My Take: The Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Digital Charter Implementation Act (DCIA)

Bill C-11: the Canadian version of GDPR — a little less and a little more.

Called Bill C-11, the draft was presented yesterday and so far, it seems to be well received by lawyers and privacy advocates. It is pretty ambitious and probably far from being perfect — but it is certainly a step in the right direction and something that was long overdue.

Statistics Canada says that about 57 per cent of Canadians online reported experiencing a cyber security incident in 2018.
CBC, Nov 16, 2020

So now, on top of GDPR, CCPA, and many others, we have DCIA and CPPA. So many acronyms ! So many slightly different rules to follow!

What’s Similar to the GDPR?

For my friends more familiar with the General Data Protection Regulation in Europe (GDPR), it comes close to it. It also improves upon the Personal Information Protection and Electronic Documents Act (PIPEDA). The DCIA Fact Sheet provides some highlights.

Here are some of the most important points of the new CPPA:

  • meaningful/informed consent, openness and transparency — short and accessible to the average citizen;
  • limiting collection, use and disclosure — and it is illegal to take anonymized data to merge and cross-reference it with other sources with the goal of de-anonymizing it, which also includes user profiling;
  • retention and disposal — limited to the shortest amount of time possible;
  • accuracy, information access and correction;
  • security safeguards — negligence and substandard security will now be more than a slap on the wrist;
  • data mobility — so you can request, view and transfer (albeit certainly with some effort) the data a company has about you. A given scenario would be a bank transferring your data to another one. Albeit plausible, I think the truth will be something like this: old bank CSV export> customer > specialized data-mapping service > new bank;
  • disposal of personal information (right to be forgotten) and withdrawal of consent (opt-out);
  • de-identified information is more clearly covered, although as research on privacy continue to evolve, we will find more cases where information was thought to be de-identified but isn’t. The classic case is Latanya Sweeny, who demonstrated in 1997 how birth date, gender and zip could be used to identify 87% of the U.S. population, or more recently, when Mozilla demonstrated browser history could be used to re-identify over 80% of users. Who knows which trick will be used next to identify people?
  • governance — through the Tribunal, including all you would expect from compliance requirements, notification, inquiry, audits, penalties, appeals and enforcement. But also a big change: the concept of a Data Protection Officer (DPO) as we see under GDPR— although simply called a “designated individual” within the organization — with the responsibility to develop procedures describing
    a) the protection of personal information;
    b) how requests for information and complaints will be received and dealt with;
    c) the training and information provided to the organization’s staff; and
    d) the development of materials to explain the organization’s policies and procedures.
  • and algorithmic transparency is something I think is unique under CPPA and I’m covering below;
  • exceptions, such as public interest, investigation and where required by law, disclosure to government institutions.

What’s new or unique?

Besides the points above, which we were expecting and are closer to GDPR or CCPA, there are two important aspects I want to highlight.

Finally a bit of a bite!

The Tribunal is a welcome change. Until now, the powers of the Privacy Commissioner of Canada was laughable. It elevates what used to be “recommendations” to “orders” — the impact is significant. The former was often simply ignored, while the second has some tooth! The administrative tribunal will obviously be more specialized but also have the possibility to impose penalties in two tiers: from $20 million or 4% of the organization’s gross global revenue, whichever is lower, up to $25 million or 5% (125). Although our Prime Minister claimed those are the highest of any G7 country, under GDPR it’s €10 million/2%, whichever is higher, up to €20 million/4%…

Automated decision? Wait a minute!

I really like the Automated decision system 63(3) point: “on request by the individual, provide them with an explanation of the prediction, recommendation or decision and of how the personal information that was used to make the prediction, recommendation or decision was obtained.” I will be very curious to see how adtech and social media behemoths will answer to those requests!

What’s missing, odd, wrong?

Some things aren’t perfect, or even questionable. For now, at least, I’m worried about the notion of “personal information” and “reasonable person.”

What is personal information?

The definition of “personal information” fits in 5 words! “information about an identifiable individual.” And there is no definition of “identifiable individual.” I hope I’m wrong or I’m missing something; otherwise we will go through all the usual questions: Is an IP address personal information? Is a postal code alone personal information? Is a corporate email address of the form personal information? Is browsing or search history personal information? (Hint: assume yes to all those!)

What is a reasonable person?

Throughout the proposed bill, there are references to what “a reasonable person would consider appropriate” (5, 12(1), 18(1)). A friend told me it is worded similarly when it comes to plagiarism in the music industry: the “reasonable person” aspect is akin to going on the street and asking passerby if two songs look too similar. The problem is it will be left to the court interpretation and opens the door to be challenged, on the positive side, it leaves room for evolution and unforeseen changes in the privacy landscape.

Application boundaries. Oups!

Interprovincially or within a province? I noticed something odd under Application 2(b): In English, it says “within a province,” while in French it says “interprovinciale” (instead of intra!) — which would mean personal data exchanged within a province wouldn’t be subject to the new bill…


They are many. There are 40 specific situations where organizations may use or share personal information with partners without consumers’ knowledge or consent, as long as the data is “de-identified.” This includes information used for internal research and development purposes. As much as exceptions are unavoidable, they make the law more complex. But I’m glad they didn’t make an exception based on the number of employees or the revenue level, as is the case with CCPA (CCPA applies only to companies of over $25M in annual revenue, process the data of over 50,000 Californians, and 50% of revenue comes from selling to California consumers…).

Other exceptions in the law explicitly covers collection of debts, life-threatening emergency situation, but those are expected, common in other legal frameworks, and already known in the case law.

Marketing, Profiling, Targeting? Nada!

There is no notion of legal basis or controller and processor, as we see under GDPR. There is absolutely nothing specifically mentioned about anonymous profiling and data-enrichment. My worry is martech/adtech often claim no personal information is being collected and an individual user is never targeted. However, I’m of the opinion that somewhere, deep in the depth of any adtech Big Data Swamp, there is a unique combination of attributes — something similar to your unique DNA sequence — that describes YOU. For example, this uniqueness is what fuels the real-time bidding industry. Johny Ryan, Senior Fellow at Irish Council for Civil Liberties, call it “The greatest data breach of all time”…

My Take

Since I took a turn toward data privacy & ethics, I’ve been advocating for embracing the most stringent aspects of GDPR even if a business doesn’t have to (for example, a Canadian business not targeting or serving European citizens). Few listened… Even larger organizations I work with felt no need to prioritize a privacy compliance audit, review their privacy policies, clean up the martech mess of tags on their website and be more transparent and straightforward with an informed consent process. Too bad, because they would have had a leeway toward the new CPPA/DCIA compliance requirements.

A scenario à la Desjardins data leak wouldn’t have been prevented, but the responsibility and real financial consequences would have been clearer. I hope questionable marketing ethics like the one I exposed regarding Equifax Canada will now be much more difficult to get away with (see here and here). If only for that, I would be happy.

Like the average consumer, maybe I misunderstand how those Bills works… after all, I’m not a lawyer! I feel some great aspects of GDPR are missing, notably the notion of legal basis for processing, controller/processor and aspects of anonymous profiling and data enrichment for marketing purposes.

Many jobs will be created as a result of those new legal obligations. It will require work to bring businesses up to the new obligations level, legal experts will be busy, and a new role similar to a Data Protection Officer (DPO) will be assigned within the organization. This is great news for users, and ultimately, for businesses as well. However, in the short term we can expect small and large businesses alike will find it hard and annoying to add those obligations given tight budgets and resources.

If I can be of any help, it’s easy to contact

Stéphane Hamel is a seasoned independent digital marketing and analytics consultant, innovator, teacher and speaker with a strong interest for user privacy and the ethical use of data.

If you enjoyed this article, you should follow me on LinkedIn and while you’re at it, why not click the nice little clapping hands on the left and follow me on Medium!

All the world is made of faith, and trust, and pixie dust. Digital marketer & analyst with a strong interest in privacy and the ethical use of data.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store