What are the privacy laws in Canada?
June 6, 2022
There are various privacy laws in Canada that apply in different contexts, but this post will focus on two laws that marketers and publishers should be aware of: PIPEDA, which is currently in effect and may undergo additional changes, and Quebec’s privacy law, Bill 64, most of which will go into effect in 2023 and may set a precedent for federal and/or other provincial privacy laws.
Quebec's Bill 64 and the discussions around potential amendments to PIPEDA reflect recent efforts to modernize Canada's privacy laws and bring them more into line with the realities of today's digital marketing and advertising ecosystem.
My company is headquartered outside Canada; do PIPEDA and Quebec’s Bill 64 apply?
Regardless of their headquarters, all businesses that operate in Canada and handle personal information that is transferred across provincial or national borders, or within certain sectors, such as banking, telecommunications or transportation, are subject to PIPEDA.
There are certain provincial private-sector laws that have been “deemed substantially similar to” PIPEDA, like Quebec’s Bill 64, which apply to most organizations that operate within the applicable province.
Quebec’s Bill 64 applies to the collection, holding, use or communication to third parties of personal information in the course of carrying on a private enterprise operating in Quebec.
What are the fines under Canadian privacy laws?
Under Bill 64, organizations may be liable for penalties up to the greater of CAD 10 million and 2% of global turnover, or in the case of penal proceedings, the greater of CAD 25 million and 4% of global turnover, which may be doubled in the event of subsequent offenses.
Under PIPEDA, organizations may be liable for fines up to CAD 100,000.
What is PIPEDA?
PIPEDA stands for the Personal Information Protection and Electronic Documents Act and it went into effect way back in 2000. It has been amended on occasion since then, most significantly with the addition of breach notification obligations in 2015, but recent years have seen a push for a more significant overhaul.
The last attempt at an overhaul of PIPEDA died in 2021. However, in May 2022, the Office of the Privacy Commissioner of Canada (OPC) issued key recommendations for federal privacy legislation that would protect digital innovation while recognizing privacy as a fundamental human right. Specifically, the OPC recommends a privacy law that enables responsible innovation, adopts a rights-based framework, increases corporate accountability, ensures interoperability of laws, adopts quick and effective remedies, and gives the OPC tools to adopt a risk-based approach while being transparent.
In September 2021, Quebec passed its own privacy law, Bill 64, which received strong support from the OPC.
What is Quebec’s data privacy law?
Quebec's privacy law, known as Bill 64, comes into force in three phases, with most of the substantive provisions (including provisions affecting consent mechanisms) coming into force in September 2023. It has a number of new requirements that bring it into closer alignment with GDPR with regard to transparency and consent, although there are some definite distinctions between the two laws. Because of this, IAB Canada has been working to expedite a TCF framework for Canada. The TCF framework, originally designed for GDPR, lends itself to a Canadian adaptation. The TCF Canada framework is expected to be launched later this year, so watch this space.
Transparency requirements under Quebec’s privacy law
Quebec’s transparency requirements are fairly similar to GDPR, although Bill 64 contains more specific transparency requirements with respect to technologies used for profiling.
Organizations must provide the following information to individuals upon collection of their personal information:
- the purposes of the collection;
- the means of collection;
- the rights of access and rectification; and
- the person’s right to withdraw consent to the communication or use of the information collected.
If applicable, the following information must also be provided:
- the name of the third party for whom the information is being collected;
- the categories of third parties to which it is necessary to communicate the information for the purposes of the collection (i.e. service providers);
- the possibility that personal information could be communicated outside Québec.
Organizations must also inform individuals of any collection of personal information using a technology that includes functions allowing the individual to be identified, located or profiled, as well as the means available to activate such functions.
Consent requirements under Quebec’s privacy law
Unlike GDPR, under Quebec’s Bill 64 consent can, in most circumstances, be implicit, rather than explicit; in other words, except in certain circumstances such as collecting sensitive personal information, a user’s continuation after receiving the privacy notice is sufficient to constitute consent, even if the user is not explicitly asked to check a box or click “I agree”.
In the case of sensitive data, express consent is required, and consent for persons under 14 years old must be provided by a guardian.
If you're interested in learning more about using a CMP to help you comply with Canadian privacy law, contact us.