The existing Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s main federal law protecting user privacy and governing how companies handle personal information.
Canada has been trying to better align its privacy and data protection laws with global trends by initiating a modernized data protection framework.
Over time, the Canadian government proposed bills to deploy the Digital Charter, which outlines fundamental principles relating to digital privacy. First, it introduced Bill C-11 in 2020, which has since been revoked, and Bill C-27, introduced in 2022, which is to enact the Consumer Privacy Protection Act (CPPA).
Today, we’ll present key provisions of PIPEDA and the changes proposed in CPPA. We’ll also show you how the laws can impact your digital strategy, including how you collect analytics data.
PIPEDA is the Canadian federal privacy law seeking to protect consumers’ privacy rights.
PIPEDA originally went into effect in 2000. Since then, it has been modified several times, with the most significant changes introduced in 2015. The amendment, known as the Digital Privacy Act, included mandatory breach notification requirements and enhanced the powers of Canada’s Privacy Commissioner.
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information.
Although many sources suggest otherwise, the Canadian act also covers businesses operating outside Canada. While the text is silent about international reach, the Federal Court of Canada has ruled that PIPEDA should apply if there is “a real and substantial connection between the foreign organization and Canada and a physical presence is not required”.
This means that if your business is located outside Canada but offers products or services to Canadian residents, PIPEDA applies to it.
There’s no threshold when it comes to size or number of employees. The law applies to sole proprietors and large enterprises alike.
But there are some exceptions. Organizations outside PIPEDA’s scope include:
- Those operating entirely in Alberta, British Columbia or Quebec – provinces where local laws similar to PIPEDA are already in effect
- Non-profit organizations, political parties and associations, educational institutions and hospitals – if they don’t engage in any commercial activities
- Organizations that collect, use or disclose personal information only for journalistic, artistic, or literary purposes
In PIPEDA, the notion of personal information involves any information about an identifiable individual:
- Age, name, ID numbers, income, ethnic origin, blood type
- Opinions, evaluations, comments, social status, disciplinary actions
- Employee files, credit records, loan records, medical records
The Office of the Privacy Commissioner of Canada’s guide on Web tracking with cookies states that:
If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.
Further, if any of the sites (such as social networking sites) collect personal information, this information might also be collected by the advertisers. In this way, advertising companies are able to track the websites that you visit and build up detailed personal profiles […].
This means that the law also applies to marketing tools, including analytics platforms operating on cookies.
From the digital marketing and analytics point of view, the provisions of PIPEDA come down to these key points:
- You’re responsible for personal information under your control and must appoint someone to be in charge of your company’s compliance. Under PIPEDA, this person is called the chief privacy officer (CPO).
- You must limit your collection of personal information to what’s needed for the purposes set by your company (for example, analytics, remarketing or A/B testing). You need to ensure that your visitors’ personal information is accurate, complete and up-to-date.
- You can’t obtain, use or disclose personal information without prior consent.
- You should clearly communicate the purpose of collecting the data and the ways you want to process it. You should only use or disclose it for the purposes it was collected for, unless the individual consents otherwise. Also, you must only keep the personal information for as long as required to serve those purposes.
- You should maintain transparent policies and practices regarding the management of personal information. Keep these documents publicly available.
- You must inform every interested individual about the collection, use and disclosure of their personal information and give them access to it. They should also have a chance to review the accuracy and completeness of their data. Finally, they should be able to challenge your organization’s compliance with PIPEDA principles and bring their challenge to your CPO.
- You must protect personal information using security measures proportional to the sensitivity of the information. In the case of a personal information breach, you need to report it to the Privacy Commissioner of Canada, notify the affected individuals and keep a record of the breach.
The requirements for lawful consent under PIPEDA are less strict and defined than for Europe’s General Data Protection Regulation (GDPR).
In its current form, PIPEDA allows companies to seek implied or express consent where:
- Express consent is given through a specific action, for example, clicking the “I agree” button on a consent request banner.
- Implied consent is obtained through a person’s actions or inaction. For example, when a user has been given an opportunity to opt out but refuses to do so.
If you’re not sure which method applies in your case, the Office of the Privacy Commissioner of Canada offers Guidelines for obtaining meaningful consent that suggest:
“Organizations must generally obtain express consent when:
The information being collected, used or disclosed is sensitive
The collection, use or disclosure is outside the reasonable expectations of the individual
The collection, use or disclosure creates a meaningful residual risk of significant harm”
Also, keep in mind that if a visitor files a complaint about your privacy practices, you need to prove that you obtained valid consent from them. Therefore, it would make sense to stick to express consent whenever possible.
The fines for a breach of PIPEDA requirements are up to $100,000.
While PIPEDA shares some common points with GDPR, the two laws don’t have the same strength or impact on business. They particularly differ in their consent requirements and penalties for non-compliance.
The Canadian authorities noticed that the act is slowly losing touch with today’s privacy standards. The most recent attempt to bring Canada up to speed with modern data protection laws came in the form of the Digital Charter.
Since the Digital Charter is only a guideline, not a binding document, the next logical step for legislators was to revise the existing laws and put the Charter’s principles into practice.
First, in November 2020, Canadian legislators introduced the Digital Charter Implementation Act (DCIA), or Bill C-11, which later died on the order paper with the announcement of the federal election.
On June 16, 2022, the Federal Government introduced Bill C-27, known as the Digital Charter Implementation Act, 2022, which would reform Canadian privacy law.
Bill C-27 is a re-working and, as many say, improvement of Bill C-11. But also, a major portion of Bill C-11 has been transported over to Bill C-27.
If passed, Bill C-27 will enact three different legislations:
- Consumer Privacy Protection Act (CPPA), set to amend the more outdated parts of PIPEDA
- Artificial Intelligence and Data Act (AIDA), Canada’s first artificial intelligence (AI) legislation
- Personal Information and Data Protection Tribunal Act (PIDPTA), empowering a new tribunal to impose penalties for violations of the CPPA
The bill is presently in the draft stage. The proposed CPPA will address the needs of Canadians who rely on digital technology and respond to feedback received on previously proposed legislation. This law will ensure that the privacy of Canadians will be protected and that innovative businesses can benefit from clear rules as technology continues to evolve.
The requirements of CPPA apply to any organization that:
- Collects, uses and shares personal information of Canadian residents for commercial purposes
- Collects, uses and shares personal information about employees and job candidates
CPPA doesn’t apply to:
- Government organizations covered by the Privacy Act
- Personal information used for journalistic, artistic and literary purposes
- Personal information used for personal purposes
- Personal information about individuals used in relation to employment, business or profession
The law changes and expands on many concepts known from PIPEDA but retains its definition of personal information. This means the act also covers unique identifiers such as the ones used in analytics.
Here’s the list of the key privacy obligations according to the proposed draft:
Make sure you have a reasonable purpose for collecting, using or disclosing personal information. Some factors to consider when trying to determine that include:
- The sensitivity of the personal information
- Whether your purpose represents an actual business need of the company
- Whether you can achieve the same purposes in less intrusive ways at a comparable cost and with comparable benefits
- Whether the individual’s loss of privacy is proportionate to the benefits
You must acquire meaningful consent for collecting, processing and disclosing users’ personal information. Likewise, you have to write your request in plain language to make sure visitors are properly informed about their options.
As with PIPEDA, the consent request can take two forms:
- Implied – you need to inform users about the collection of their personal information and give them a way to opt out of it
- Express – you need to obtain users’ active opt-in before you start tracking their data
The difference is more defined conditions for using a particular type of consent. The act obligates you to collect express consent unless you can prove that other grounds for processing apply in your case. It specifically states that:
Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
Keep in mind that documenting consents, which is an obligation under CPPA, is also a lot easier with explicit consents than those based on inaction.
Bill C-27 introduces exceptions for when consent is not required. They include:
- Transfers to service providers
- Internal research, analysis and development based on de-identified data
- Business activities necessary to provide a product or service requested by an individual, for information, system or network security, and for the safety of a product or service
- A legitimate interest that outweighs potential negative effect on the individual
There are two conditions to the business activities exemptions:
- A reasonable person must expect such collection or use
- Personal information cannot be collected or used to influence the individual’s behavior or decisions
However, marketing purposes are excluded from these exemptions and still require consent.
If you want to read more about the grounds for processing data under CPPA, check out this guide by McCarthy.
No matter which type of consent you choose to rely on, make sure you inform your visitors about:
- The purposes for and ways in which you want to collect, use and disclose personal information
- The consequences of the collection, use or disclosure of the personal information
- The types of personal information you collect, use and disclose
- The names of any third parties you share users’ personal information with
Finally, remember about individuals’ right to withdraw consent. You should provide them with an easy way to change their mind, for example, through a contact form or by sending a message to an email address provided on your privacy page.
Apart from the right of access to and amendment of personal information and the right to challenge compliance known from PIPEDA, individuals will gain the right to:
- Data mobility – to transfer their personal information between organizations, such as banks or insurance providers.
- Disposal of personal information – to request the deletion of their data. This applies to all personal information that is under an organization’s control.
According to the new law, companies will have to establish transparent processes for handling personal information. Every organization should write down and thoroughly describe:
- How it will protect personal information
- How it will deal with requests for information and complaints
- How it will develop materials that explain the organization’s policies and procedures
- What training and information it will provide to staff
Additionally, organizations must inform users about:
- International transfers or disclosure of personal information (but only if it may have significant privacy implications)
- Whether they use automated decision systems to predict, recommend or make decisions about an individual
Your organization needs to keep records of consents and the purposes for which it collects, uses and discloses data. If you decide to use data for a new purpose, you need to obtain separate consent, document it and add it to those records.
You should keep this data in a readily accessible form. In case of an audit from data protection authorities, you’ll have to share your records with the privacy commissioner.
CPPA now clarifies two significant concepts related to data.
Here are the provided definitions:
- Anonymized data means information that has been irreversibly and permanently modified according to generally accepted best practices, to ensure that no individual can be directly or indirectly identified from the information. We also learn that anonymized data is outside the scope of this legislation.
- De-identified personal data stands for information that has been modified so that an individual cannot be directly identified from it, though a risk of the individual being identified remains. De-identified personal data is still considered personal information, hence falling within the scope of the law.
According to the law, you can collect de-identified data without visitors’ consent.
The proposal announces new powers for the Office of the Canadian Privacy Commissioner. This allows them to better enforce the law and issue fines and penalties directly.
The new bill authorizes the privacy commissioner to:
- Order organizations to change practices and publicize such changes
- Approve an organization’s Codes of Practice or Certification Program to meet compliance obligations
- Recommend penalties to the new Data Protection Tribunal
The law considers minors’ personal data to be sensitive. Parents or guardians can exercise the rights (including consent) on behalf of their child, but the child can object to their authorization. Also, children have more rights to have their personal data deleted.
Finally, under CPPA, consumers have a right of private action, which means they can sue companies that used their data in a way that violates the obligations of the act.
Fines for non-compliance with CPPA are as high as $10 million or up to 3% of global revenue. The act also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue.
It’s not yet known when CPPA will come into force and if its current form is final, given that it has already been amended. That said, it’s good to keep your ear to the ground and prepare your company for the upcoming changes in advance. And it goes without saying that you should adapt your data collection practices to existing privacy laws, if you haven’t done so already.
Below are some of the most important action points for dealing with analytics data under the new Canadian law:
Collecting or holding data, especially personal information you’re not using, is potentially risky and has no business benefit. You should only collect and keep data that you can use and have a purpose for.
A CPO should be responsible for your company’s compliance with the law and the protection of personal information. If your company operates globally, you need a CPO (or data protection officer) to act in line with other regulations such as GDPR anyway. That person will also guide you through the Canadian privacy regulation landscape.
Implied or explicit consent? To decide, study the guidelines and assess which solution makes the most sense for your organization and applies to your use cases.
You should also familiarize yourself with consent exemptions and see if there are any purposes for which you don’t require consent.
If you’d like to learn more about the rules around choosing suitable ground(s) for processing, read Part 1 of the current draft of CPPA.
The next step would be to rethink your analytics choices. Do you want to collect personal information about your customers or gather de-identified statistics?
Let’s take the example of Google Analytics. The platform forbids you from storing personally identifiable information (PII) on its servers. But at the same time, it collects cookie IDs, advertising IDs, IP addresses and other end user identifiers considered personal information under PIPEDA and the upcoming CPPA.
Because of that, you may not collect any personal information except for online identifiers but still have to deal with all the obligations of PIPEDA and CPPA.
It’s worth considering other analytics platforms that let you work on meaningful pieces of personal information in a compliant way.
Alternatively, you could switch to a product that allows you to avoid personal information and the liabilities its collection entails. The best way to do this is by using advanced de-identification methods.
If you’ve chosen to use express consent, think about how you will respect users’ rights.
The acts alone don’t specify how to collect consents and process user requests. However, several solutions, such as consent managers, have worked well under GDPR. Some of them, including Piwik PRO Consent Manager, allow you to display different consent requests in different jurisdictions. This will enable you to meet the obligations of multiple privacy laws, such as GDPR and, crucially, both PIPEDA and CCPA.
Bear in mind that even if you obtain implied consent, you still need to ensure that your visitors can exercise their right to access and rectify their data or revoke consent. You can process such queries manually or automate the process using a data request manager, a feature available with many consent management platforms.
Relatively toothless until now, the Canadian privacy framework is set to receive a more threatening bite. We’ll keep you posted on any developments with the law. If you’re interested in how Piwik PRO can help you comply with PIPEDA and the upcoming CPPA, contact our team. We’ll be happy to fill you in on the details!
In the meantime, check out our selection of blog posts to help you respect user privacy as you gain valuable insights from your analytics: