In today’s post we’ll present key provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) and changes proposed in the draft of the new Consumer Privacy Protection Act (CPPA). We’ll also show you the ways the laws can impact your digital strategy, including how you collect analytics data.
PIPEDA is the Canadian federal privacy law that regulates how the private sector collects, uses and discloses the personal information of its clients.
PIPEDA originally went into effect in 2000. Since then, it has been modified several times, with the most significant changes introduced in 2015. The amendment, known as the Digital Privacy Act, included mandatory breach notification requirements and enhanced the powers of Canada’s Privacy Commissioner.
Although many sources suggest otherwise, the Canadian act covers businesses operating outside Canada. While the text itself is silent about international reach, the Federal Court of Canada has ruled that PIPEDA should apply if there is “a real and substantial connection between the foreign organization and Canada and a physical presence is not required”.
This means that if your business offers products or services to Canadian residents, it’s subject to the act.
There’s no threshold when it comes to size or number of employees. The law applies to sole proprietors and large enterprises alike. The same applies to foreign organizations dealing with the data of Canadian residents.
But there are some exceptions. Organizations outside PIPEDA’s scope include:
- Those operating entirely in Alberta, British Columbia or Quebec – provinces where local laws similar to PIPEDA are already in effect
- Non-profit organizations, political parties and associations, educational institutions and hospitals – if they don’t engage in any commercial activities
In PIPEDA, the notion of personal information involves any information about an identifiable individual:
- Age, name, ID numbers, income, ethnic origin, blood type
- Opinions, evaluations, comments, social status, disciplinary actions
- Employee files, credit records, loan records, medical records
The Office of the Privacy Commissioner of Canada’s guide on web tracking with cookies states that:
If the cookie contains a unique identifier, then information about your visits to different websites can be linked together.
Further, if any of the sites (such as social networking sites) collect personal information, this information might also be collected by the advertisers. In this way, advertising companies are able to track the websites that you visit and build up detailed personal profiles […].
This means that the law also applies to marketing tools, including analytics platforms operating on cookies.
The Canadian law has been built around ten fundamental privacy principles:
- Accountability
- Identifying purposes
- Consent
- Limiting collection
- Limiting use, disclosure and retention
- Accuracy
- Safeguards
- Openness
- Individual access
- Challenging compliance
From the digital marketing and analytics point of view, the provisions can be boiled down to these key points:
- You’re responsible for personal information under your control and must appoint someone to be in charge of your company’s compliance. Under PIPEDA, this person is called the chief privacy officer (CPO).
- You must limit your collection of personal information to what’s needed for the purposes set by your company (e.g. analytics, remarketing or A/B testing). You need to make sure that the personal information about your visitors is accurate, complete and up-to-date.
- You can’t obtain, use or disclose personal information without prior consent.
- You must inform every interested individual about the collection, use and disclosure of their personal information and give them access to it. They should also have a chance to review the accuracy and completeness of their data. Finally, they should be able to challenge your organization’s compliance with PIPEDA principles and bring their challenge to your chief privacy officer (CPO).
- You must protect personal information using security measures proportional to the sensitivity of the information. In the case of a personal information breach, you need to report it to the Privacy Commissioner of Canada, notify the affected individuals and keep a record of the breach.
The requirements for lawful consent under PIPEDA are less strict and less precisely defined than those of Europe’s General Data Protection Regulation (GDPR). In its current form, PIPEDA allows companies to rely on either express or implied consent:
Express consent is given through a specific action, e.g. clicking the “I agree” button on a consent request banner.
Implied consent is obtained through a person’s actions or inaction, for example when a user has been given an opportunity to opt out but has not done so.
If you’re not sure which method applies in your case, the Office of the Privacy Commissioner of Canada offers Guidelines for obtaining meaningful consent that suggest:
“Organizations must generally obtain express consent when:
The information being collected, used or disclosed is sensitive
The collection, use or disclosure is outside the reasonable expectations of the individual
The collection, use or disclosure creates a meaningful residual risk of significant harm”
Also bear in mind that if a visitor files a complaint about your privacy practices, you may need to prove that you obtained valid consent from them. For that reason it makes sense to stick to express consent whenever possible.
The fines for a breach of PIPEDA requirements are up to $100,000.
While PIPEDA shares some common points with GDPR, the two laws don’t have the same strength or impact on business. They differ especially in their consent requirements and penalties for non-compliance.
The Canadian authorities noticed that the act is slowly losing touch with today’s privacy standards. The most recent attempt to bring Canada up to speed with modern data protection laws came in the form of the Digital Charter.
Since the Digital Charter is only a guideline, not a binding document, the next logical step for legislators was to revise the existing laws and put the Charter’s principles in practice.
That’s why, in November 2020, Canadian legislators introduced the Digital Charter Implementation Act (DCIA), or Bill C-11. The bill also enacts the Consumer Privacy Protection Act (CPPA) – a new piece of privacy legislation set to amend the more outdated parts of PIPEDA.
The bill is presently in the draft stage. Its current provisions give Canadian residents more control over how companies handle their personal information, including the right of private action. It also introduces more serious consequences for non-compliance.
The requirements of CPPA apply to any organization that:
- Collects, uses and shares personal information of Canadian residents for commercial purposes
- Collects, uses and shares personal information about employees and job candidates
CPPA doesn’t apply to:
- Government organizations covered by the Privacy Act
- Personal information used for journalistic, artistic and literary purposes
- Personal information used for personal purposes
- Personal information about individuals used in relation to employment, business or profession
The law changes and expands on many concepts known from PIPEDA. However, it maintains the definition of personal information known from its predecessor. This means that unique identifiers such as the ones used in analytics are also covered by the act.
Here’s the list of the key privacy obligations according to the proposed draft:
1) Accountability and control
You need to obtain meaningful consent for collecting, processing and disclosing users’ personal information. Likewise, you have to write your request in plain language to make sure visitors are properly informed about their options.
As with PIPEDA, the consent request can take two forms:
- Implied – you need to inform users about the collection of their personal information and give them a way to opt out of it
- Express – you need to obtain users’ active opt-in before you start tracking their data
The difference lies in more clearly defined conditions for when each type of consent may be used. The act obligates you to collect express consent unless you’re able to prove that other grounds for processing apply in your case. It specifically states that:
Consent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.
Keep in mind that documenting consents, which is an obligation under CPPA, is also a lot easier with explicit consents than those based on inaction.
If you want to read more about the grounds for processing data under CPPA, be sure to check out this guide by McCarthy.
No matter which type of consent you choose to employ, make sure you inform your visitors about:
- The purposes for and ways in which you want to collect, use and disclose personal information
- The consequences of the collection, use or disclosure of the personal information
- The types of personal information you collect, use and disclose
- The names of any third parties you share users’ personal information with
Finally, remember individuals’ right to withdraw consent. You should provide them with an easy way to change their mind, e.g. through a contact form or by sending a message to an email address provided on your privacy page.
3) Right to data transfer and deletion
Apart from the right of access to and amendment of personal information as well as the right to challenge compliance known from PIPEDA, individuals will gain the right to:
- Data mobility – to transfer their personal information between organizations, e.g. banks or insurance providers
- Disposal of personal information – to request the deletion of their data
4) Privacy management programs and transparency
According to the new law, companies will have to establish transparent processes for handling personal information. Every organization should write down and thoroughly describe:
- How it will protect personal information
- How it will deal with requests for information and complaints
- How it will meet other obligations under the legislation
- What training and information it will provide to staff
5) Keeping records of consents
Your organization needs to keep records of consents and the purposes for which it collects, uses and discloses data. If you decide to use data for a new purpose, you need to obtain a separate consent, document it and add to those records.
You should keep this data in an easily accessible form. In case of an audit from data protection authorities, you’ll have to share your records with the privacy commissioner.
6) Working with de-identified data
CPPA doesn’t define de-identified information itself. Instead, it describes the process of de-identifying data:
De-identify means to modify personal information – or create information from personal information – by using technical processes to ensure that the information does not identify an individual or could not be used in reasonably foreseeable circumstances, alone or in combination with other information, to identify an individual.
According to the law, you can collect de-identified data without visitors’ consent.
7) New enforcement powers for the Privacy Commissioner
The proposal grants new powers to the Office of the Privacy Commissioner of Canada. These allow the office to better enforce the law and to issue fines and penalties directly.
8) The right of private action
Finally, under CPPA consumers have a right of private action, which means they can sue companies that used their data in a way that violates the obligations of the act.
Fines for non-compliance with CPPA are as high as $10 million or up to 3% of global revenue. The act also includes higher penalties for more serious and deliberate violations, up to $25 million or 5% of global revenue.
It’s not yet known when CPPA will come into force and if it will remain in its current form. That said, it’s good to keep your ear to the ground and prepare your company for the upcoming changes in advance. And it goes without saying that you should adapt your data collection practices to existing privacy laws, if you haven’t done so already.
Below are some of the most important action points for dealing with analytics data under the new Canadian law:
Collecting or holding data, especially personal information you’re not using, is potentially risky and has no business benefit. You should only collect and keep what you can use.
A CPO should be responsible for your company’s compliance with the law and protection of personal information. If your company operates globally, you need a CPO (or data protection officer) to act in line with other regulations such as GDPR anyway. That person will also guide you through the Canadian privacy regulation landscape.
Implied or explicit consent? To decide, study the guidelines and assess which solution makes the most sense for your organization.
If you’d like to learn more about the rules around choosing the right ground(s) for processing, read Part 1 of the current draft of CPPA.
The next step would be to rethink your analytics choices. Do you want to collect personal information about your customers or gather de-identified statistics?
Let’s take the example of Google Analytics. The platform forbids you from storing personally identifiable information (PII) on its servers. But at the same time, it collects cookie IDs, advertising IDs, IP addresses and other end user identifiers that are considered personal information under PIPEDA and the upcoming CPPA.
As a result, you may collect no personal information other than online identifiers and still be subject to all the obligations of PIPEDA and CPPA.
It’s worth considering other analytics platforms that let you work on meaningful pieces of personal information in a compliant way.
Alternatively, you could switch to a product that allows you to avoid personal information and the liabilities its collection entails. The best way to do this is by using advanced de-identification methods.
If you’ve chosen to use express consent, now you need to think about how you will respect users’ rights.
The acts alone don’t specify how to collect consents and process user requests. However, there are several solutions that have worked well under GDPR, such as consent managers. Some of them, including Piwik PRO Consent Manager, allow you to display different consent requests in different jurisdictions. That way, you can meet the obligations of multiple privacy laws, such as GDPR, LGPD in Brazil and, of course, PIPEDA and CPPA.
Bear in mind that even if you choose to obtain implied consent, you still need to ensure that your visitors can exercise their right to access and rectify their data or revoke consent. You can process such queries manually or automate the process using a data request manager, a feature available with many consent management platforms.
Rather toothless until now, the Canadian privacy framework is set to receive a more threatening bite. We’ll keep you posted on any developments with the law. If you’re interested in how Piwik PRO can help you comply with both PIPEDA and the upcoming CPPA, be sure to contact our team. We’ll be happy to fill you in on the details!