Canada’s Consumer Privacy Protection Act and Bill C-11

Canadians’ privacy protections nearly received a significant boost in 2021 with Bill C-11, which was introduced by the Federal Government back in November 2020, and included the proposed Consumer Privacy Protection Act (CPPA). 

The CPPA would have enhanced parts of Canada’s existing privacy laws and given new powers to the Office of the Privacy Commissioner (OPC).

Bill C-11 “died on the order table” after the Canadian election this summer, meaning that the bill did not pass into law as planned. 

But—particularly with stronger privacy laws springing up across Canada’s provinces—C-11 is likely to return in some form soon. That means businesses have an opportunity to familiarize themselves with the proposed new rules and prepare for some changes.


What Is Bill C-11?

Bill C-11 was part of Canada’s Digital Charter Implementation Act and consisted of two parts:

  • Consumer Privacy Protection Act (CPPA) 
  • Personal Information and Data Protection Tribunal Act (PIDPT)

We’ll focus on the CPPA, which would update Canada’s existing federal privacy law, the Personal Information Processing and Electronic Documents Act (PIPEDA). The CPPA would amend certain rights under PIPEDA and hand stronger enforcement powers to the OPC.

The latter of the two acts above, the PIPDT, would introduce a tribunal tasked with hearing appeals of the OPC’s decisions.


What Is the Consumer Privacy Protection Act (CPPA)?

There are many similarities between the CPPA and PIPEDA, including that both laws apply to private sector organizations operating in a commercial context. 

We’re going to look at three of the most important differences between these two laws in the areas of consumer rights, consent, and enforcement.


Consumer Rights

PIPEDA already confers some basic data protection rights on individuals in Canada, including the rights to access and correct personal information. The CPPA provides the following additional consumer rights:

  • The right to withdraw consent: Individuals may withdraw consent for data processing at any time (unless prohibited by the “reasonable terms of a contract”)
  • The right to be informed about automated decision-making: Individuals may receive an explanation of any AI-based system used to make a “prediction, recommendation, or decision” about them.
  • The right to data portability: Individuals have the right to the “mobility of personal information.” Organizations would need to transfer an individual’s personal information to a designated third party in a portable format on request. This obligation would be governed by further CPPA regulations.



The CPPA would reform PIPEDA’s rules on consent—but the act would not go as far as other important data protection laws, such as the EU’s General Data Protection Regulation (GDPR).

Canada’s existing PIPEDA law recognizes “express” and “implied” consent, and the CPPA would not change that. Instead, the new act would bring much of the OPC’s non-binding Guidelines for Obtaining Meaningful Consent into law.

The CPPA’s consent rules would specify the information that organizations must provide before requesting or inferring consent. This information includes the organization’s purposes for collecting the data and the names of any third parties to whom the data may be transferred.

The law would also clarify that organizations must generally have a person’s consent before collecting, using, or transferring their personal information, except where the organization is:

  • Delivering services requested by the individual
  • Carrying out due diligence for risk prevention purposes
  • Using the personal information to support the organization’s system, network security, or product safety
  • Reasonably unable to obtain consent due to the lack of a direct relationship with the individual


Enforcement and Sanctions

The CPPA would significantly increase the penalties available to the OPC. Organizations found to have violated the CPPA could face fines of up to:

  • 3% of gross global revenues for the previous year or up to 10 million CAD for less serious offenses
  • 5% of gross global revenues for the previous year or up to 25 million CAD for more serious offenses

The act would also introduce a private right of action, enabling consumers to sue organizations that had violated their rights under the CPPA.

Find out more about how Cassie can help your business with our proven Cookies, Consent and Preference Management solution and contact us today.