What are the privacy laws in Canada?

There are various privacy laws in Canada that apply in different contexts, but this post will focus on two laws that marketers and publishers should be aware of: PIPEDA, which is currently in effect and undergoing significant updates, and Quebec’s privacy law, Law 25 (formerly Bill 64), most of which came into effect in 2023 and may set a precedent for federal and/or other provincial privacy laws. 

Quebec’s Law 25 and discussions around potential amendments to PIPEDA demonstrate recent efforts to modernize Canada’s privacy laws, bringing them more into line with the realities of today’s digital marketing and advertising ecosystem.

FAQs on Quebec Law 25 and PIPEDA

My company is headquartered outside Canada; do PIPEDA and Quebec’s Law 25 apply?

Regardless of their headquarters, all businesses that operate in Canada and handle personal information that is transferred across provincial or national borders, or within certain sectors, such as banking, telecommunications or transportation, are subject to PIPEDA.

Certain provincial private-sector laws, like Quebec’s Law 25, have been “deemed substantially similar to” PIPEDA, and apply to most organizations operating within the applicable province.

Quebec’s Law 25 specifically applies to enterprises that perform the collection, holding, use or communication to third parties of personal information of a Quebec resident. There is no requirement that the enterprise be based in Quebec, nor does it have a consumer threshold for applicability.

What are the fines under Canadian privacy laws?

Under Law 25, organizations may be liable for penalties up to the greater of CAD 10 million and 2% of global turnover, or in the case of penal proceedings, the greater of CAD 25 million and 4% of global turnover, which may be doubled in the event of subsequent offenses. 

Law 25 is also quite unique in that it provides a private right of action; if the court finds that the violation was done on purpose or due to a major mistake (gross fault), the court must order the violator to pay the consumer at least CAD 1,000 in punitive damages.

Under PIPEDA, organizations may be liable for fines up to CAD 100,000. 

What is PIPEDA?

PIPEDA stands for the Personal Information Protection and Electronic Documents Act, which went into effect in 2000. It has been amended occasionally, most significantly with the addition of breach notification obligations in 2015, but recent years have seen a push for a more significant overhaul. 

In May 2022, the Office of the Privacy Commissioner of Canada (OPC) issued key recommendations for federal privacy legislation that would protect digital innovation while recognizing privacy as a fundamental human right. Specifically, the  OPC recommended a privacy law that enables responsible innovation, adopts a rights-based framework, increases corporate accountability, ensures interoperability of laws, adopts quick and effective remedies, and gives the OPC tools to adopt a risk-based approach while being transparent.

Subsequently, the Canadian parliament has been debating the proposed Canadian Consumer Privacy Protection Act (“CPPA”), part of Bill C-27, which would bring much needed updates to PIPEDA.

Would Bill C-27 replace PIPEDA?

Federal Bill C-27 would actually enact three laws: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. The CPPA component of the bill seeks to amend the existing Personal Information Protection and Electronic Documents Act (PIPEDA) concerning the collection and use of personal information for commercial activities. Under this law, consent is generally required, except for certain limited activities such as security or safety measures, providing a product or service, or in cases of legitimate interest. However, legitimate interest cannot be used as a basis for data collection if the purpose is to influence an individual’s behavior or decisions, or if a reasonable person would not expect such collection.

What is Quebec’s data privacy law?

Quebec’s privacy law, known as Law 25, comes into force in three phases, with most of the substantive provisions coming into effect in September 2023. It introduces several new requirements that bring it into closer alignment with GDPR, particularly regarding transparency and consent, although there are some distinctions. Partially in response to this, the IAB Canada launched its own compliance framework, the TCF Canada, based on the TCF framework, originally designed for GDPR.

Is Quebec’s Law 25 similar to GDPR?

Quebec’s transparency requirements are similar to GDPR, although Law 25 contains more specific requirements regarding technologies used for profiling. Organizations must provide the following information to individuals upon collection of their personal information:

1. The purposes of the collection
2. The means of collection
3. The rights of access and rectification
4. The person’s right to withdraw consent to the communication or use of the information collected

Additionally, if applicable, organizations must inform individuals about:

1. The name of the third party for whom the information is being collected
2. The categories of third parties to which it is necessary to communicate the information (e.g., service providers)
3. The possibility that personal information could be communicated outside Quebec

Organizations must publish a privacy policy on their website if they collect personal information through technological means, drafted in clear and simple language. They must also inform individuals of any collection of personal information using technology that includes functions allowing the individual to be identified, located, or profiled, as well as the means available to activate such functions.

Is consent required under Quebec’s privacy law?

Unlike the GDPR, Quebec’s Law 25 allows for implicit consent in most circumstances. This means that, except in certain situations such as the collection of sensitive personal information, a user’s continued use of a service after being provided with a privacy notice is sufficient to constitute consent. This approach differs from the explicit consent model commonly required under the GDPR, where users typically must actively agree, for example, by checking a box or clicking “I agree.”

In the case of sensitive data, Law 25 mandates express consent. Sensitive personal information includes medical, biometric, or otherwise intimate data that entails a high level of privacy expectation. Additionally, consent for individuals under 14 years old must be obtained from a person with parental authority or a guardian.

This framework aims to balance the need for user consent with practical considerations for businesses while ensuring that more stringent protections are in place for sensitive information and vulnerable populations.

If you’re interested in learning more about using a CMP to help you comply with Canada privacy law, register for our upcoming webinar