Now in its Second Reading, Bill C-11, the Consumer Privacy Protection Act (“CPPA”), is moving ever closer to adoption. The opening remarks by the Bill’s sponsor, MP Navdeep Bains, emphasized the law’s focus on control and consent with the aim of making privacy compliance more straightforward and transparent for Canadians who have seen an increase in online presence and activity since the pandemic began. As promised in our previous blog post, we begin our exploration of a few old and new concepts addressed by CPPA.
While some sections of CPPA replicate the Personal Information Protection and Electronic Documents Act (“PIPEDA”), generally speaking, CPPA includes more detail and is more prescriptive, which aims to clarify and bolster privacy protections for Canadians while, not insignificantly so, maintaining Canada’s ‘adequacy status’ under the European data protection regime, the General Data Protection Regulation (“GDPR”).
The concept of consent and business activities exemption
For example, the following section 5(3) of PIPEDA appears word for word in section 12(1) of CPPA:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
However, section 12 of CPPA goes further than PIPEDA did, adding factors to consider when determining whether the purposes are appropriate, as well as adding a new obligation to record the purposes for which the personal information is to be collected, used or disclosed, at or before the time of its collection.
The additional factors to assist in determining the appropriateness of the purposes are as follows :
- the sensitivity of the personal information;
- whether the purposes represent legitimate business needs of the organization;
- the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
- whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
- whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
Regarding the overarching theme of strengthening the notion of consent, section 15 of CPPA provides a more complete definition of the term than provided by PIPEDA, adding new considerations and precisions concerning the timing and form of consent. In particular, CPPA makes clear that express consent is required and implied consent is only acceptable where the organization can show it is appropriate given the reasonable expectations of the individual and the sensitivity of the personal information concerned.
CPPA also aims to simplify privacy for Canadian businesses. Section 18 of CPPA provides an exemption for certain business activities, allowing the collection and use of personal information without consent where an individual would reasonably expect it for the business activity in question and where the personal information is not being used to influence the individual’s behaviour or decisions.
The following are considered “business activities” for the purposes of the exception to obtaining consent:
- an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
- an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
- an activity that is necessary for the organization’s information, system or network security;
- an activity that is necessary for the safety of a product or service that the organization provides or delivers;
- an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual; and
- any other prescribed activity.
It is important to note that the business activities exemption does not exempt businesses from obtaining consent for the disclosure of personal information. However, section 19 of CPPA allows companies to transfer an individual’s personal information to a service provider without the individual’s consent.
While this exemption should simplify privacy for Canadian businesses, it remains to be seen whether these precisions will raise further questions as they are being implemented.