Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyFeaturesCybersecurityInternational LawPrivacyTechnology Media and Telecom

A Compliance Briefing for Privacy Officers on the New Canadian Consumer Privacy Protection Act

By John Beardwood and Shan Arora
September 01, 2022

Part One of this series discussed the history of Canada's recently introduced Consumer Privacy Protection Act and reviewed the similarities with GDPR, such as data portability, the right to be forgotten, codes of practice, and a safe harbor provision. Part Two analyzes the new compliance requirement of valid consent.

Other New Compliance Requirements

While necessarily not exhaustive, we have highlighted below some of the other new compliance requirements which should be of most interest to privacy officers.

Valid Consent

PIPEDA already imposes a reasonably robust set of requirements on organizations in order to ensure that the consents that they obtain from data subjects are clear and informed:

  1. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used.
  2. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  3. The consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization's activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.

The Act, however, takes a complete recut of the language outlining the preconditions which are required to be met in order for a consent to be valid:

  1. at or before the time that the organization seeks the individual's consent, it must provide the individual with the following information:
    1. the purposes for the collection, use or disclosure of the personal information
    2. the manner in which the personal information is to be collected, used or disclosed;
    3. any reasonably foreseeable consequences of the collection, use or disclosure of the personal information;
    4. the specific type of personal information that is to be collected, used or disclosed; and
    5. the names of any third parties or types of third parties to which the organization may disclose the personal information (Section 15(3)); and
  2. the information in the consent must be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand" (Section 15(4)).

By requiring that the information in the consent has to be provided in "plain language that an individual to whom the organization's activities are directed would reasonably be expected to understand," the Act introduces a somewhat subjective standard. It is not fully subjective: that would require that the actual recipient would reasonably understand. Rather, this is directed at the 'target' recipient of the organization. That being said, apart from consents addressed at children or individuals with limited capacity, it is difficult to see how the vast range of individuals to whom an organization's activities are directed would be affected by this requirement.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Role and Responsibilities of Practice Group Leaders Image

Ideally, the objective of defining the role and responsibilities of Practice Group Leaders should be to establish just enough structure and accountability within their respective practice group to maximize the economic potential of the firm, while institutionalizing the principles of leadership and teamwork.

Removing Restrictive Covenants In New York Image

In Rockwell v. Despart, the New York Supreme Court, Third Department, recently revisited a recurring question: When may a landowner seek judicial removal of a covenant restricting use of her land?