Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityInternational LawPrivacyTechnology Media and Telecom

A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act

By John Beardwood and Shan Arora
September 01, 2022

Part One of this series discussed the history of Canada's recently introduced Consumer Privacy Protection Act and reviewed the similarities with GDPR, such as data portability, the right to be forgotten, codes of practice, and a safe harbor provision. Part Two analyzes the new compliance requirement of valid consent.

|

Other New Compliance Requirements

While necessarily not exhaustive, we have highlighted below some of the other new compliance requirements which should be of most interest to privacy officers.

|

Valid Consent

PIPEDA already imposes a reasonably robust set of requirements on organizations in order to ensure that the consents that they obtain from data subjects are clear and informed:

  1. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
  2. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  3. The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The Act, however, takes a complete recut of the language outlining the preconditions which are required to be met in order for a consent to be valid:

  1. at or before the time that the organization seeks the individual's consent, it must provide the individual with the following information:
    1. the purposes for the collection, use or disclosure of the personal information
    2. the manner in which the personal information is to be collected, used or disclosed;
    3. any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
    4. the specific type of personal information that is to be collected, used or disclosed; and
    5. the names of any third parties or types of third parties to which the organization may disclose the personal information (Section 15(3)); and
  2. the information in the consent must be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand" (Section 15(4)).

By requiring that the information in the consent has to be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand," the Act introduces a somewhat subjective standard. It is not fully subjective: that would require that the actual recipient would reasonably understand. Rather, this is directed at the 'target' recipient of the organization. That being said, apart from consents addressed at children or individuals with limited capacity, it is difficult to see how the vast range of individuals to whom an organization's activities are directed would be affected by this requirement.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.