Bill C-11 (the Digital Charter Implementation Act) was introduced on November 17, 2020, proposing the new Consumer Privacy Protection Act (“CPPA”) as a replacement for the existing Personal Information Protection and Electronic Documents Act (“PIPEDA”), the federal legislation regulating privacy in the private sector.
This is the seventh of a series of articles addressing specific issues raised by the proposed CPPA. This article addresses the CPPA’s new consent requirements and new exemptions from having to obtain consent.
Click here for a more general discussion of the changes introduced by the Bill; scroll to the bottom for links to other posts in the CPPA: In Depth series.
The basics of consent
Consent is a key element of PIPEDA, and would continue to underpin the CPPA. Under PIPEDA, organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. Consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information.
The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations must take into account the sensitivity of the information – more sensitive information will require express consent; less sensitive information can be used with opt-out consent. In obtaining consent, the reasonable expectations of the individual are also relevant.
Very little of this would change under the CPPA. However, in recognition of the challenges posed by data-intensive business models, and consumer difficulty understanding privacy policies, consent under the CPPA has been re-worked and would, among other things, create exemptions from having to obtain consent for certain well understood and common business activity uses, and require express consent for all collection, use and disclosure unless an organization could demonstrate that opt-out (or implied) consent was appropriate.
Appropriate purpose, reasonableness would need to be documented
Under PIPEDA, even with consent, an organization may only collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. Often, businesses interpret this requirement to mean what is reasonable to them and their commercial interests; this is not a correct understanding of this requirement.
The CPPA attempts to provide clarity by adding in new “factors” that must be considered when trying to determine whether a purpose is reasonable (section 12):
(a) the sensitivity of the personal information;
(b) whether the purposes represent legitimate business needs of the organization;
(c) the effectiveness of the collection, use or disclosure in meeting the organization’s legitimate business needs;
(d) whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and
(e) whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.
These factors derive from the “reasonableness test” established by the Federal Court in the Turner v. Telus Communications Inc. case (subsequently affirmed by the Federal Court of Appeal), which set out factors for evaluating whether an organization’s purpose was in compliance with subsection 5(3).
Note that consideration of these factors is mandatory (“must”). A failure to do so would be a violation of the CPPA. Organizations may want to document that they have considered the factors of the reasonableness test that would be newly required under the CPPA.
Detailed, plain language consent would be required
The CPPA formalizes what were Principles in PIPEDA, supplemented by OPC guidance, and adds additional specific requirements. Under PIPEDA, consent was valid only if it was reasonable to expect that the individual at whom the organization’s activities were directed would understand the nature, purpose, and consequences of the collection, use or disclosure.
The CPPA would remove the interpretative ambiguity by prescribing (section 15(3)) certain elements that would be required to be disclosed. This information would have to be provided, in plain language, at or before the point at which the organization seeks the individual’s consent:
- the purposes for the collection, use or disclosure of the personal information determined by the organization and recorded under subsection 12(3) or (4);
- the way in which the personal information is to be collected, used or disclosed;
- any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
- the specific type of personal information that is to be collected, used or disclosed; and
- the names of any third parties or types of third parties to which the organization may disclose the personal information.
This has obvious implications for organizations, many of which will need to rewrite and redesign privacy policies. Online processes may need to be redesigned to ensure that consumers have this information available “at or before” the point at which consent is sought.
Prohibition on “tied selling” expanded
Under PIPEDA, an organization is prohibited from, as a condition of the supply of a product or service, requiring an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil “the explicitly specified, and legitimate purposes.”
The CPPA removes the “legitimate purposes” justification for collection, use, or disclosure of personal information without consent. The new threshold under the CPPA would be whether personal information is simply “necessary to provide the product or service”, as opposed to the broader, and potentially more flexible threshold of what constitutes a “legitimate purpose”. From a compliance perspective, organizations will likely need to review their collection and use of personal information to determine if it is necessary, and document this.
Business contact information exemption narrower
PIPEDA creates an exemption for business contact information, defined to include “any information that is used for the purpose of communicating or facilitating communication with an individual in relation to their employment, business or profession”.
The CPPA would narrow this, and now provides an exemption only for “personal information that the organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession”.
Consent obtained by providing false or misleading information invalid
Furthermore, the CPPA would contain an express provision (section 16) stating that any consent obtained by providing false or misleading information or using deceptive or misleading practices would not be valid. This dovetails with the “false or misleading representations” in the Competition Act, and creates double the risk for organizations which fail to get this right.
Businesses should review their privacy policies and consent documentation against current business activities to ensure they are not obtaining consent by deception.
Exemptions from withdrawal of consent narrowed
Under PIPEDA, individuals have a right to withdraw their consent at any time, “subject to legal or contractual restrictions and reasonable notice”. Under the CPPA, these exemptions would be narrowed by more specific language: “subject to this Act, to federal or provincial law or to the reasonable terms of a contract”.
The CPPA also expressly permits the withdrawal of consent “in whole or in part” in section 17(1). Partial withdrawal for consent (e.g., for some activities, but not others) is not specifically contemplated in PIPEDA.
Collection and use without knowledge or consent expanded
Many of these exemptions exist under PIPEDA. However, a significant change in the CPPA would see organizations no longer needing to seek consent for certain defined, well understood business purposes (section 18(1)), as well as certain uses of de-identified information.
Under the CPPA, knowledge and consent would not be required for:
1. Business activities (which don’t include certain marketing activities)
For instance, the CPPA would allow organizations to collect or use (but not disclose) an individual’s personal information without their knowledge or consent if the collection or use is made for a listed business activity (described further below) and:
a) a reasonable person would expect such a collection or use for that activity; and
b) the personal information is not collected or used for the purpose of influencing the individual’s behaviour or decisions.
Importantly, not all business activities qualify. Only the following activities, listed in section 18(2), are covered:
a) an activity that is necessary to provide or deliver a product or service that the individual has requested from the organization;
b) an activity that is carried out in the exercise of due diligence to prevent or reduce the organization’s commercial risk;
c) an activity that is necessary for the organization’s information, system or network security;
d) an activity that is necessary for the safety of a product or service that the organization provides or delivers;
e) an activity in the course of which obtaining the individual’s consent would be impracticable because the organization does not have a direct relationship with the individual.
It is worth noting that by virtue of the provision in section 18(1)(b) above, collection or use related to targeted advertising, or delivering “nudges” or recommendations would likely be excluded from this provision, and consent would therefore be required. Under the CPPA, section 15(4), such consent would need to be express – unless the organization can establish “that it is appropriate to rely on an individual’s implied consent, taking into account the reasonable expectations of the individual and the sensitivity of the personal information that is to be collected, used or disclosed.” The exclusion of these types of marketing activities from the ambit of this exemption will likely be of concern to many organizations.
Under the CPPA, organizations will also need to be mindful that they and their employees don’t assume that because the personal information is being used for one of the enumerated activities, it must be okay to use it for other activities that are not enumerated. If this were to occur, there is a significant risk that those “other” activities would be using the personal information without adequate consent and without the benefit of falling within the exempted activities.
2. Transfers to service providers
Under the CPPA, transfers to a service provider would not require knowledge or consent, stating explicitly what was already found in OPC guidance.
Because of this, however, it is important that organizations acting as service providers be very careful about how the scope of their processing activities is defined in their service contracts with accountable organizations. If a service provider strays outside the permitted processing (e.g., aggregation, drawing statistical inferences, market insights, etc.), it will no longer benefit from being excepted from many of the CPPA provisions, and will itself become the accountable organization – and likely be unable to demonstrate it has appropriate consent for the out-of-scope processing.
3. De-identification, and certain uses of such information
An organization does not require an individual’s knowledge or consent to de-identify personal information. However, de-identification does not give an organization carte blanche to use it in any way it sees fit. De-identified information remains under the purview of the CPPA and can only be used in the following ways:
- for internal research and development purposes (section 21);
- for prospective business transactions (section 22(1)) and completed business transactions (section 22(2)) (where “business transaction” refers to, among other things, the purchase, sale or other acquisition or disposition of an organization); and
- for disclosure to a prescribed entity, but only if it is for a “socially beneficial purpose” (section 39).
Note that the requirement that information be de-identified prior to being disclosed for a prospective or completed business transaction is new. Under PIPEDA, the disclosure of personal information itself was exempted; this would no longer be the case. Organizations should be aware that, under the CPPA, where de-identification of relevant information is not possible, or not appropriate, consent will be required. Provisions to this effect should be contained within a privacy policy to ensure organizations aren’t hamstrung by this requirement at the time of the business transaction.
Other posts in the CPPA: In Depth series:
Part 5: CPPA: An in-depth look at the data mobility provisions in Canada’s proposed new privacy law
Part 6: CPPA: An in-depth look at the disposal provisions in Canada’s proposed new privacy law
Part 7: CPPA: An in-depth look at the consent provisions in Canada’s proposed new privacy law
Part 8: CPPA: An in-depth look at the access request provisions in Canada’s proposed new privacy law
Part 10: CPPA: An in-depth look at the privacy policy provisions in Canada’s proposed new privacy law
For more information about Dentons’ data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training in respect of personal information.