In recent years, the media has been buzzing about what many call “the trust factor” and what it means in regards to data privacy. Consumers have become increasingly wary of how businesses use, distribute, or sell their information. So many municipalities across the globe have implemented comprehensive legislation to protect consumers’ information from suspect activity. Canada is one example of a country that has tackled data privacy issues head-on by coming up with new legislation to safeguard consumer data. But what does the Digital Charter Implementation Act (DCIA) and associated Consumer Privacy Protection Act (CPPA) mean for businesses like yours? Get in the know to keep your customers protected and keep your business out of legal hot water.
November 2020: Canada Introduces Digital Charter Implementation Act (DCIA)
On November 17, 2020, the Canadian government introduced the Digital Charter Implementation Act. Which includes the Consumer Privacy Protection Act – a privacy-focused arm of the legislation. Which is an expansion to Canada’s pre-existing privacy law. This change serves to increase protections for Canadians’ personal information.
The change comes as jurisdictions around the world double-down on their data protection and privacy laws to better protect consumers. In a news release, Innovation Minister Navdeep Bains said, “As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled. ... For Canada to succeed, and for our companies to be able to innovate in this new reality, we need a system founded on trust with clear rules and enforcement.”
Consumer Privacy Protection Act as Part of the DCIA
The Consumer Privacy Protection Act was introduced for the purpose of giving Canadians more control of their information. And gaining greater transparency into how companies handle this information. It also outlines new consequences – such as steep fines – for businesses that do not comply with these laws.
What Does the Consumer Privacy Protection Act (CPPA) Do?
Through the CPPA, the Canadian government aims to establish a new privacy law for the private sector – that is, for consumers and their personal data. It protects the personal information of individuals while acknowledging the need of organizations to collect, use, or disclose this information in the course of their “commercial activities”.
The CPPA includes five primary objectives, which are:
- To provide “plain-language information for consumers so they can fully understand and meaningfully consent to the ways in which their data will, or will not, be used”;
- Give consumers the freedom to “transfer their private data between multiple private entities”;
- To provide the ability for consumers to be able to “withdraw their data-usage consent and have their personal information be properly and permanently disposed of”;
- To increase “algorithmic transparency requirements, with an emphasis on any systems relying on artificial intelligence or implicated in automated decision-making”; and
- Provide the ability for consumers to have “personally identifiable information about themselves removed in certain circumstances”.
How is the CPPA Enforced?
The CPPA proposes steep fines for potential violations, the highest monetary penalty being up to $25 million CAD ( approx. $19.5 million USD) or 5% of a company’s revenue, whichever is more. Additionally, the Privacy Commissioner is provided broad order-making powers. Including the ability to force an organization to comply with CPPA requirements and to stop collecting data or using consumer information.
Another enforcement tool is the availability of a “private right of action” for Canadian citizens. However, this can only be triggered if Canada’s Office of the Privacy Commissioner also determines that a violation has occurred.
What Does the Consumer Privacy Protection Act Mean for Your Business?
It’s in your organization’s best interest to comply with CPPA requirements in order to avoid hefty fines. And maintain your right to use consumer information in a way that serves your business while protecting your customers. Businesses often collect information to inform their marketing strategies, provide customers with personalized offers, etc. Playing by the CPPA rules is the best way to maintain your business’s growth trajectory.
Specifically, here are a few things to know when it comes to what the CPPA means for your business:
- You must obtain meaningful consent to collect, use, or distribute consumer information. This includes using “plain language” (i.e. layman’s terms) to explain to consumers how their data is being collected or used so they can make informed decisions about whether they want to provide certain information.
- You must make it easy for individuals to transfer their information from one organization to another. This means giving consumers options in regards to how they want their information to be stored. And providing clear steps for how they can transfer their information to other organizations.
- You must dispose of personal information securely and give individuals the option to withdraw their consent. The CPPA allows individuals to request that your organization dispose of personal information and grants them the right to withdraw consent for the use of their information.
- You must be transparent about how your business uses algorithms or systems (such as Artificial Intelligence). How you make predictions, offer product recommendations, etc. that may influence a consumer’s buying behavior. The CPPA grants Individuals the right to request that your organization explain how a prediction, product recommendation, or decision was made by an automated decision-making system/algorithm.
- You must follow CPPA guidelines in regards to how information is collected via social media. The CPPA ensures that Canadians have the ability to demand that their information on social media platforms be permanently deleted. And they can withdraw consent for data collection. The Privacy Commissioner also has the ability to order your social media company to comply, including ordering you to stop collecting data.
- Your organization must maintain a privacy management program. The CPPA requires organizations to establish a privacy management program that outlines policies and procedures. The organization must follow to protect personal information, deal with privacy complaints, etc. Your organization must also allow “on-demand” access to the Office of the Privacy Commissioner of Canada if they request to see these policies.
Benefits of the CPPA for Consumers and Businesses
As much as the implementation of new rules seems like it would be a buzzkill for businesses, the CPPA actually brings many benefits for businesses and consumers alike. Better data protection makes everyone happy, helping businesses gain trust from their customers and implement more ethical business practices.
The CPPA helps ensure that Canadians can trust that their privacy is respected by the organizations and companies they interact with. At the same time, organizations have the freedom to innovate and grow. But with a few more guidelines for how to keep consumers safe.
The CPPA helps businesses and consumers:
- Simplify consent – The use of personal information is often an essential factor in helping businesses deliver their product or service to consumers. In this digital economy, consumers have come to expect that their data will be used for such purposes. Under the CPPA, there will be less of a burden on businesses to obtain consent when it does not provide any meaningful privacy protection. This means fewer barriers between companies and the customers they serve.
- Use data for good – Some degree of data sharing is important when it comes to streamlining system efficiency and solving common consumer problems. Having this data readily available makes it easier for consumers to access their information across organizations. Avoiding time-consuming and costly errors. This legislation allows businesses to disclose certain information to public entities for socially beneficial purposes (such as public health and environmental protection causes).
- Understand data privacy best practices – This legislation allows organizations to ask the Privacy Commissioner to approve “codes of practice” that outline clear rules for how the CPPA applies to certain commercial activities. This makes it easier for businesses to comply, navigate complex data privacy issues. And provide the right information to their customers.
- De-identify information – The CPPA allows for the use of de-identified information and clarifies when it can be used without an individual’s consent. In short, this means that an organization may not have to obtain consent if they are to collect and use information. Information that does NOT include identifying information (such as an individual’s name, address, phone number, or email address).
Data Privacy Best Practices to Follow
Navigating the continuously shifting terrain of data privacy legislation can seem like a minefield to businesses. Fortunately, there are many resources online to assist organizations in implementing data protection best practices and avoiding costly legal blunders. To help, here are a few best practices your organization can employ:
- Look at data privacy holistically. Data privacy is a concern to your organization as a whole; it should be seen as an important risk management issue that’s of interest to everyone in your organization. As a team, you can brainstorm ways to better protect your customers while inspiring even more innovation in your organization.
- Vet your vendors. Make sure the third-party organizations, software, etc. you work with also follow security and privacy best practices. A blunder on their part could end up hurting your business and breaking trust with your customers.
- Map your customer data. At which “checkpoints” is data collected, stored, distributed, or used? Map out your data “lifecycle” to identify any gaps in your system and discover new ways to protect consumers at every stage.
- “Make sure your practices match your promises”. Your organization should have clear privacy policies, but you also need to be held to these obligations. In other words, make sure to practice what you preach.
- Review and update your privacy practices regularly. Make a point of re-examining your policies on a regular basis to ensure compliance or even find new ways to better protect your customers.
Maintain CPPA Compliance at Every Step
From marketing your business to generating leads to offering product recommendations. Your business uses data to better serve your customers and increase your revenue. With so many steps in the process, it’s important to follow CPPA requirements at every step. If you are a Canada-based company or serve customers in Canada, maintaining CPPA compliance is essential.
At Visitor Queue, we help businesses generate more B2B leads through their website using ethical data collection. Website visitors are able to consent to have their data collected and used. So you can rest easy knowing your new leads are excited for your business to reach out. Take the stress out of data privacy by partnering with Visitor Queue as your #1 lead generation software.