CPPA – Consumer Privacy Protection Act (Canada)
What is CPPA?
CPPA stands for Consumer Privacy Protection Act. It is new Canadian legislation that was introduced as a bill on 17 November 2020. CPPA has similarities to GDPR and LGPD. It is expected that CPPA will come into force in late 2021 or early 2020.
Is a Cookie Layer required?
How about personalized advertising?
What alternatives to consent exist?
Under the draft federal CPPA, express consent is considered the “default requirement”, but implied consent (e.g. through notice) is acceptable in some circumstances. So, if the cookies in question only operate to make the user experience more seamless or to provide the website owner with usage information, implied consent would very likely be acceptable. However, if the cookies operate in the way described above (to serve targeted advertising to users), prior express consent will likely be required under the CPPA (assuming it is passed by Parliament in its current form).
The current federal privacy legislation (“PIPEDA”) allows for consent to be express or implied, depending on all of the relevant circumstances, and does not identify express consent as a “default rule”. In December 2015, the office of the federal privacy commissioner (“OPC”) released a policy statement regarding the application of PIPEDA to organizations using cookies for the purpose of online behavioural advertising (“OBA”). The OPC’s position states that meaningful consent is required for OBA, but that implied or opt-out consent may be acceptable provided that the following parameters are in place (and, given the OPC decision in the Bell Canada case, depending on the quantity and sensitivity of the user personal information used to serve targeted advertising). The parameters identified by the OPC were:
- Individuals are informed of these purposes at or before the time of collection and provided with information about the various parties involved in OBA;
- Individuals are able to easily opt out of the practice – ideally at or before the time the information is collected (one way to opt out would be to turn off cookies);
- The opt-out takes effect immediately and is persistent;
- The information collected and used is limited, to the extent practicable, to non-sensitive information (avoiding sensitive information such as medical or health information); and
- Information collected and used is destroyed as soon as possible or effectively de-identified.
The above were guidelines issued by the OPC in connection with PIPEDA, not legislated requirements.
What derogations exist?
Generally speaking, if an organization has no business presence in the Province of Québec (no employees there, no bricks and mortar facilities) and if the website is being offered by an organization situated outside Québec or outside Canada, the federal private sector privacy legislation will apply (i.e. currently PIPEDA and, eventually, the CPPA), rather than the Québec private sector privacy legislation.