The proposed Consumer Privacy Protection Act ("CPPA") is intended to replace the Personal Information and Electronic Documents Act ("PIPEDA"). The current text of the CPPA will make a number of significant changes to some of the consent requirements Canadian private sector organizations must obtain.
See our previous blog about CPPA's proposed privacy management program requirements.
Consent Requirements in the CPPA
The CPPA includes more defined requirements for valid consent than its predecessor, PIPEDA. It is not new that organizations must obtain an individual's consent before they can collect, use, and disclose their personal information. CPPA proposes more prescriptive requirements to obtain valid consent. In future, an organization must provide the following information:
- the purposes for the collection, use or disclosure of the personal information;
- how the personal information is to be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the specific type of personal information that is to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
What are the important changes?
Organizations should pay attention to these changes and consider modifying their practices accordingly.
The CPPA requires that an organization provide the above noted-information to individuals in plain language. Moreover, organizations must use plain language that their typical target audience would reasonably be expected to understand. This requirement ensures that individuals fully appreciate any risk to their privacy before they interact and share information with organizations. As you prepare for the new legislation, double check the language that your organization uses when obtaining individuals' consent and simplify it if need be.
Explaining Reasonably Foreseeable Consequences
To obtain an individual's valid consent, organizations must flag any reasonably foreseeable consequences that could arise from their collection, use, or disclosure of the individual's personal information. Organizations will have to assess potential risks, identify a range of possible outcomes, and communicate their conclusions.
Risk assessment may be relatively simple for organizations that use information only to fulfill orders or other straightforward requests. However, it will not necessarily be as clear cut for organizations that use information in more complex ways, such as behavioural advertising or eligibility for certain services. Your organization might need to clarify that the provision of certain information may result in a decision (positive or negative) about them, or result in some action, or a denial. While these may be reasonably implied in the circumstances, your organization may now be required to be explicit about it.
Third Party Disclosure
The CPPA imposes an obligation on organizations to list the names of any third parties, or the types of third parties, that they may disclose information to in the course of business. Many organizations operating in, or marketing to, Europe already do this as GDPR has a similar requirement.
Your organization should review and inventory its various service providers (this should be part of an information inventory or data flow record your organization has), to ensure it will be able to get consent to share the information when necessary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.