Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityInternational LawPrivacyTechnology Media and Telecom

A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act

By John Beardwood and Shan Arora
September 01, 2022

Part One of this series discussed the history of Canada's recently introduced Consumer Privacy Protection Act and reviewed the similarities with GDPR, such as data portability, the right to be forgotten, codes of practice, and a safe harbor provision. Part Two analyzes the new compliance requirement of valid consent.

|

Other New Compliance Requirements

While necessarily not exhaustive, we have highlighted below some of the other new compliance requirements which should be of most interest to privacy officers.

|

Valid Consent

PIPEDA already imposes a reasonably robust set of requirements on organizations in order to ensure that the consents that they obtain from data subjects are clear and informed:

  1. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
  2. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  3. The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The Act, however, takes a complete recut of the language outlining the preconditions which are required to be met in order for a consent to be valid:

  1. at or before the time that the organization seeks the individual's consent, it must provide the individual with the following information:
    1. the purposes for the collection, use or disclosure of the personal information
    2. the manner in which the personal information is to be collected, used or disclosed;
    3. any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
    4. the specific type of personal information that is to be collected, used or disclosed; and
    5. the names of any third parties or types of third parties to which the organization may disclose the personal information (Section 15(3)); and
  2. the information in the consent must be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand" (Section 15(4)).

By requiring that the information in the consent has to be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand," the Act introduces a somewhat subjective standard. It is not fully subjective: that would require that the actual recipient would reasonably understand. Rather, this is directed at the 'target' recipient of the organization. That being said, apart from consents addressed at children or individuals with limited capacity, it is difficult to see how the vast range of individuals to whom an organization's activities are directed would be affected by this requirement.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers Image

In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit Image

Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.

Fresh Filings Image

Notable recent court filings in entertainment law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.