection Regulation (GDPR) in the European Union - considered by some to be the most rigorous privacy and security law in the world. Other statutes have followed, including regulations like the California Privacy Rights Act (CPRA), which added new privacy protections to the California Consumer Privacy Act (CCPA).

Where PIPEIDA was based on principles and guidance, Canada’s new legislation is based on more explicit and much more stringent requirements for the collection, use, and disclosure of personal information. Under Bill C-27, companies that collect personal information from Canadian consumers must be aware of several key provisions:

  • Collection, use, and disclosure of personal information generally requires explicit consent. You must tell consumers why you want the data and how it will be used, and the language used to generate consent must be clear and unambiguous.

  • Automated collection of email addresses and other information is much more restricted.

  • Data minimization will be the law of the land. Companies will be required to limit the data they collect to the absolute minimum amount required to do what they need to do.

  • Consumers will have new rights to ensure their ability to correct their personal information, to withdraw their consent to using it, and to ensure their data is deleted. 

  • Consumers also have the right to data portability – to transfer information to a new organization (for example, when switching to a new service provider).

 

Perhaps even more significantly, Bill C-27 would substantially amend the existing enforcement framework through the Data Protection Tribunal Act. The Tribunal would be empowered to issue substantial fines for administrative noncompliance: up to 3% of your worldwide annual revenue or CAN$10 million. Furthermore, failures to report a data breach and other more serious infractions you could lead to fines of up to 5% of global revenues or CAN$25 million. Plus, affected individuals can sue for damages privately. 

The third pillar of the Bill C-27, the Artificial Intelligence and Data Act, mandates “increased transparency” for algorithms and AI systems. In other words, you must be prepared to justify how your AI system delivered a recommendation or decision based on a user’s personal data. 

 

What to do now

Consumers and governments are right to be concerned about privacy and data protection, and their expectations and legal frameworks about these issues will continue to evolve. I believe that Economist headline about data as “the new oil” was essentially right, but today, building trust with the suppliers of data – consumers – has become more important than ever. 

Of course, it’s possible – perhaps even likely – that the CPPA and related components of Bill C-27 will evolve as the Canadian Parliament continues to debate the legislation. Nonetheless, now is an excellent time for companies doing business in Canada to look at the implications of this more stringent approach to privacy and the collection, use and disclosure of personal information – and not just because it would be expensive not do so. A key part of your motivation should be the desire to win the long-term trust of your consumers, and we believe that a strong focus and respect for privacy and privacy protection is the way to win that trust. 

 

How OneTrust can help

Companies doing business in Canada can leverage OneTrust to comply with Bill C-27. Our Consent & Preference Management, Privacy Rights Automation, and Digital Policy Management solutions, along with our DataGuidance Research, help companies worldwide to manage the collection, protection, and transferability of personal information. 

To see how OneTrust can help you navigate Bill C-27, request a free trial today.


You may also like

Webinar

Privacy Management

India's DPDPA: What you need to know

In this webinar, legal experts discuss India's newly enacted comprehensive privacy law, the Digital Personal Data Protection Act, 2023 ('DPDPA') 

September 12, 2023

Learn more

Webinar

Privacy Management

New states, new dates: Preparing for Indiana, Montana, Tennessee and Florida state privacy laws

Join our expert panel where we examine upcoming privacy legislation in Indiana, Montana, Tennessee, and Florida and the key requirements of each law.

June 20, 2023

Learn more

Checklist

Privacy Management

The Revised FADP: 7 steps toward preparedness

Prepare for Switzerland’s Revised Federal Act on Data Protection (Revised FADP) when it comes into force on September 1, 2023 with our free compliance checklist.

June 15, 2023

Learn more

Webinar

Privacy Management

Saudi Arabia's PDPL latest amendments: Are you ready?

Join OneTrust and Deloitte Middle East as we cover the latest changes to Saudia Arabia's Personal Data Protection Law (PDPL) and what it means for organizations in the KSA region.

May 30, 2023

Learn more

Webinar

Privacy Management

GDPR turns 5: Celebrating data protection

Northern Europe panel - Join our panel of experts as they recap the GDPR, its key concepts, and what it means for organizations and compliance. 

May 25, 2023

Learn more

Webinar

Privacy Management

5 years of GDPR: Milestones, challenges, and opportunities

Eastern European panel - Watch our webinar as we look back on 5 years of the GDPR, AI, and their impact on Europe, the world, and your organization.

May 24, 2023

Learn more

Webinar

Privacy Management

Understanding Washington's My Health My Data Act

The Washington My Health My Data Act was signed into law on April 27, 2023 and will be enacted the following year. Join OneTrust DataGuidance and a team of legal experts and get the knowledge you need for compliance.

May 18, 2023

Learn more

Infographic

Privacy Management

Comparing Canada's privacy laws infographic

Download this infographic to compare provisions in Alberta, British Colombia, and Quebec with those found at a federal level in PIPEDA and those proposed under the Consumer Privacy Protection Act.

May 18, 2023

Learn more

Blog

Privacy & Data Governance

Comparing US privacy law exemptions infographic

Learn how to navigate the new US privacy law exemptions and see how they compare.

May 01, 2023

Learn more

Webinar

Privacy & Data Governance

Iowa joins US privacy landscape with a new law

OneTrust DataGuidance’s webinar discusses Iowa’s CDPA, its similarities to other US privacy laws, its implications on organizations, and steps for compliance.

April 10, 2023

Learn more

Webinar

Privacy Automation

OneTrust and Deloitte UK - Data transfers: Assessments & safeguards

OneTrust's Center of Excellence and Deloitte UK will discuss data transfers and GDPR compliance, covering the UK stance, ICO/EDBP guidance, and more.

April 04, 2023 1 min read

Learn more

eBook

Privacy Management

The 3 Priorities for DPOs in France: Gain Visibility, Take Action, Automate eBook | Resources | OneTrust

French DPOs should take three priorities into account when building their data protection and compliance programs and processes in 2023.

February 21, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to consent and preferences in the healthcare sector

Download the guide to learn more about how to use consent and preferences to elevate patient and customer experiences in the healthcare sector.

February 15, 2023

Learn more

eBook

Privacy & Data Governance

The Ultimate Guide to PIPEDA compliance eBook

Download this eBook to understand how to meet the requirements of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

February 06, 2023

Learn more

eBook

Consent & Preferences

The ultimate guide to US opt-out requirements

Learn about the different opt-out requirements, such as a “Do Not Sell My Personal Information” in the US privacy landscape, and how to comply with them.

January 23, 2023

Learn more

Checklist

Consent & Preferences

8 steps to Quebec Law 25 compliance

Read our checklist to learn how to stay on top of Quebec Law 84, which introduces many new measures to Canada’s privacy landscape.

October 19, 2022

Learn more

Resource Kit

Consent & Preferences

Your marketer’s masterclass resource kit

OneTrust has created a range of resources to help marketing teams take a privacy-first approach that turns consumer trust into a competitive advantage.

September 06, 2022

Learn more

Resource Kit

Privacy Management

Your US privacy masterclass resource kit

These resources provide key information on US privacy law through blogs, webinars, and eBooks.

April 26, 2022

Learn more

Infographic

Privacy & Data Governance

Saudi Arabia Personal Data Protection Law (PDPL) overview

Learn more about Saudi Arabia's Personal Data Protection Law (PDPL) and what companies need to know for compliance.

February 24, 2022

Learn more

Infographic

Privacy & Data Governance

Employee rights under the CPRA

Download our infographic on employee rights under the CPRA to help prepare for the law's expansion in CPRA. 

December 07, 2021

Learn more

eBook

Privacy & Data Governance

The ultimate guide to CCPA compliance

The Ultimate Guide to CCPA Compliance eBook highlights key compliance areas of  the CCPA that you should consider when building a privacy program.

December 01, 2021

Learn more

Infographic

GDPR's 8 fundamental data subject rights

Download our GDPR's 8 Fundamental Data Subject Rights infographic and learn more about the individual rights guaranteed under the EU's major privacy law. 

August 27, 2021

Learn more

eBook

Privacy & Data Governance

10 steps to meeting the GDPR Article 30 requirement

Download this eBook and learn how to leverage data mapping for your GDPR Article 30 compliance program. 

July 22, 2021

Learn more

eBook

Privacy & Data Governance

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

Download this eBook for an overview of the Virginia Consumer Data Protection Act (CDPA) to understand what it means for organizations.

July 22, 2021

Learn more

Webinar

Privacy & Data Governance

CCPA compliance masterclass

Watch our OneTrust CCPA Masterclass Series and learn how to prepare your organization for CCPA compliance.

Learn more