In November 2020, the federal government introduced Bill C-11 (The Digital Charter Implementation Act). The proposed bill would overhaul Canada’s existing federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), with a modernized replacement known as the Consumer Privacy Protection Act (CPPA).
If the CPPA becomes law, it will impose several new obligations on businesses. Perhaps one of the biggest changes is a requirement that every organization implement a privacy management program that details the policies, programs and procedures they are using to meet their obligations under the Act. These programs will be unique to each organization and must reflect the volume and sensitivity of the information that the business handles.
In October 2020, the Office of the Privacy Commissioner (OPC) released a guide to help businesses comply with PIPEDA. Notably, these guidelines include a framework of a privacy management program and may provide businesses a preview of what is to come.
While the new CPPA requirements are more robust than what is currently required under PIPEDA, there are also potential benefits for businesses that choose to adopt a comprehensive privacy management program from the outset.
Privacy practices linked to brand trustworthiness
Studies show that consumers care how companies handle their personal information. A 2020 Consumer Privacy Survey completed by Cisco found that nearly one-third of consumers surveyed had switched service providers over a company’s privacy and data sharing practices. For these individuals, dubbed “Privacy Actives,” a company’s privacy practices are a direct reflection of the brand’s trustworthiness and how they treat their customers.
This type of feedback matters. Section 72 of the CPPA introduces a data mobility right, where an individual can request that an organization transfer all the personal information it has collected from the individual directly to another organization. The only caveat here is that both organizations need to be subject to a data mobility framework. Details on which organizations would be subject to this framework will be addressed through regulations. Consumers have always had the power to take their business elsewhere. Under these new provisions, they may be able to transfer the information (and underlying investment used to attain them) directly to a competitor.
As COVID-19 has accelerated the use of e-commerce, there may be broader commercial reasons to adopt more robust privacy legislation.
A report issued by the OECD identifies that individuals’ lack of trust in the security and privacy features of websites remains a significant barrier to broader e-commerce adoption. The report recommends governments identify ways to foster trust around using the e-commerce model to allow more individuals to participate. The introduction of tougher privacy legislation may be one solution.
Research suggests that consumers’ perceptions of privacy legislation and its ability to safeguard their information may positively influence their trust in the service providers they choose. Modernizing Canada’s private sector privacy legislation may potentially alleviate some mistrust and encourage more consumers to shop from smaller retailers.
The CPPA’s proposals are a necessary step to keep pace with global privacy laws like the EU’s General Data Protection Regulation (GDPR). Some businesses will see the proposed new requirements as a compliance box that needs to be ticked. However, for those who view privacy practices as integral to their customer relationships, there could be greater opportunity to build customer loyalty and long-term value. This may be something for businesses to consider while Canada’s privacy legislation is under review.
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.