Last Updated on December 15, 2022 by Satyendra
Not to be confused with the California Consumer Privacy Act (CCPA), the Consumer Privacy Protection Act (CPPA) is a modernization of Canada’s existing data privacy regulations. Similar to the GDPR, the CPPA (Bill C-11) applies to any organization that processes the personal data of Canadian citizens for commercial purposes, regardless of where they are located.
The last revision of the CPPA was on June 16, 2022, although it is unclear exactly when the CPPA will officially come into force.
As mentioned above, the CPPA is designed to replace the existing Personal Information Protection and Electronic Documents Act (PIPEDA). While the CPPA doesn’t change the scope of the PIPEDA, it does give consumers elevated rights when it comes to pursuing legal action against companies who fail to adequately protect the confidentiality of their data. Likewise, the CPPA also extends the consent requirements to ensure that companies are providing clear and concise privacy notices that inform data subjects about how and why their data is collected, stored, shared and used.
What are the Consumer Privacy Protection Act (CPPA) Requirements?
The CPPA necessitates significant changes to the way organizations handle sensitive personal data belonging to Canadian citizens. Below are the most notable CPPA requirements.
Appropriate data processing
The collection, disclosure, and use of personal data are restricted according to how sensitive the personal data is and whether the purposes for handling it are legitimate. Data controllers must also ensure that data subjects have the right to request the transfer of their data from one organization to another, and that they are transparent regarding the use of algorithms and artificial intelligence systems to process personal data.
Stricter consent requirements
As mentioned above, under the CPPA, companies must obtain full and explicit consent from the data subject before collecting, processing, disclosing, and using their personal data. The information provided to the data subject must be written in “plain language”, and should include the following:
- The purpose for collecting, using, and disclosing personal data;
- How and why personal data is collected, used, or disclosed;
- The type of personal data that will be collected, used, or disclosed;
- A list of third parties with whom the controller intends to share personal data;
- The potential consequences of mishandling personal data.
NOTE: Data subjects must be allowed to revoke their consent at any time by providing “reasonable notice” to the data controller.
Private right of action
Under the CPPA, the Privacy Commissioner will be granted additional powers to investigate and audit privacy-related business activities, and also initiate inquiries into alleged violations of the CPPA. If a data controller is found to be in violation of the CPPA, the affected data subject will be allowed to pursue a “private right of action”, which may involve taking the controller to the Federal Court or a superior provincial court. The data subject may claim any damages caused by the violation.
Penalties for non-compliance
A failure to comply with the CPPA could result in fines of up to 4% of a company’s total global revenue for the prior year, or CA $25 million – whichever is higher. While few companies will be required to pay this amount, it is still significantly higher than the maximum of CA $100,000 per violation, as defined under PIPEDA.
How can Lepide Help with CPPA compliance?
The Lepide Data Security Platform makes complying with the CPPA, or any other data privacy law, significantly easier.
To start with, the platform comes with data classification software that can automatically discover and classify personal data, as defined by the CPPA. This in turn makes it easier to implement access controls to prevent unauthorized access.
Lepide can help you make sure that your users don’t have unnecessary access to sensitive data by reporting on users with excessive permissions based on their data usage patterns. Failing to protect sensitive data by allowing unnecessary, over-privileged access to it could be seen as a breach of the CPPA.
Likewise, you’ll need to ensure that you are able to monitor what your employees are doing with that data (the ones who have legitimate access to it, that is). When user behavior deviates from the norm, Lepide can alert you and generate an automated response of your choosing, all in real time.
Lepide also allows you to easily generate pre-defined reports that are customized to meet the requirements of the CPPA, which can be sent to the relevant authorities to demonstrate compliance, if/when necessary. It also stores a detailed audit log, to help with future investigations.
If you’d like to see how the Lepide Data Security Platform can help you comply with the CPPA, schedule a demo with one of our engineers.