The Canadian Consumer Privacy Protection Act (CPPA) is a proposed Canadian federal privacy law that aims to strengthen individual data rights, modernize consent requirements, and hold organizations accountable for how they collect and process personal information.
The Consumer Privacy Protection Act (CPPA) is part of Canada’s Bill C-27, which seeks to replace the existing PIPEDA with updated rules that better reflect modern digital realities.
The CPPA introduces new rights for individuals—including algorithmic transparency and the right to disposal—while requiring organizations to implement comprehensive privacy management programs.
If enacted, it will align closely with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), enhancing global interoperability across privacy frameworks.
The CPPA modernizes Canada’s federal privacy framework to strengthen trust in the digital economy. It holds organizations accountable for responsible data practices and gives consumers greater control over their personal information.
The CPPA introduces stricter consent standards, mandatory transparency around automated decision-making, and substantial fines for non-compliance.
For multinational companies, compliance with the CPPA also supports alignment with other major privacy regimes such as the GDPR and the Digital Personal Data Protection Act (DPDPA).
OneTrust enables organizations to prepare for compliance with the Consumer Privacy Protection Act (CPPA) through automated workflows, consent management tools, and data mapping capabilities. The platform centralizes compliance documentation, supports individual rights requests, and simplifies reporting for accountability and transparency.
Unlike PIPEDA, the CPPA introduces stronger enforcement mechanisms, new data rights (like disposal and mobility), and explicit obligations around algorithmic transparency and automated decision-making.
The CPPA will be enforced by the Office of the Privacy Commissioner of Canada (OPC), with final orders and penalties adjudicated by the Personal Information and Data Protection Tribunal.
While the General Data Protection Regulation (GDPR) serves as a global benchmark, the CPPA adapts its principles for Canada’s legal environment—balancing innovation and accountability with practical compliance expectations.