In a previous life, I sat in on a data governance meeting as a consultant. During the conversation, the team was discussing an automated decision-making process where one of the pieces of information collected was an individual's age. Where an individual was under a certain age, they were disqualified and pre-screened out of using a product. Then, one of the team members spoke up and raised a concern about using this automated decision factor, and even whether we should collect this information at all. The team member stated that age alone was not helpful to the company in qualifying or disqualifying the potential customer and may even discriminate against otherwise excellent potential customers. The conversation raised a serious question about the true value of the information to the company's product delivery. It also raised a question about whether use of that information could be justified if reliance on it to deny access to the product was brought to light.

With the recent announcement of new federal privacy legislation, this experience offers a glimpse into how companies should evaluate their data governance structures and data use. The new legislation puts increasing obligations on companies that collect and use personal information.

The New Legislation

The federal government is replacing the Personal Information Protection and Electronic Documents Act (PIPEDA) with the Consumer Privacy Protection Act (CPPA). Minister Navdeep Bains has stated that the goals of the federal government are to provide Canadians with the privacy and data protection needed for an increasingly digital reality by increasing control and transparency surrounding the collection and use of personal information in commercial activities. At the same time, the federal government has identified the need to have a clear framework in place that sets boundaries while allowing for businesses to continue to innovate. Minister Bains has also signaled that the CPPA is to be a principles-based piece of legislation driven by the 10 principles of the Digital Charter. What this means is that the legislation is designed to provide clarity while also retaining flexibility to adapt over time to meet the needs of consumers and businesses in this digital reality. The Government has also provided a summary of the CPPA.

There are significant changes to consent requirements that demand greater transparency from organizations collecting and using personal information. Canadians are also able to demand information be destroyed or deleted, or even require an organization to move or share their information with another organization. Additionally, penalties for violations of the CPPA are more significant and individuals will also be able to seek damages for breach of privacy against companies who are found to have violated the act.

As with PIPEDA, the CPPA mandates that collection, use or disclosure of personal information is only allowed for purposes that the reasonable person would consider appropriate. The sensitivity of the information matters - the greater the sensitivity of personal information, the greater the benefit must be in exchange for the loss of privacy the customer experiences. The CPPA also requires organizations to consider:

  • whether stated purposes are legitimate business needs
  • whether the purposes are effective in meeting those legitimate needs
  • whether there is a less intrusive means of achieving the purpose for comparable cost and benefit.

So, what does this mean for you? The next sections highlight important changes that will impact your data collection and protection policies and procedures.

Consent

The purposes for collection, use or disclosure must be expressly stated. This means that collection, use or disclosure is limited to the purposes expressed to the individual providing consent unless you acquire further valid consent for an additional "purpose". Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on implied consent. Reliance on implied consent will be determined by the reasonable expectations of the individual and the sensitivity of personal information in question.

In order to obtain valid consent, you will need to obtain consent at or before the time of collection of personal information, and provide the following information in plain language:

  • The purposes for collection, use, or disclosure
  • The way personal information will be collected, used or disclosed
  • The specific type of personal information to be collected, used or disclosed
  • The names of any third parties or types of third parties to which the organization may disclose personal information
  • Any reasonably foreseeable consequences of collection, use, or disclosure

For the last item above, think about reasonably foreseeable consequences as connected to a breach or loss of data. Given that permitted uses are outlined in the CPPA, the reasonably foreseeable consequences would focus on things such as the risks of loss of information or breach of personal information.

There are two other important notes regarding consent that you should be aware of. First, you cannot require consent as a condition of service, nor can you require more personal information than is necessary to provide a product or service. Second, you cannot obtain or attempt to obtain information using false or misleading information or practices.

Collection, Use and Disclosure Without Consent

Collection and use can occur without knowledge or consent if (i) the collection or use is made for a defined "business activity", and (ii) a reasonable person would expect collection or use for that activity. Personal information cannot be collected or used in order to influence the individual's behavior or decisions. The list of permitted business activities is as follows:

  • Activity necessary to provide or deliver a requested product or service to the individual
  • Activity carried out to prevent or reduce commercial risk
  • Activity necessary for the organization's information, system or network security
  • Activity necessary for product or service safety
  • Activity where obtaining consent would be impracticable because the organization does not have a direct relationship with the individual

An organization can transfer personal information to a service provider without knowledge or consent, to de-identify information, or for internal research and development (provided the information has been de-identified). De-identified information cannot be used to identify an individual who has provided personal information. The only exception to this is where you are testing the effectiveness of the security safeguards in place to protect the information.

Finally, if you have disclosed information without consent, you must provide the names or types of third parties where disclosure has been made.

Withdrawal of Consent

After an organization receives notice of withdrawal of a user's consent, it must "as soon as feasible after that, cease the collection, use, or disclosure of the individual's personal information in respect of which the consent was withdrawn".

Personal information must not be retained for a period longer than necessary to fulfil the purposes of collection, use or disclosure or to comply with the CPPA. Retention of personal information outside of stated purposes at the time of consent will be a violation under the CPPA.

An individual can make a written request for the disposal of their personal information. The organization must dispose of that information as soon as feasible with two exceptions:

  • The information cannot be separated from another individual's personal information and disposal of the information would lead to disposal of the other person's information.
  • There are legal requirements under federal or provincial law, or reasonable contract terms, that prevent it from doing so.

If you have shared personal information with a service provider, and you are disposing of that information, you must inform the service provider and obtain confirmation from the service provider that they have also disposed of the information.

Transparency

Transparency is of increasing importance in complying with your data obligations. As noted above, valid consent requires the use of plain language. Additionally, you must make data protection policies and practices readily available and in plain language including:

  • types of information under your control
  • how you make use of personal information, including how you apply the exceptions to obtaining consent in your practices
  • whether you transfer information interprovincially or internationally and the reasonable privacy implications that come with those transfers
  • how an individual may request disposal
  • business contact information where complaints may be made

The CPPA also introduces transparency requirements around the use of automated decision systems. An automated decision system is defined as "any technology that assists or replaces the judgment of human decision-makers using techniques such as rules-based systems, regression analysis, predictive analytics, machine learning, deep learning and neural nets". If you use these systems to make a prediction, recommendation or decision about an individual, you must be able to provide an explanation about the prediction, recommendation or decision and how you obtained the personal information to make that decision.

Consent also requires increased transparency on the part of companies collecting, using or disclosing personal information. One example of what this transparency might look like can be found here, where Apple announces what some are describing as a privacy "nutrition label". This will be required on an app's product page as of December 8, 2020 so users can understand that app's privacy practices before they download the app.

Simply put, the federal government is signaling that people have the right to know:

  • what you are collecting
  • why you are collecting it
  • how their information will be used
  • who their information will be shared with
  • the risks an organization sees to the security and privacy of their information given these intended uses and disclosures

Organizations will need to have clear answers to these questions and strong policies in place that can be accessed by potential and existing customers.

Penalties in the Case of Violations

CPPA also introduces significant penalties in the event of violations and a private right of action for individuals in the event of a violation of the CPPA. Minister Bains has signaled that the federal government desires to have the Privacy Commissioner provide guidance and advice to businesses on their privacy programs in a manner that incentivizes compliance. With that in mind, the federal government has separated the role of providing guidance from the disciplinary role of the tribunal.

First, where the Privacy Commissioner finds a violation of the CPPA, they can make a recommendation to the Personal Information and Data Protection Tribunal of an appropriate penalty. Violations of the CPPA can lead to a monetary penalty or fine of up to $10 million or 3% of gross global revenue, whichever is greater. Where the organization in question has knowingly committed an offence, these penalties increase to up to $25 million or 5% of gross global revenues.

Second, if an organization is convicted of an offence under the CPPA, or the Privacy Commissioner or Tribunal has determined that an organization has violated the CPPA, individuals now have a private right of action. It does not appear that penalties are limited to either monetary penalties or claims arising under a private right of action, but that organizations may be liable for either, or both.

What Does This Mean for Me?

The Notorious B.I.G. aptly stated, "I don't know what they want from me, it's like the more money we come across the more problems we see". In this new world, it may be helpful to think about data in the same terms - more data, more problems. In preparation for the CPPA coming into force and effect, companies should look to do the following:

  • Privacy Policy – At bare minimum, draft and implement a privacy policy if you do not already have one. This policy should state (i) what data you are collecting, (ii) what you are using that data for, and (iii) how you are collecting and storing that data. Think about how you are intaking data and how you are communicating to people about what you are doing with it. Note specifically that CPPA can require a company to disclose their privacy management programs/policies to regulators.
  • Data Collection Review – Consider reviewing each piece of data in your organization and ask the following questions: Do we need this information? How does this information improve product or service delivery? Do the liabilities that come with this information outweigh the benefits of holding such information? Where information is no longer required, consider disposing of existing stored information and no longer collecting that information.

While data is of great benefit to organizations, CPPA makes clear that with great power comes great responsibility. If you cannot strongly connect your data to a legitimate business purpose, it is important to realize that the liabilities of holding that information may outweigh its benefits. Consider the potential costs of having to dispose of information and ensure that any third parties or service providers have disposed of the information, particularly where that information was not actually needed to deliver your product or service. Ask yourself whether you can "erase" a customer and their information upon request. In many cases, this is a very difficult task.

If the information offers no discernible benefit to your product or service delivery, it is likely best to avoid collecting that information at all. Therein lies a potential purpose of this new legislation. Rather than creating a reactive legislative framework for personal data privacy, the federal government seems to be encouraging organizations to take a proactive approach in reducing their data intake and liabilities to only the information necessary to deliver their best product or service.

Finally, if you need assistance with putting together a privacy management program or policy, or better understanding these obligations, please reach out to our firm. We have lawyers who intimately understand both privacy laws as well as the business realities of technology and software companies. The Minister of Innovation, Science and Industry has indicated there will be a 12 to 18 month transition period to allow companies to comply with CPPA; however, work should begin early.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.