At-a-glance: Canada’s proposed new privacy law

Privacy legislation in Canada will expand data privacy obligations. PrivSec Report summarises the key changes in the bill in its current form.

In November, Bill C-11 for the Digital Charter Implementation Act, 2020 was introduced to the House of Commons as part of Canada’s updated privacy legislation, which will enact the Consumer Privacy Protection Act (CPPA).

If transcribed into law, the CPPA will replace the Personal Information Protection and Electronic Documents Act (PIPEDA) in most areas and will expand data privacy obligations and impose new enforcement mechanisms on businesses collecting users’ data.

Expanded rights

The CPPA maintains the ten core privacy principles of PIPEDA, including, accountability, consent and challenging compliance.

However, it expands  consumers’ rights in certain areas, such as allowing individuals to request access and deletion of their data, with some exceptions and data portability rights. Furthermore, the CPPA implements the concept of algorithmic transparency, which will enable consumers to receive an explanation as to why a certain algorithmic decision has been made about them upon request. It must then inform any service provider to which it transferred the PI of the individual’s request and obtain confirmation that the service provider deleted the PI.


Under CPPA, businesses will have to meet extra requirements for obtaining valid consent. At the point of collection, organisations must provide consumers with the following information:

  • The purposes of the collection, use, or disclosure of the PI, as determined and recorded by the organisation
  • The way PI is to be collected, used, or disclosed
  • Any reasonably foreseeable consequences of the collection, use, or disclosure of the PI
  • The specific type of PI to be collected, used, or disclosed
  • The names of any third parties or types of third parties to which the organization may disclose the PI.

However, in a move away from PIPEDA, the new law will also provide exceptions in obtaining consent when de-identifying information.

Additionally, there are exceptions for obtaining consent if the collection or use is made for a business activity, such as providing or delivering a product or service that the individual requested or preventing or managing commercial risk. An organisation may also transfer an individual’s personal information to a service provider without the user’s knowledge.


The CPPA includes significantly high penalties for non-compliance through the Personal Information and Data Protection Tribunal (PIDPTA), which will have the power to impose administrative penalties on businesses, who use personal information for an improper purpose, require a person to consent to the use of their personal information as a condition of supplying a good or service, or retain personal information for longer than needed.

The Tribunal can impose administrative penalties on recommendation by the Privacy Commissioner and will also be able to hear appeals of the Privacy Commissioner’s decisions and assist in administration of the CPPA.

The maximum administrative penalty under the CPPA is the greater of C$10 million or 3% of global revenue for the previous year. The maximum penalty for serious offences will be up to 5% of an organization’s global revenues or $25 million whichever is higher.

Privacy Commissioner (OPC)

The Commissioner will also receive greater order-making powers under the CPPA than PIPEDA. Notably, they can order a company to “take measures to comply with the CPPA; cease doing something in contravention of the CPPA; follow a compliance agreement; or make public any corrective actions it must take to comply with the CPPA.” Under PIPEDA, the Commissioner is only able to make recommendations.

Register for free to receive the latest privacy, security and data protection news and analysis straight to your inbox

The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.