Like many countries, federal and some provincial governments in Canada have been considering updates to their private sector privacy laws.
These laws govern the collection, use, or disclosure of personal information of Canadian residents in the course of commercial activities, including through contact centers. They would apply to organizations operating within Canada and those outside Canada with a “real and substantial connection” to the country.
Canada’s current federal law (the Personal Information Protection and Electronic Documents Act, known as PIPEDA), passed in 2000, served for many years as the international gold standard for the protection of personal information.
PIPEDA has widely recognized strengths, including its balanced purpose statement, which embraces the enormous social and economic benefits of data use for Canadians, while protecting individuals’ right to privacy.
...Bill C-27...is intended to modernize Canada’s private sector privacy framework through a proposed Consumer Privacy Protection Act...
PIPEDA’s principles-based framework, for the most part, has stood the test of time. It has provided considerable flexibility, allowing privacy protections to be applied to a range of fast-moving technologies and applications.
PIPEDA’s Replacement: CPPA via C-27
In recent years, the Canadian government determined that PIPEDA needed to be replaced with a law that provides more meaningful privacy protection in the digital age.
In 2022, the government introduced Bill C-27, which is intended to modernize Canada’s private sector privacy framework through a proposed Consumer Privacy Protection Act (CPPA), and which will replace PIPEDA.
The CPPA’s purpose statement sets two fundamental priorities: ensuring effective privacy protection for consumers and enabling Canadians to enjoy the enormous social and economic benefits of private sector data use.
The CPPA has preserved two of PIPEDA’s key strengths: both laws are principles-based and technology-neutral, with rules that apply evenly across all processing activities. This approach is critical to ensure that the law remains flexible in the face of rapidly evolving technologies and business models for years to come.
Consumers would be able to move their data from one organization to another...
There are several important differences between the two laws. For example:
- The CPPA contains a meaningful enforcement model backed by broad order-making powers for the privacy commissioner and the strongest financial penalties in the G7, while maintaining a focus on early resolution and constructive engagement with businesses. Under PIPEDA, the commissioner can undertake investigations and issue findings, but can neither compel an organization to change its behavior nor impose penalties.
- The CPPA introduces a series of new consumer rights that build on existing rights to access and correct their data, and to withdraw their consent. Consumers would be able to move their information from one organization to another (under approved data mobility frameworks) and to request that their information be disposed of when it is no longer appropriate or necessary.
- Organizations would need to comply with greater transparency requirements with respect to their handling of personal information, and with respect to any automated decisions, predictions, or recommendations that may have a significant impact on individuals.
The bill reflects years of extensive consultation with a wide range of stakeholders. It was designed to bolster privacy protections for consumers while fostering innovation in the digital economy.
For Canadian consumers, the CPPA would provide a host of new rights, including:
- A new right for consumers to request that their data be deleted.
- A new right to request that data be ported from one organization to another (subject to an approved “data mobility” framework).
- A new right to expect companies to provide clearer information about how their data is collected, used and shared for automated decision-making.
- A new right to seek compensation from the courts for various violations.
- Special protections for minors’ data.
In addition, consumers would benefit from a meaningful enforcement model backed by broad order-making powers for the privacy commissioner and the strongest financial penalties in the G7.
Bill C-27 milestones and steps that lie ahead
- June 16, 2022: First Reading in the House of Commons.
- November 4, 2022: Second Reading in the House of Commons.
- September 2023 – February 2024: Consideration in Committee.
- April 8, 2024: Industry Committee begins debating amendments to the bill. Votes on 9 of close to 200 amendments before beginning their summer recess.
Still to come
- Industry Committee report back to the House of Commons.
- Third reading in the House of Commons.
- First and second reading in the Senate, referral to a Senate committee, completion of the Senate committee’s report followed by third reading in the Senate.
- Review in the House of Commons of any amendments made by the Senate.
Where C-27 Stands
Between September 2023 and April 2024, Parliament’s Industry Committee, which is studying the bill, heard testimony from 131 witnesses – including the Canadian Marketing Association (CMA) – one of only three national Canadian business associations that were invited to participate.
The members of Parliament (MPs) on the Industry Committee then filed close to 200 amendments. They began debating the amendments in April 2024. To date, they have completed their deliberations on only 10 of the amendments (summarized in CHART 1).
Just as in the U.S., it can take a long time for a bill to become law. This is due to many factors, including the complexity of the bill, the legislative calendar, the political climate, and the urgency of the bill.
What Has Changed So Far?
Amendments that have been passed to date include:
- Defining the age of a minor (an individual under 18 years of age).
- Amending the definition of personal information (to include inferred information).
- Amending the definition of sensitive personal information to include any information about an individual, for which, the individual generally has a high expectation of privacy. Which may include information such as racial or ethnic origin, sexual orientation, financial data, and geolocation data. See the following for more details.
What’s Next?
If Bill C-27 is not adopted by the House and the Senate before the next federal election (which must take place on or before October 20, 2025), it will be abandoned, and the new government would need to start from scratch and introduce a new bill.
It’s unclear how much of a priority privacy law reform will be for the next government, regardless of which party wins the election, particularly if it is a minority government. Newly elected governments typically focus on legislation that fulfills their campaign promises and key policy platforms, such as budget and fiscal policies, housing affordability, and healthcare.
The only way the current bill could be adopted before the election is if the political parties agree to expedite the process. Although this is not an impossible scenario, there is currently no clear pathway for this to occur.
Quebec’s Law 25
In the meantime, several provinces have been considering updating or introducing privacy laws, following the lead of Quebec, which has already adopted Law 25.
Law 25 overhauls the privacy regime in Quebec, introducing a range of new requirements for businesses in Quebec and for businesses processing the data of Quebec residents.
Major updates include strengthened privacy rights for individuals and several controller requirements, such as privacy policies, risk assessments, and data breach notification.
The law allows the Quebec privacy regulator to impose large potential fines for non-compliance of up to $10 million or 2% of worldwide revenues, whichever is greater. In the case of a subsequent offense, fines can be doubled.
What Steps is the CMA Taking?
The CMA is continuing to speak to policymakers about the proposed amendments to C-27. If the bill overcomes the daunting challenges it is facing, and advances through the legislative process, the CMA will continue to stress the importance of ensuring that it achieves its original two purposes.
If Bill C-27 is not adopted by the House and the Senate before the next federal election (which must take place on or before October 20, 2025), it will be abandoned...
In addition, the CMA is actively participating in consultations with several government bodies, including the Office of the Privacy Commissioner, the Competition Bureau, and some provinces on a range of topics including privacy, the protection of minors’ data, AI, consumer protection, and more.
The objective is to foster a legislative and regulatory environment in which businesses can compete effectively and consumers are protected.
understanding canadian attitudes
By Alison Simpson
Alison Simpson, president and CEO of the CMA, is an accomplished executive leader, and an award-winning marketer with extensive brand and agency experience. Alison had served as president of several agencies and as marketing lead for top tier brands, including Holt Renfrew, Rogers Communications, and TMX Group.
To give context to the proposed Canadian privacy legislation changes it is critical to understand consumers’ attitudes towards brands.
According to the most recent Canadian Marketing Association (CMA) Digital Marketing Pulse survey, conducted in 2022 and in partnership with Ipsos, 72% of Canadians are fairly to very concerned about their financial situation in the current economic climate.
So, it is not surprising that 90% feel that brands should be sympathetic to consumers and 75% believe brands should actively communicate with them.
But as businesses face more complex regulatory challenges domestically and globally, contact centers must continuously strengthen their ability to meet customer needs while also protecting personal information.
The Digital Marketing Pulse survey found that overall, marketers and agencies seem to be relatively confident with the way that data is collected and used. They still agree that investments in data insights are worth it, and they are more confident that their company gathers the right amount of data to understand their audience.
...contact centers must continuously strengthen their ability to meet customer needs while also protecting personal information.
However, a bigger proportion than in 2021 (22% versus 12%) agree that privacy compliance challenges have caused them to reconsider or even scale back some of their digital activities.
With regulatory changes on the horizon, it is more important than ever for marketers and contact center representatives to stay informed. There are training programs being offered by many organizations. Meaningful professional development will position industry professionals to make an impact.