Canada PrivacyCanada’s New Privacy Bill Aims to Strengthen Privacy Rights for Citizens

Canada’s New Privacy Bill Aims to Strengthen Privacy Rights for Citizens

On November 17, 2020, the Canadian Minister of Innovation, Science, and Industry introduced a new federal privacy bill that would reshape Canada’s privacy framework with a main goal of strengthening interoperability with both the European Union and the United States. Bill C-11 proposes the Digital Charter Implementation Act, 2020 which includes the Consumer Privacy Protection Act. This legislation would significantly increase protection of Canadian personal information by enhancing Canadian control over data and demanding more transparency from companies as to their handling of personal information. The Digital Charter Implementation Act includes:

  1. Increased control and transparency of Canadian personal identifiable information being handled by companies,
  2. Ability for Canadians to move information from one organization to another in a secure manner,
  3. Right for Canadians to destroy their information,
  4. Ability of the Privacy Commissioner to force an organization to comply and order businesses and corporations to stop collecting data or using personal information, and
  5. Strongest fine among G7 privacy laws.

Penalties and Provisions

There are significant fines for noncompliant businesses – up to 5% of revenue or a sum of Can$25 million, whichever is higher. The bill would also modernize the Consumer Privacy Protection Act (CPPA) to protect an individual’s personal information while regulating organizations collection, use, and disclosure of personal information. The CPPA would also further consent requirements for handling personal information, create transparency requirements with respect to algorithms and artificial intelligence (AI), mobility of personal data, retention and disposal of personal information, and codifies legitimate interests where consent is not required. The CPPA updates the Personal Information Protection and Electronic Documents Act, which governed how private sector organizations collect, use, and disclose personal information in commercial business.

Part of Bill C-11 also introduces the Personal Information and Privacy Protection Tribunal Act (PIPPTA). The PIPPTA was established to create an accelerated and more direct path to enforcement of orders from the Office of the Private Commissioner to meet its expanded role and provide strong enforcement. The PIPPTA also includes a private right of action, allowing individuals to sue where the commissioner issues a finding of a privacy violation and it will be upheld by the Tribunal. However, all cases must be brought up within two years of the violation.

Impact

Canada’s proposed federal privacy bill follows the lead of the European Union’s General Data Protection Regulation and the United States’ California Consumer Privacy Act. Canada’s privacy bill was created to impose obligations on any business that collects Canadian personal data. Businesses and companies that fail to comply will be subject to the penalties outlined above. If Bill C-11 is passed, US businesses that collect and/or process the personal data of Canadians will have to enact procedures that comply with the Consumer Privacy Protection Act and other requirements in the bill. As with any new piece of data legislation, it crucial that companies potentially impacted perform a thorough review of their forward-facing privacy practices as well as update their internal procedures to address any new compliance requirements.

At Beckage, we have a team of Global Data Privacy Attorneys that continue to monitor the constantly evolving data privacy and cybersecurity legislation landscape. The Beckage team is made up of technologists and Certified Information Privacy Professionals (CIPP/US & CIPP/E) who can help develop and review new and existing privacy policies compliant with Bill C-11 and other international legislation to help protect your business.

*Attorney Advertising. Prior results do not guarantee similar outcomes.

Subscribe to our Newsletter.

CPRACalifornia Passes Proposition 24 on Consumer Privacy

California Passes Proposition 24 on Consumer Privacy

Businesses that have worked hard to implement California Consumer Privacy Act (CCPA) compliance initiatives will have a whole new set of privacy standards to comply with in the very near future.  California’s Proposition 24, also known as the California Privacy Rights Act (CPRA), has passed, expanding the state’s consumer privacy regulations. 

The CCPA, which passed only two years ago, the final regulations of which were just released earlier this year, will remain in effect until the CPRA becomes effective on January 1, 2023.  The CPRA expands the CCPA, adding new privacy rights aimed at strengthening consumer privacy. 

Among the changes introduced by the CPRA is the creation of a new, five-member agency with regulatory authority for enforcement of both the CCPA and CPRA.  The California Privacy Protection Agency will take over enforcement authority from the California Attorney General and dramatically change the way privacy rights are handled.  The Agency will be empowered to issue guidelines and impose fines on businesses who fail to comply. The Agency is slated to take over on July 1, 2021.

What is new in the CPRA? 

The CPRA modifies the CCPA in some meaningful ways by introducing new privacy rights and obligations pertaining to certain categories of personal information.  The updates will likely have a significant impact on companies that do business in California.  

New provisions of the CPRA include:

  • Sensitive Personal Information. The CPRA introduces a newly defined category of personal information that includes things like social security number, driver’s license number, passport number, sexual orientation, biometric data, health and financial information, and precise geolocation.
  • Additional Consumer Rights.  In addition to the rights conferred upon consumers under the CCPA, under the CPRA consumers will have additional rights, including the right to:
    • correct personal information;
    • know the length of data retention;
    • opt-out of geolocation utilization;
    • limit businesses from collecting more data than necessary;
    • restrict usage of sensitive personal information;
    • know what personal information is sold or shared and to whom;
    • prevent retaliation for exercising privacy rights.
  • Sharing of Data.  Of note, the CPRA allows consumers to opt out of the sharing of their personal information (rather than sale) for “cross-context behavioral advertising.”  This change is intended to close a perceived loophole in the CCPA that some businesses have relied on to avoid compliance.  This means businesses who do not sell data but share for digital advertising purposes may have to comply.
  • Expanded Breach Liability.  The CPRA adds a private right of action for unauthorized access or disclosure of an email address and password or security question that would permit access to an account if the business failed to maintain reasonable security.
  • Disclosure Obligations.  Businesses will be required to disclose the duration they will retain each category of personal information, the purpose for which they retain the personal information, and the volume collected.  Misrepresentations would constitute a statutory violation.
  • Increased Penalties for Children’s Personal Information.  The CPRA triples the maximum penalties for any violations concerning children’s personal information (under the age of 16).  The new penalties may go up to $7,500 per intentional violation.
  • Third Party Requirements.  Businesses that share personal information with third-party service providers are required under the CPRA to enter into contracts extending the CPRA privacy requirements to the third parties.
  • Covered Business.  The CPRA also slightly updates who is a covered business required to comply, increasing the threshold from buying, selling, or sharing personal information from 50,000 California consumers/households to 100,000.

Certain exemptions from the CCPA are retained in the CPRA, including exemptions for medical information or protected health information covered by HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act).  In addition, the CPRA extends the CCPA’s exemption for employee information and business to business data until January 1, 2023.

What impact will the CPRA have?

The CPRA becomes effective on January 1, 2023.  The CPRA will apply to personal information collected on or after January 1, 2022.  While many details still need to be clarified and defined through regulation, the impact of the CPRA will likely be significant as the concept of sharing is much broader in scope than selling.  The passage of another stringent privacy law in California may boost the likelihood of a comprehensive federal privacy law in the near term.

Beckage’s California Privacy Team continues to actively monitor the updates to the privacy landscape and the impacts the new data privacy law will have. The CPRA underscores the importance of operationalizing robust data security and privacy practices that can stand the test of time and adapt to the evolving consumer privacy landscape.  To learn more about the impact the CCPA and the CPRA may have on your business reach out to our team of attorneys.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Looking Back: Top Privacy and Cybersecurity Headlines from 2019Looking Back: Top Privacy and Cybersecurity Headlines from 2019

Looking Back: Top Privacy and Cybersecurity Headlines from 2019

In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:

Read More
Federal Data Privacy Law Proposals_ Notable DifferencesFederal Data Privacy Law Proposals: Notable Differences

Federal Data Privacy Law Proposals: Notable Differences

Hearings on two federal privacy law bills from opposite sides of the aisle were held late last week before the U.S. Senate Committee on Commerce, Science, and Transportation. The bills stand as indications of differences in between Democrat and Republican views on a comprehensive privacy law.  The first – Consumer Online Privacy Rights Act (COPRA) – was proposed by Democratic Senator Maria Cantwell, D. Wash, and has the backing of several other Democrat Senators.  The second – the United States Consumer Data Privacy Act (CDPA) – was proposed by Republican Senator Roger Wicker, R-Miss., is likely to have other Republican support.

Read More
Yesterday California Attorney General Published Proposed Regulations As States Privacy Law CCPA Effective Date Rapidly ApproachesYesterday California Attorney General Published Proposed Regulations As States Privacy Law CCPA Effective Date Rapidly Approaches

Yesterday California Attorney General Published Proposed Regulations As States Privacy Law CCPA Effective Date Rapidly Approaches

With only a few months left before the landmark California Consumer Protection Act (CCPA) takes effect, yesterday the California Attorney General announced Proposed Regulations implementing the CCPA. By way of background, the CCPA comes into effect January 1, 2020 and will put some of the strictest guidelines the US has seen regarding the collection and processing of personal information of California residents. While the law addresses the processing of personal information of California residents, the CCPA is likely to have far reaching impacts on businesses across the nation, including New York-based businesses. The text of the CCPA can be found here.

Read More
1 2