CPPA – Consumer Privacy Protection Act (Canada)

What is CPPA?

CPPA stands for Consumer Privacy Protection Act. It is a new Canadian legislation that was introduced as a bill on 17 November 2020. CPPA has similarities to GDPR and LGPD. It is expected that CPPA will come intor force in late 2021 or early 2020.

Is a Cookie Layer required?

In the Canadian provinces of BC, Alberta and Québec, the provincial private sector privacy legislation does not explicitly address cookies, and so the short answer is “no”. There is no explicit legislative requirement for a website that is available in those provinces (or visited/used by residents in those provinces) to necessarily have a content-layer/cookie banner.  It will be sufficient for cookies to be addressed in the organization’s privacy policy, which must be prominently available on the website.  In certain circumstances, depending on what the cookies do and what personal information of users is utilized, prior consent from users may be necessary.

How about personalized advertising?

If the website utilizes cookies or other technology that combines different types of personal information about users (some of which may be sensitive, such as age, gender, income, areas of personal interest, etc.) in order to serve those users targeted advertising based on that personal information, then it will be necessary to have users consent to this use (or processing) of their personal information, prior to their personal information being used in this way.  This could be accomplished through consentmanager’s consent layer which presents users with the privacy policy (which must address and describe this targeted marketing use of cookies or similar technology) and which requires users to click a consent button in order to indicate their consent to the collection, use and disclosure of their personal information as outlined in the privacy policy.  This requirement arises from a decision of the Privacy Commissioner of Canada in a case called Bell Canada – the requirement is not explicitly stated in the legislation. 

What alternatives to consent exitst?

Under the draft federal CPPA, express consent is considered the “default requirement”, but implied consent (e.g. through notice) is acceptable in some circumstances.  So, if the cookies in question only operate to make the user experience more seamless or to provide the website owner with usage information, implied consent would very likely be acceptable.  However, if the cookies operate in the way described above (to serve targeted advertising to users), prior express consent will likely be required under the CPPA (assuming it is passed by Parliament in its current form).

The current federal privacy legislation (“PIPEDA”) allows for consent to be express or implied, depending on all of the relevant circumstances and does not identify express consent as a “default rule”.  In December 2015, the office of the federal privacy commissioner (“OPC”) released a policy statement regarding the application of PIPEDA to organizations using cookies for the purpose of online behavioural advertising (“OBA”). The OPC’s position states that meaningful consent is required for OBA, but that implied or opt-out consent may be acceptable providing certain following parameters are in place (and, given the OPC decision in the Bell Canada case, depending on the quantity and sensitivity of the user personal information used to serve targeted advertising).  The parameters identified by the OPC were:

  • Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be “buried” in the fine print of a privacy policy. Organizations should be transparent about their practices and consider how to effectively inform individuals of their online behavioural advertising practices, by using a variety of communication methods, such as online banners, layered approaches, interactive tools, etc;
  • Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
  • Individuals are able to easily opt-out of the practice – ideally at or before the time the information is collected (one way to opt out would be to turn off cookies);
  • The opt-out takes effect immediately and is persistent;
  • The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
  • Information collected and used is destroyed as soon as possible or effectively de-identified.

The above were guidelines issued by the OPC in connection with PIPEDA, not legislated requirements.

What derogations exist?

The private sector privacy legislation in the Province of Québec does not expressly recognize implied consent, so we generally recommend that organizations operating in the Province of Québec obtain prior consent to a website privacy policy, especially if personal data is being collected and retained about registered users for purposes of online behavioural advertising.

Generally speaking, if an organization has no business presence in the Province of Québec (no employees there, no bricks and mortar facilities) and if the website is being offered by an organization situated outside Québec or outside Canada, the federal private sector privacy legislation will apply (i.e. currently PIPEDA and, eventually, the CPPA), rather than the Québec private sector privacy legislation.


The bottom line is that whether consent (instead of notice) is required will depend on how the cookies (or similar website technology) operate and for what purposes.  If the cookies are employed in order to serve targeted advertising to identifiable users, and the targeting is based on several personal data elements, some of which are sensitive in nature, an organization must obtain prior consent from such users, and a cookie banner is likely a good way to obtain that consent.  If the cookies in question are used for less invasive purposes, it will likely be sufficient for the website privacy policy to clearly address the use of cookies, so long as the privacy policy is prominent and easily accessed by users.


Not sure if you need a CMP?

If you are unsure if your company needs a CMP or not, please get in touch with us – we will help you find the right solution for your company!

Get In Touch