The laws governing privacy in Canada are undergoing rapid change, particularly for organizations that collect and use the personal information of their clients and customers. These changes have been driven by both public and government concerns, but also reflect international developments such as the General Data Protection Regulation (GDPR). This recap summarizes the laws that were discussed during the webinar and provides resources for keeping your business in compliance with these new regulations.
- Jill Briggs – Head of Policy and Regulatory Affairs, IAB Canada JBriggs@iabcanada.com
- Sara Clodman – VP Public Affairs and Thought Leadership, Canadian Marketing Association email@example.com
- Joanne Crump – SVP Integrated Media, Active International Joanne.Crump@activeinternational.com
PRIVACY LAWS IN CANADA
- Bill C-27 (Previously Bill C-11): Digital Charter Implementation Act, was meant to repeal parts of PIPEDA and replace then with
– CPPA: Canada Consumer Privacy Protection Act, meant to modernize and provide stricter regulations and enforcement over personal Information
- Quebec’s Bill 64 : An Act to modernize legislative provisions as regards the protection of personal information
- CCPA: California Consumer Privacy Act- A state statute that enhances privacy rights and consumer protection for California residents
- GDPR: General Data Protection Regulations- Data protection and privacy law in the European Union and European Economic Area.
Quebec’s Bill- 64
►On September 2021, Quebec adopted Bill 64: An Act to modernize legislation regarding the protection of personal information. This bill introduced significant changes to the provisions governing the use and protection of personal information under various laws. A three-year phased implementation of the bill will begin on September 22, 2022. To stay up to date with the three-year plan for Bill 64,
►IAB Canada has created an infographic that breaks down how Bill 64 will go into effect the next three years. Link.
►Bill 64 requires organizations to configure individuals’ privacy settings for products or services to offer the highest level of confidentiality and privacy. This includes appointing a privacy officer, mandatory breach reporting, and giving individuals the opportunity to expressly opt for such features in accordance with their preferences. Under the new legislation, organizations that do not comply with this requirement can be fined $10 million or 5% of global revenue, whichever is greater.
►To stay up to date on Bill 64, you can access it here
Canada’s Bill C-27
►On June 16, 2022, the Canadian government tabled in Parliament Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as amendments to other Acts.
►Bill C-27 would modernize Canada’s approach to private sector data protection and introduce new rules related to artificial intelligence (“AI”). The bill would establish three new statutes:
- 1. The Consumer Privacy Protection Act (“CPPA”), which would repeal and replace the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and align it with the General Data Protection Regulation in Europe.
- 2. The Personal Information and Data Protection Tribunal Act, which would allow organizations and individuals to seek review of decisions made by the Privacy Commissioner.
- 3. The Artificial Intelligence and Data Act, which would regulate the development and deployment of AI in the Canadian marketplace.
►To stay up to date on Bill C-27, you can access it here
►Google will not be supporting 3rd party cookies in late 2023 which means greater reliance on first party data
►Under PIPEDA, organizations are required to explain why they collect personal information.
►Once the intended use of the data has been completed, organizations must dispose of the data. Whenever they are used for statistical purposes, they should be rendered anonymous.
►Having one federal law is the most effective approach for companies and consumers. Many provincial laws make compliance more complex and costly, without benefiting consumers.
►Legislation should be technology-neutral, so it can adapt to new technologies as they emerge. Otherwise, it becomes outdated.
►It is important to comply with privacy laws to maintain your company/industry’s reputation, and to maintain trust with consumers.
►Your consumer relationship should be as ethical as the way you would want your own data to be used.
►Sara’s Key Takeaways
- 1. Keep current on developments. At stake is your reputation, and that of your company and industry sector, along with significant fines once Bill C-27 becomes law..
- 2. Speak out on social media (especially Twitter) to support our advocacy efforts on behalf of the industry for balanced legislation.
- 3. Make wise decisions by putting on your “consumer hat“. How do you want your data, and your kids’ data used? Your customers probably want the same.
►Jill’s Key Takeaways
- 1. “Don’t wait to be told what to do” – Don’t wait for new legislation to impose your business practices; take action now!
- 2. Explore and shore up your first party data, make sure you have proper consumer consent get prepared for a time when you can no longer rely on third party cookies.
- 3. Use the proven technology and industry frameworks that already exist to improve upon your business practices.
►Joanne’s Key Takeaways
- 1. Transparency creates trust with the end user and creates a positive relationship between you and your customers.
- 2. “Putting the value exchange” – When you are collecting data, it is important to make the value exchange clear. Let your end users know what they will get in return for giving you their information.
- Businesses can stay in compliance with the new privacy laws by taking courses offered by both the IAB Canada and the CMA.
- Privacy-First Essentials for Digital Advertising Professionals – IAB CANADA
- CASL and Privacy 101 for Marketers – CMA
- Guidelines published by the Office of the Privacy Commissioner of Canada
- Guidelines on Privacy and Online Behavioral Advertising
- Guidelines for Obtaining Meaningful Consent
- Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5
Resources from the CMA
- The CMA has many privacy-related guides and tools. Most of them can be found here, including CMA’s Privacy Compliance Guide and Transparency for Consumers Guide, and numerous blogs. Our privacy law comparison chart, for those who are CMA members is also on this page.
- If you are interested in keeping up with legislative developments, visit CMA’s Privacy Law Reform page.
- CMA’s report on the GDPR is available here: Privacy Law Pitfalls: Lessons Learned from the European Union.
- Our Adtech Resource Hub is updated regularly