In November 2020, the new act was introduced by the Canadian legislators and its name was set to be the Consumer Privacy Protection Act (CPPA). This Canadian data law was created with an aim to provide maximum data protection to consumers working with merchants and other small and large businesses.
It is considered as one of the most comprehensive data laws because it regulates the use of both new personal data and the information covered under the Data Protection Regulation Act (DPRA).
The CPPA's main goal is to function similarly to the GDPR and govern the privacy principles of PIPEDA. This law has strengthened the enforcement of privacy protection and applies to any organization that is responsible for the safeguarding of personal information of consumers, especially Canadian citizens, used for commercial purposes.
The Background: CPPA
As we know, PIPEDA was implemented in 2000, which was more than two decades ago.
At that time, Canada was going through various changes and amendments of their privacy laws. When we compare the Canadian data privacy laws with the privacy regulations of the U.S. and Europe, there are stricter privacy regulations in Canada imposed with a goal to ensure maximum data safety in the digital age.
After the enforcment of PIPEDA, to guarantee further control of personal consumer information as well as greater transparency involving the business use of consumer information, a new law was introduced, named Canadian Consumer Privacy Protection Act (CPPA).
It is relevant to mention that the term Debt Collection Improvement Act (DCIA) is also used when discussing Canadian privacy protection laws. In other words, it is one of the many privacy rules that made the overall Canada's privacy policy very strict.
Here are the key CPPA principles:
1. The private action
This act aims to provide the private right of action to every individual. In any case where a violation occurs that disrupts privacy rights of an individual, they can go to the privacy commissioner and ask for justice in the federal court. There is no defined limit as to what types of privacy violations a person can sue for, which means a wide variety of privacy violation cases are seen in court. According to CPPA, all violations against the private rights of a person must be solved within the period of 2 years of their discovery.
2. Taking individual’s valid consent to use their personal information
According to the CPPA, all organizations, businesses, or companies must take the valid consent of an individual and only collect personal information when it is necessary and relevant.
Under this law, all organizations are bound to conduct business in the legitimate way in terms of the collection, usage or disclosure of their customers' personal information. Moreover, businesses should also provide detailed acknowledgement of how the information will be used to avoid any negative foreseeable consequences.
The CPPA also clarifies that organizationst must offer individuals the right to withdraw their consent.
3. Exemptions from consent collection
CPPA provides organizations with certain exemptions from consent collection. In particular cases where the use of information is necessary for the delivery or provision of a product or service, a business is required to receive consent from the consumer before using their information. The exemption of this rule is mainly used for security purposes, such as when the government organizations collect personal information without a person's consent for legal purposes.
If a company wants to utilize the exemption from consent of the individuals, the company’s reason must include one of the exemption rules elaborated under this act.
4. De-identification of personal information
De-identification is the process in which personal information is modified in a certain manner. Here, the various technical processes are used to make personal information unidentifiable for an organization in the way it cannot be linked to a person with any digital tool.
Once the information is de-identified, any organization can make use of it without letting the individual know about it. Sometimes it is important to use de-identified information, especially for internal research and development purposes. However, it is very important to adopt all administrative measures and technical names to ensure the protection of the de-identified or anonymized information and prevent the data malpractices.
The rights of individuals under CPPA
As discussed earlier, individuals have the right to revoke their consent and ask for amendments in the permission of personal information usage. They can do this by notifying the organization using certain requests or procedures. The individual should inform the business about their reason for concern regarding the uses of their personal information and how to disclose that information to third parties.
Additionally, organizations are bound to respond within 30 days after receiving the request from the individuals.
It is important to be familiar with the reasons that an individual can note regardihr their right to request an amendment. There are a few cases in which a person can ask for a change in the previous permission that allows access to and use of personal information by the organization.
- If an individual does not want to remain connected with the particular organization, the individual can inform the organization about it and request them to stop using their personal information.
- In some cases, if the information of the individual is not accurate or up-to-date and the individual wants to let the organization know about it, they can use the right of amendment of the personal information.
Here it is worth mentioning that individuals also have the right to transfer information or data from one organization to another, along with the transfer of permission of the information usage.
1. Transparency
Under the CPPA, all organizations must be clear in focusing on improvement of their privacy policies as well as other practices that can ensure personal information security. It is important to present the privacy policy rules to customers using a plain language because it needs to be understandable to the target group you serve.
The CPPA also allows companies to store and access personal information outside of Canada. This Canadian privacy law doesn’t pose a limit where a business can make the proper use of the customer's personal information internationally.
However, it is important to note that whenever the company or organization wants to disclose or transfer the personal information of individuals to an international business or system, the organization should inform the individuals about it. In other words, the international usage and sharing of personal information of an individual is only possible when the individual permits such actions.
2. Automated Decision Systems
CPPA advices you to add an automatic decision system to yoir company assets to ensure transparency of entire data privacy systems, including organizations and consumers.
Here you might be wondering:
What is an automated decision system? The Automated Decision System is essentially technology that can replace human judgement or assist other human beings in making final decisions. It involves the use of technology, such as rule-based systems, regression analysis, machine learning, deep learning, predictive analysis, or neutral nets.
According to the CPPA, it is very important for organizations to efficiently and transparently use automated decision systems and to only use them for recommendations and decisions regarding cooperation with their customers.
CPPA Codes Of Practice And Certification
CPPA introduces rules for organizations and specifies how they can develop their codes of practice and certification system. However, whenever an organization develops codes of practice and any other relevant policies, the policies must be submitted as applications to the Privacy Commissioner for final approval.
The cases the commissioner doesn't approve, CPPA allows organizations to develop another code of practice and detailed privacy policies and submit them again for the review.
This Canadian privacy act provides detailed information about the criteria set out in the regulations. It shows a deep concern for the security of the individual buyers as well as businesses. Therefore, in cases where the commissioner approves the code of practice, the organizations can proceed with accountability frameworks and self-regulation.
While developing certification systems, organizations should also work on a detailed mechanism for independent verification of an organization's compliance with the code of practice.
Is CPPA for Canada the same as CCPA for California?
Despite having similar names, it is important to clear any confusion about the differences between the Canadian CPPA and the Californian CCPA. The Californian CCPA or Californian Consumer Privacy Act is now the most comprehensive privacy legislation in the United States and it has a very great economic impact on the whole state of California. The CCPA is essentially focused on granting Californian residents with new rules about the collection and safety of their personal information. However, Canada has its own CPPA that does not concern California residents, and mainly relates to Canadian citizens.
Whether it is Canadian CPPA or Californian CCPA, the safety of consumers as well as organizations is the top priority for both Acts. California and Canadian privacy acts both focus on providing the consumer with maximum security and ensures the smooth flow of information from collection to use of information.