{"id":346,"date":"2021-10-20T15:30:14","date_gmt":"2021-10-20T13:30:14","guid":{"rendered":"https:\/\/stage.usercentrics.com\/?post_type=knowledge&#038;p=16211"},"modified":"2025-06-26T10:07:26","modified_gmt":"2025-06-26T08:07:26","slug":"canada-consumer-privacy-protection-act","status":"publish","type":"knowledge","link":"https:\/\/usercentrics.com\/us\/knowledge-hub\/canada-consumer-privacy-protection-act\/","title":{"rendered":"Canada&#8217;s Consumer Privacy Protection Act &#8211; an overview"},"content":{"rendered":"\n\n<p>Bill C-11 was tabled as part of the <a href=\"https:\/\/parl.ca\/DocumentViewer\/en\/43-2\/bill\/C-11\/first-reading\" target=\"_blank\" rel=\"noopener\">Digital Charter Implementation Act, 2020<\/a> and had two component parts: the Consumer Privacy Protection Act (CPPA) and the Personal Information and Data Protection Tribunal Act (PIDPTA). It would have represented a big step forward in modernizing Canada\u2019s privacy legislation. The bill died when a federal election was called for September 2021 before it could be passed. However, in 2022, work is being done on a new bill.<\/p>\n<p>The following article looks at <a href=\"https:\/\/www.justice.gc.ca\/eng\/csj-sjc\/pl\/charter-charte\/c11.html\" target=\"_blank\" rel=\"noopener\">Bill C-11<\/a> and the CPPA and the implications for both Canadian citizens and businesses. 
It is for archival purposes only, and we will prepare a new article if new privacy legislation passes in Canada.<\/p>\n<p>Read on to learn more about:<\/p>\n<ul>\n<li>What is Bill C-11 and the CPPA?<\/li>\n<li>Powers of the Privacy Commissioner under the CPPA<\/li>\n<li>A brief overview of PIPEDA<\/li>\n<li>Comparison of PIPEDA and the CPPA<\/li>\n<li>Changes to definitions of valid consent<\/li>\n<li>Consumer rights under the CPPA<\/li>\n<li>Responsibilities of businesses and foreign companies under the CPPA<\/li>\n<li>Appropriate purposes for data processing<\/li>\n<li>Penalties and enforcement<\/li>\n<li>Comparisons of the CPPA with the GDPR and CCPA<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">What is Bill C-11 and the CPPA?<\/h2>\n<p>The Digital Charter Implementation Act (Bill C-11) introduced new legislation for the collection, distribution, use and disclosure of personal information for commercial activity in Canada. 
This updated legislation would repeal parts of the <a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/\" target=\"_blank\" rel=\"noopener\">Personal Information Protection and Electronic Documents Act (PIPEDA)<\/a>, which has been in place since 2000.<\/p>\n<p>Under Bill C-11, the updated Consumer Privacy Protection Act (CPPA) has been proposed, with the aim of modernizing regulation of the commercial activities of Canadian private sector organizations and establishing more robust protections over the personal information of Canadian individuals. Of note is that the bill references \u201cindividuals\u201d, and does not specify \u201ccitizens\u201d or \u201cresidents\u201d of Canada. PIPEDA uses the same language.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Powers of the Privacy Commissioner under the CPPA<\/h2>\n<p>The Privacy Commissioner would retain existing powers and receive additional ones relating to oversight and compliance. These include investigations and audits of business activities as they pertain to privacy protection. Additionally, it would initiate inquiries into alleged violations of the CPPA. 
Tribunals could be called under PIDPTA to hear appeals issued by the Commissioner and to administer penalties for violations as applicable under CPPA regulations.<\/p>\n\n\n<p>Under the CPPA the Privacy Commissioner 
may:<\/p>\n<ul>\n<li>Request the production of records<\/li>\n<li>Enter private places to examine records<\/li>\n<li>Share relevant information with federal regulatory bodies<\/li>\n<li>Share information with provincial authorities and foreign states<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">A brief overview of PIPEDA <\/h2>\n<p>Before the introduction of the CPPA, PIPEDA required all private sector organizations across Canada that use personal information for commercial activity to obtain individuals\u2019 consent prior to the collection, use and\/or disclosure of their personal information. The CPPA adds more exceptions to circumstances when obtaining consent is required.<\/p>\n\n\n<div class=\"uc-notice\">\n    <div class=\"uc-notice__content\">\n                <p>Requiring consent before data collection is commonly referred to as an opt-in model, such as is used by the <a href=\"https:\/\/usercentrics.com\/gdpr\/\">General Data Protection Regulation (GDPR)<\/a> in the EU and the <a href=\"https:\/\/usercentrics.com\/lgpd\/\">General Data Protection Law (LGPD)<\/a> in Brazil. The alternative model for consent is opt-out. Under that model companies do not have to get consumers\u2019 consent before data collection, rather only if the data is to be shared or sold. This model has been adopted in the United States, to date in California with the <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/california-consumer-privacy-act\/\">California Consumer Privacy Act (CCPA)<\/a> and its successor, the <a href=\"\/knowledge-hub\/california-privacy-rights-act-cpra-enforcement-begins\/\">California Privacy Rights Act (CPRA)<\/a>.<\/p>\n            <\/div>\n<\/div>\n\n\n\n\n<p>Categories of personal information could include:<\/p>\n<ul>\n<li>Age<\/li>\n<li>Name<\/li>\n<li>Ethnic background<\/li>\n<li>Blood type<\/li>\n<li>Income<\/li>\n<li>Identification numbers<\/li>\n<li>Personal opinions, comments, or evaluations<\/li>\n<li>Social status<\/li>\n<li>Disciplinary actions<\/li>\n<li>Employee files<\/li>\n<li>Credit and\/or loan records<\/li>\n<li>Medical records<\/li>\n<li>Records of dispute<\/li>\n<li>Commercial intentions<\/li>\n<li>Professional intentions<\/li>\n<\/ul>\n<p>Under PIPEDA, individuals retained full right to access and challenge the accuracy of any information about them held by an organization. 
Personal information could only be used for the express purpose(s) for which it was collected and any ulterior or additional usage would require additional consent from the individual.<\/p>\n<p>Generally, PIPEDA did not apply to:<\/p>\n<ul>\n<li>Personal information held by the federal government under the <a href=\"https:\/\/laws-lois.justice.gc.ca\/ENG\/ACTS\/P-21\/index.html\">Privacy Act<\/a><\/li>\n<li>Business contact information<\/li>\n<li>Individuals\u2019 collection of personal information for personal purposes<\/li>\n<li>Collection of personal information for journalistic, artistic or literary use<\/li>\n<li>Provincial or territorial governments and their agents<\/li>\n<li>Not-for-profit organizations and charities<\/li>\n<li>Political parties and associations<\/li>\n<li>Universities, schools, hospitals and municipalities<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">Comparison of PIPEDA and the CPPA<\/h2>\n<p>The scope of who is protected under PIPEDA and the CPPA does not change, and both laws explicitly reference the protection of individuals and federal employees or applicants. Individuals would receive private right of action (the ability to sue companies for violations) under the CPPA, which they did not have under PIPEDA. The CPPA does strengthen consent requirements to ensure it is explicit and informed, though also has more exceptions to when consent is required. 
The CPPA also has more detailed requirements for organizations to explain data collection purposes and use, and how individuals can contact organizations with questions or requests.<\/p>\n<p>No further restrictions have been added on transferring data outside of Canada, but under the CPPA individuals have new rights for data mobility\/portability, with companies required to provide necessary safeguards. Individuals do not have the ability to opt out of automated decision-making using their personal data under the federal CPPA (as under provincial Quebec law), but they would receive the right to receive an explanation about that usage.<\/p>\n<p>Companies have more accountability obligations under the CPPA regarding identifying purposes for data processing, notifications in the event of a breach, and implementing and maintaining a privacy management program, which includes deletion of data upon request. While under PIPEDA companies could only retain data as long as needed to fulfil the specific communicated purpose, under the CPPA individuals can make requests at any time to have their data deleted as soon as is reasonably feasible, and be notified when it\u2019s done (with some exceptions).<\/p>\n<p>Under the CPPA the Commissioner has expanded powers of enforcement. Companies will have to perform privacy assessments in circumstances other than after a breach. If there is a breach, the CPPA is more specific about how quickly notifications about it must be made, and the potential penalties if that\u2019s not done. The CPPA only notes that notification must be done as soon as is \u201cfeasible\u201d, however, and not within a more specific time frame like within 72 hours as required by the GDPR. Additional recordkeeping about breaches is also a new requirement. Fines that can be levied for upheld violations can be substantially higher than under PIPEDA. 
The previous maximum fine was CA $100,000 per violation, but fines are now more in line with those under other international privacy laws. For most violations, the maximum fine is CA $10 million or 3 percent of global annual revenue, but for particularly severe violations it\u2019s CA $25 million or 5 percent of global annual revenue.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Changes to definitions of valid consent<\/h2>\n<p>While both PIPEDA and the updated CPPA legislation require companies to obtain valid consent before collecting, using, and\/or disclosing any individual\u2019s personal information, there are some notable differences between the two legal frameworks.<\/p>\n<p>Building on PIPEDA, the CPPA introduces a range of additional exceptions to the standard requirements for consent:<\/p>\n<ul>\n<li>Organizations may transfer an individual\u2019s personal information to a service provider without consent if necessary for delivery of a product or service that the individual has requested<\/li>\n<li>Organizations may use an individual\u2019s personal information to de-identify the information (learn more in <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/data-anonymization\/\">Data Anonymization: The What, Why, and How of Data Anonymization<\/a>)<\/li>\n<li>Organizations may use an individual\u2019s personal information for internal research and\/or development, provided that the information is de-identified prior to use<\/li>\n<li>Organizations may disclose an individual\u2019s personal information to any government, healthcare, post-secondary educational institution, or library, provided that the information is first de-identified, and provided that it is for the benefit of public amenities, infrastructure, environment, or other prescribed purpose.<\/li>\n<\/ul>\n<p>Under the CPPA companies must obtain valid consent before collecting, using, and\/or disclosing any individual\u2019s personal information. 
For consent to be considered valid, organizations must provide individuals with the following information in \u201cplain language\u201d:<\/p>\n<p><strong>(a)<\/strong> The type of personal information to be collected, used, or disclosed<br \/>\n<strong>(b)<\/strong> The intended data collection method to be used<br \/>\n<strong>(c)<\/strong> The purpose for data collection, use and\/or disclosure<br \/>\n<strong>(d)<\/strong> A list of \u201creasonably foreseeable\u201d consequences of the collection, use and\/or disclosure<br \/>\n<strong>(e)<\/strong> The names of any third parties or types of third parties to which the information may be disclosed<\/p>\n<p>Under the CPPA companies cannot require an individual\u2019s consent to the collection, use, or disclosure of their personal data as a condition for the supply of the product or service in question. Furthermore, any consent obtained via deceptive means will be considered necessarily invalid.<\/p>\n<p>The only conditions under which an organization may collect and\/or use an individual\u2019s personal information with consent are:<\/p>\n<p><strong>(a)<\/strong> To deliver products or services requested by the individual from the organization<br \/>\n<strong>(b)<\/strong> To carry out due diligence as part of organizational risk prevention<br \/>\n<strong>(c)<\/strong> To support the organization\u2019s system, network security or the safety of a product or service<br \/>\n<strong>(d)<\/strong> In cases where it is impractical to obtain individual consent for lack of a direct relationship<\/p>\n\n\n<h2 class=\"wp-block-heading\">Consumer rights under the CPPA<\/h2>\n<p>Canadians have established rights under PIPEDA when it comes to the use of their personal information, and there are some changes and expansions under the CPPA. Individuals would now be able to withdraw previously granted consent and opt out of information sharing at any time. 
In order to do so, individuals would need to provide reasonable notice to the organization in question, after which the organization must inform the individual about cessation of collection or disclosure of their personal information.<\/p>\n<p>Under the CPPA, individuals would have \u201cprivate right of action\u201d, which enables them to sue organizations under certain circumstances if privacy violations are upheld by the Privacy Commissioner after investigation. Individuals can claim damages for loss (financial or otherwise) and\/or injury suffered as a result of the violation. The offending organization may also be subject to administrative fines levied by the Privacy Commissioner.<\/p>\n<p>Individuals have the right to access their personal information, and request amendments to it if it is incorrect or outdated. Organizations that receive such requests are then legally required to respond within 30 days of receipt. Any inaccurate, outdated, or incomplete information must be amended to the individual\u2019s satisfaction. Individuals can also request the deletion or transfer of their information to another organization at any time (data portability) and the company has to ensure that necessary safeguards for the data remain in place for that process.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Responsibilities of businesses and foreign companies under the CPPA<\/h2>\n<p>In addition to protecting the rights of public individuals, PIPEDA includes federal employees and applicants (though not private sector individuals in their capacity as workers), and this continues under the CPPA. 
Organizations also need to be clearer and more detailed under the CPPA with regards to requesting consent for data processing, ensuring it is informed and explicit, and that proof of consent can be provided.<\/p>\n<p>Further to the clarity of communication, organizations must also comply with the more detailed requirements for explaining data collection purposes and use (commonly in a privacy policy), as well as how they can be contacted by individuals regarding requests, like those to have data ported or deleted.<\/p>\n<p>Companies would not be any more restricted from transferring data outside of Canada under the CPPA, though they do have to enable user data to be deleted or transferred elsewhere upon request, and to appropriately safeguard the data at all points. They would also be less restricted in how long they can keep data than under PIPEDA, which stipulated data could only be kept for as long as needed to fulfill the purpose for which it was collected. Organizations do not have to enable users to opt out of automated decision-making that\u2019s done using their data, but they do have to be able to provide an explanation about that usage and how it\u2019s done, upon request.<\/p>\n<p>In the event of a breach, companies would have more accountability obligations under the CPPA, especially regarding notifications and sending them as quickly as possible, as well as recordkeeping related to any breaches. Organizations would also need to implement and maintain a privacy management program and perform privacy assessments, as a matter of regular operations and not just when there was a breach.<\/p>\n<p>With the private right of action that individuals would receive under the CPPA, companies would either have to prove that a breach did not occur if accused of a violation and sued for it, or reasonably disprove that damages or injury occurred. As we have seen with lawsuits to date resulting from the CCPA in California, it has been difficult to achieve that. 
Under the CPPA companies would also be at risk of far higher penalties than under PIPEDA if a violation is upheld.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Appropriate purposes for data processing<\/h2>\n<p>Under the CPPA, <a href=\"https:\/\/parl.ca\/DocumentViewer\/en\/43-2\/bill\/C-11\/first-reading#ID0ECCCA\" target=\"_blank\" rel=\"noopener\">Section 12(2)<\/a>, organizations may only collect, use or disclose personal information in \u201cappropriate\u201d circumstances, relating to:<\/p>\n<p><strong>(a)<\/strong>\u2002the sensitivity of the personal information;<br \/>\n<strong>(b)<\/strong>\u2002whether the purposes represent legitimate business needs of the organization;<br \/>\n<strong>(c)<\/strong>\u2002the effectiveness of the collection, use or disclosure in meeting the organization\u2019s legitimate business needs;<br \/>\n<strong>(d)<\/strong>\u2002whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits; and<br \/>\n<strong>(e)<\/strong>\u2002whether the individual\u2019s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.<\/p>\n<p>Potential contraventions of the CPPA by businesses, separate from violations themselves, which are punishable by fine, include:<\/p>\n<ul>\n<li>Re-identifying personal information that has been de-identified<\/li>\n<li>Contravening any order issued by the Privacy Commissioner following an enquiry<\/li>\n<li>Obstructing the investigation of a complaint or the conduct of an audit<\/li>\n<\/ul>\n\n\n<h2 class=\"wp-block-heading\">Penalties and enforcement<\/h2>\n<p>Noncompliance penalties under the CPPA would be significant. Most fines would be up to 3 percent of a company\u2019s total global revenue for the previous year, or CA $10 million (whichever is higher). 
For the highest tier offences, fines could be up to 4 percent of a company\u2019s total global revenue for the previous year, or CA $25 million (whichever is higher). These thresholds are higher than those established by the GDPR, and the 5 percent number matches China\u2019s Personal Information Protection Law (PIPL). This is a big step up from noncompliance fines under PIPEDA, which could levy a maximum CA $100,000 fine per violation under the <a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/privacy-laws-in-canada\/the-personal-information-protection-and-electronic-documents-act-pipeda\/r_o_p\/02_05_d_63_s4\/\" target=\"_blank\" rel=\"noopener\">Digital Privacy Act<\/a>.<\/p>\n<p>Under the updated measures, accused violators would be subject to a personal information and data protection tribunal, which will be responsible for hearing any appeals and determining the extent of the penalties due. The Commissioner will be ultimately responsible for performing necessary audits, issuing binding orders, recommending penalties and monitoring enforcement practices. The Commissioner cannot order fines itself, but can approve recommended penalties.<\/p>\n\n\n<h2 class=\"wp-block-heading\">Comparisons of the CPPA with the GDPR and CCPA<\/h2>\n<p>PIPEDA has been law in Canada since 2000, but it is not known if or when Bill C-10 may be passed. The GDPR has been enforced in the European Union since 2018, and in the US, California had the first state-level American privacy law come into effect in 2020 with the CCPA. That will be partially replaced and expanded in 2023 with the CPRA. 
There is no federal US privacy law at this time, but to date <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/virginia-consumer-data-protection-act-vcdpa\/\">Virginia [Consumer Data Protection Act (CDPA)]<\/a> and <a href=\"https:\/\/usercentrics.com\/knowledge-hub\/colorado-privacy-act\/\">Colorado [Colorado Privacy Act (CPA)]<\/a> have also passed state-level privacy laws.<\/p>\n<p>Until the CPPA is passed (or if it isn\u2019t), PIPEDA will remain in force in Canada, which also has privacy laws in place at the provincial\/territorial level. The GDPR and CCPA are extra-territorial, applicable to organizations that may not be headquartered or have a physical presence in the region covered by the law. The CPPA does not address extra-territoriality.<\/p>\n<p>The GDPR covers employees broadly, not just federal ones, as the CPPA would. The CCPA is the only one of the laws with thresholds for which companies are subject to it, relating to annual gross revenue, the number of individuals whose data is processed annually, or the percentage of revenue generated from the sale of personal information. The CPPA and GDPR also require that companies have parties responsible for compliance, while the CCPA does not, though it does note the company\u2019s responsibility for compliance and data protection.<\/p>\n<p>All three laws require contractual agreements to be made with third parties that would receive and process personal information, with some exceptions. Data subjects must be notified before their data is accessed by any new or additional third parties, or if the purpose of processing communicated changes.<\/p>\n<p>All three laws differ with regards to transferring data out of the country\/region. The CPPA does not have restrictions on it, the GDPR requires \u201cadequacy agreements\u201d with all countries or regions to which data would be transferred, and the CCPA has provisions in the instance of mergers or acquisitions. 
It requires that consumers be able to opt out if how their data is to be used changes from the circumstances under which it was collected, which could include transfers and third parties to whom it would be sent.<\/p>\n<p>The CPPA and GDPR provide individuals with rights to data portability, but the CCPA does not. Under the California law companies only have to provide various kinds of information about the data collected to the data subject. The CPPA and GDPR address use of data for automated decision-making, but the CCPA does not. The closest it gets is the right to non-discrimination. Neither the CPPA nor GDPR explicitly enable individuals to opt out of automated decision-making, but the GDPR does enable individuals to require the decisions that have a legal effect to be made by a human. The CPPA requires a company to clearly explain what data is being used and how in the automated decision-making upon request.<\/p>\n<p>All three laws outline requirements for user consent, with some exceptions, and all three laws provide rights to erasure of data, also with some exceptions. The CCPA is the only one of the laws that does not require user consent before data collection, only before sale or sharing of it. The GDPR outlines six legal bases for processing personal data, of which consent is only one. Canada\u2019s Privacy Commissioner already has <a href=\"https:\/\/www.priv.gc.ca\/en\/privacy-topics\/collecting-personal-information\/consent\/gl_omc_201805\/\" target=\"_blank\" rel=\"noopener\">published guidelines for obtaining meaningful consent<\/a>, which would make sense to maintain, update, or expand if the CPPA is passed.<\/p>\n<p>All three laws also have transparency requirements, so notifications and relevant information for individuals must be clear and detailed with regards to the request being made or information provided. 
The CCPA explicitly requires websites to have a clearly displayed \u201cDo Not Sell My Personal Information\u201d link.<\/p>\n<p>All three laws have requirements for organizations to have privacy management programs, including maintained systems, assessments, etc. The GDPR particularly notes that this is required in higher-risk situations, whereas the CPPA notes that privacy-related systems and operations need to be maintained generally, not just if there\u2019s a breach. The CCPA relies on California law\u2019s general breach notification statutes for how such events must be handled, but the CPPA and GDPR go into greater detail, particularly regarding reporting, notifications, and recordkeeping.<\/p>\n<p>All three laws provide individuals with private right of action against companies. The CPPA requires the Privacy Commissioner and Tribunal\u2019s involvement, and the CCPA is the only one of the laws with floor and ceiling amounts regarding damages. The CPPA would substantially increase potential penalties for violations over what they were under PIPEDA, with these amounts more in line with fines under the GDPR, and based on the company\u2019s annual revenue. The CCPA outlines a monetary range per violation, per user, which may look less substantial initially, but US $2,500 to US $7,500 times millions of users could be a lot of money, especially since there isn\u2019t an upper limit set for fines.<\/p>\n<p>Under the GDPR, each region has its own enforcement authorities (typically country-based), whereas in Canada it\u2019s handled federally by the Privacy Commissioner and Tribunal. With the CCPA being a state-level law, enforcement falls to the California Attorney General. 
Under the CCPA\u2019s partial replacement, the CPRA, a new enforcement agency will be in place, the California Privacy Protection Agency (confusingly, also CPPA).<\/p>\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n<p>If and when passed into law, CPPA regulations will replace the previous 20-year-old PIPEDA legal framework. While both frameworks are designed to support the information privacy rights of individuals, the CPPA brings about some marked changes. Significant among them is the increased power granted to the Privacy Commissioner and the addition of substantially higher financial penalties for organizations proven to be in violation of CPPA regulations.<\/p>\n<p>Consumers would gain greater freedom to request access to their personal data and\/or request the removal of their personal information from company databases. Organizations would also be granted broadened parameters under which information can be legally used without consent. While there are notable differences in scope and details between the CPPA, the EU\u2019s GDPR, and California\u2019s CCPA\/CPRA, the CPPA would bring Canadian regulations in line with those and other global privacy regulations, such as <a href=\"https:\/\/usercentrics.com\/lgpd\/\">Brazil\u2019s LGPD<\/a>, <a href=\"https:\/\/usercentrics.com\/popia\/\" target=\"_blank\" rel=\"noopener\">South Africa\u2019s POPIA<\/a>, and China\u2019s PIPL for an increasingly digital world.<\/p>\n<p>Do you have questions about how changes to Canadian privacy law could affect your business? <a href=\"https:\/\/usercentrics.com\/book-a-consultation\/\" target=\"_blank\" rel=\"noopener\">Talk to an expert today<\/a>!<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>Canada\u2019s Bill C-11 would greatly modernize the country\u2019s privacy law. 
We will take a look at one of the two acts it includes, the Consumer Privacy Protection Act.<\/p>\n","protected":false},"featured_media":2098,"template":"","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"tags":[],"magazine_issue":[],"magazine_tag":[],"resource_tag":[14],"class_list":["post-346","knowledge","type-knowledge","status-publish","has-post-thumbnail","hentry","resource_tag-privacy"],"acf":[]}