CPPA & PIPEDA: The Business Guide to Canada’s Privacy Laws

Batja Huisman
Batja Huisman
May 24, 2022
min read
CPPA & PIPEDA: The Business Guide to Canada’s Privacy Laws

Data privacy is sweeping the world, with laws and regulations being debated and enacted in Europe, the US, China, India, and additional locations. Canada has also been participating in this global debate. What started with PIPEDA in 2000 is now being enhanced through the CPPA. Let’s look at what each of these laws requires, how they compare, and what this means for businesses worldwide.

PIPEDA’s Main Features:

PIPEDA (Personal Information Protection and Electronic Documents Act) was enacted in 2000 as a law governing how businesses collect, use, and disclose personal information. <hl>PIPEDA requires all companies that collect or use personal information to:<hl>

  • Obtain consent for collecting, using, and disclosing personal data - consent needs to be meaningful, which means people understand what they are consenting to. In addition, consent can only be required for information that is necessary to collect, and it can be withdrawn at any time.
  • Explain what collected personal information is used for - and make this information available and accessible, and user-friendly. 
  • Protect the personal data they collect - through a security policy and safeguards that are reviewed constantly to ensure they are up-to-date.
  • Serve individuals even if they refuse to give consent for collecting and using their personal data - you are required to provide service regardless of if consent is given and inform individuals of this.
  • Collect information fairly and lawfully and keep it up-to-date and accurate - keep data organized and establish policies for making sure it is up-to-date.
  • Ensure personal information policies are clear and available - let individuals know which information is collected, who it is shared with, why it is being collected, and the potential risks.
  • Appoint someone to ensure compliance with PIPEDA - assign someone in your organization and provide senior management support and authority.
  • Enable individuals to challenge the business’s compliance with PIPEDA - establish a complaint process and a process for investigating potential challenges made by individuals.

Violating PIPEDA can lead to fines of up to 80,000 Canadian dollars.

 Now, what is CPPA, and why does Canada need it if it has PIPEDA?

The CPPA’s Main Features:

In 2020, CCPA was submitted under the Digital Charter Implementation Act (DCIA) and Bill C-11, but it is unclear when exactly it will be passed. Once it is passed, it will be one of the most powerful and strict privacy laws globally, like the GDPR or the CCPA.

<hl>The CPPA (Consumer Privacy Protection Act) is intended to replace and augment PIPEDA and give consumers control over their private data while providing transparency about how businesses use their personal data. The CPPA requires all companies that collect or use personal information to:<hl>

  • Obtain consent for collecting, using, and disclosing personal data. Consent has to be explicit and explained in clear terms.
  • Justify why an algorithm-based, AI-based decision or recommendation was made if it was based on personal data. For example, suppose an e-commerce system recommended a certain product to an individual based on their personal data. In that case, the e-commerce company should be able to explain why this product was recommended to them.
  • Enable de-identification, i.e., the reuse of data while removing all personal identifiers so the personal individual cannot be identified through the data.
  • Enable data to be transferred to another organization, similar to GDPR.
  • Enable individuals to be forgotten, similarly to the GDPR. This enables individuals to require companies to delete their personal information.

Fines for violating the CCPA can reach or exceed 3% of a business’s annual revenue or 10 million Canadian dollars. Serious cases could warrant fines of 5% of a business’s annual revenue or 25 million Canadian dollars. This substantial amount is similar in scope to GDPR fines.


As previously mentioned, the CPPA is intended to replace PIPEDA while augmenting it, which will make it more resemble laws like the GDPR. The main differences include:

1. Significant Fines and Penalties for Businesses

<hl>The CPPA imposes greater fines on businesses that violate its regulations. Businesses can face fines of 3%-5% of their annual global revenues or 10 - 15 million Canadian dollars.<hl>

2. Empowering Individuals

The CPPA enables individuals to privately claim damages due to losses or injuries after the business has been penalized under the CPPA. In addition, under CPPA, individuals have the right to data portability and the right to data erasure.

3. Augmented Consent

To obtain consent, businesses must provide individuals with information about the purpose of data collection, types of information collected, third parties that will see the data, and foreseeable consequences of the collection. If a business stores information outside of Canada, it is required to share if this is expected to have any implications.

4. AI and Automation Repercussions

Businesses are required to provide information on their use of automated decision-making systems that could impact individuals, as well as explain how personal information was used to make the decision.

5. De-Identification

Information can be de-identified without the individual’s consent, as long as the measures are proportionate. This information cannot be used for individual identification.

Preparing for CPPA: What it Means for Businesses

While the CPPA still hasn’t been enacted, it is high time for businesses to prepare since it is in constant debate and could be turned into a binding law very soon. In addition, as Canadian individuals become more aware of their privacy rights and see citizens in other countries being protected by their governments, they begin to expect more from businesses and might choose where to do business based on how their personal information is used and protected.

<hl>Here is how businesses can prepare for the CPPA and enhanced privacy demands:<hl>

  • Review your policies and procedures for collecting personal information. Make sure they are clear and accessible. Add any missing sections as required by the CPPA.
  • Check how personal information is being collected and stored. Ensure it can easily be extracted so it can be transported or erased. You can use automated data mapping to simplify and accelerate the process and ensure it is accurate and covers all your data.
  • Review your consent procedures. Ensure they are clear and comprehensive. Add any missing sections as required by CPPA.
  • Speak with your data science and engineering team to make sure you can understand and explain how algorithms and AI make decisions.
  • Vet your vendors and third parties. Make sure they adhere to your privacy standards.