In our previous update, we summarized key operational elements that businesses should be aware of under the proposed Consumer Privacy Protection Act (CPPA), and provided practical tips to help businesses comply with these new requirements. As currently drafted, the CPPA codifies a number of best practices and recommendations issued by the Office of the Privacy Commissioner of Canada under the Personal Information Protection and Electronic Documents Act.

In this update, we take a closer look at the CPPA’s requirements regarding the collection and processing of personal information, specifically addressing the following elements:

  • Enhanced consent requirements;
  • Appropriate purposes and uses of personal information; and
  • Using personal information for automated decision-making.

Enhanced consent requirements

The CPPA establishes that personal information can only be collected, used or disclosed by businesses if valid consent has been obtained from the individual. This consent must be obtained no later than at the time that personal information is collected. For consent to be considered valid, businesses must provide individuals with certain information when seeking consent, such as: 

  • the list of types of personal information collected, used or disclosed by the business;
  • the purposes for the collection, use or disclosure;
  • how it will be collected, used and disclosed, reasonably foreseeable consequences, as the case may be; and
  • the names or types of third parties to which personal information may be disclosed. 

Furthermore, information must be in plain language, which one could reasonably expect to be understood by a reasonable person. As a general rule, the CPPA requires consent to be explicitly obtained from individuals, unless it is appropriate to rely on the individual’s implied consent. 

That said, relying on implied consent must take into account the individuals’ reasonable expectations of privacy, and the sensitivity of the relevant personal information. In other words, if there is a high expectation of privacy or if personal information is considered sensitive, it will be more difficult for businesses to rely on an individual’s implied consent (see our previous post for more details on what is considered sensitive information by the Office of the Privacy Commissioner of Canada).

The CPPA also introduces a number of exceptions to the general rules regarding consent, whereby consent may not be required for businesses to collect, use and disclose personal information, including when information is required for business activities or for public interest considerations. 

“Business activities” include (among others) activities necessary to provide a product or service requested by the individual or to ensure the business’s information, system or network security. However, businesses will need to ensure that reasonable persons would expect the collection or use of their personal information for such activity, and that personal information is not used to influence the individual’s behaviour or decisions. 

Proposed next steps for businesses:

  • Review existing consent mechanisms and policies. Specifically, ensure all the required information is provided to individuals using plain language.  
  • Identify and track whether consent is obtained implicitly rather than explicitly. Document processes for obtaining consents, as well as any analyses used to rely on implicit consent or other exceptions.
  • List purposes for which personal information is collected and processed and document any exceptions being relied upon. 

Appropriate purposes and uses of personal information

The CPPA notes personal information can only be collected for purposes that would be considered appropriate by a reasonable person, regardless of whether or not consent is required. When assessing the appropriateness of the use or purpose of personal information, the following factors may be considered:

  • sensitivity of targeted personal information;
  • legitimate business needs and whether the proposed approach is effective in meeting such needs;
  • the level of intrusion as opposed to the purpose; and
  • whether the individual’s loss of privacy is proportionate to the business’s benefits. 

The purposes for which businesses wish to collect, use or disclose personal information must be determined at or before the point of collection. If, after the point of collection, a new purpose is identified, it must be recorded by the business collecting personal information before any personal information is used or disclosed for the new purpose. Unless businesses can rely on an exception to seeking consent, they must obtain a new consent from the impacted individuals before using collected personal information for this new purpose.  

Proposed next steps for businesses:

  • Identify all purposes for which personal information is collected and determine whether they are appropriate with regards to the CPPA factors. 
  • Record all purposes for which personal information is collected, and implement mechanisms to update such purposes.
  • Implement a method of recording new purposes for which personal information can be used or disclosed and obtaining a new consent from individuals. 

Using personal information for automated decision-making

The CPPA also provides specific requirements for circumstances where personal information is used for automated decision-making that may significantly impact individuals. In such cases, businesses will be required to present individuals with a general account of the use of such systems, including how personal information and automated decision-making is used to make predictions, recommendations and/or decisions. 

As of now, there is no indication on what form this general account will take. Upon request, businesses will also be required to provide an explanation of the types of personal information used to make the prediction, recommendation or decision, as well as the reasons for or the main factors leading to that prediction, recommendation or decision.

Additionally, any personal information used by businesses to make a decision about an individual must be kept for a sufficient period of time to allow individuals to request access to such information. The period of time within which an individual must make such a request is not specified in the CPPA although, as a comparison point, Quebec’s new Law 25 requires businesses to hold personal information used in a decision-making context for one year following the decision.

Proposed next steps for businesses:

  • Determine whether any automated decision-making systems are used, and if so, prepare general accounts that can be supplied to individuals.
  • Review your data retention practices to ensure any information used in a decision-making process is stored for a sufficient period of time.

 

Finally, we note the House of Commons began its second reading of Bill C-27 on November 4, 2022, but it has not advanced to the next step, which is committee consideration. We expect the bill to be amended as part of the legislative process, and will provide updates once any amendments are confirmed.



Contacts

Partner, Co-Head of Cybersecurity and Data Privacy, Canada
Canadian Head of Technology and Co-Head of Cybersecurity and Data Privacy, Canada
Partner
Counsel

Recent publications

Subscribe and stay up to date with the latest legal news, information and events . . .