What was billed by the Canadian Marketing Association as a keynote speech on the Trudeau government’s proposed private-sector privacy legislation by a senior minister turned into a two-minute welcome to the CMA’s annual privacy conference.
Industry Minister François-Philippe Champagne said the proposed Bill C-27, which introduces the Consumer Protection Privacy Act, (CPPA) will “set a new standard when it comes to protecting children’s privacy. Minors and their parents will have more power to control the personal information they share online.”
“As marketers,” he told the online conference, “you are at the forefront of helping people find products and services to make their lives better. I am convinced that this new framework will enable you to work more effectively while also upholding important safeguards for Canadians’ privacy and data. Together we are building a better, safer and more prosperous Canadian economy.”
And after wishing attendees a good conference, his video statement ended.
That left time to reflect on a panel discussion by marketing and legal pros on the possible impact of the CPPA and the proposed Artificial Intelligence Data Act, should they survive their present form.
The legislation is perhaps a year from being implemented. C-27 still has to be debated before a parliamentary committee, which will hear from witnesses, and then go through the Senate. The government will also have to create regulations with some definitions to go along with the legislation.
“The overall positive aspect for both business and marketers is it achieves a balance, and there is flexibility,” said Amanda Maltby, general manager of corporate compliance and regulatory affairs at Canada Post. They will still be able to speak to consumers and to innovate, she added.
Like the current Personal Informational Protection and Electronic Documents Act, the CPPA has a principles-based framework, she said.
And while the Privacy Commissioner would be given new order-making powers, “generally this approach … is something biz and marketers will be able to operate under.”
David Elder, head of the data protection group at the Stikeman Elliot law firm, also described the proposed legislation as “pretty well-balanced.”
While there are exceptions to the need for businesses to get explicit consent from people to capture and use their personal data, he said, these aren’t available if the data is to be used for influencing behaviors or decisions — which is what marketers do. So, Elder concluded, CPPA means “stay the course” for the industry on consent issues.
But, he added, the CPPA would require companies to be more transparent about how automated decision-making applications work. So theoretically, he said, any predictive modeling or a product recommendation engine available to customers might be included.
Sahil Razdan, legal counsel for the Postmedia Network chain of newspapers and websites, noted that the CPPA would allow customers to withdraw their consent for their personal data to be collected by website cookies or other means. Marketers will have to think about data deletion or anonymization strategies, he said.
Under PIPEDA, there has always been the right to withdraw consent, Elder pointed out, but CPPA would make it more explicit.
Elder also noted that under the CPPA, an organization doesn’t have to get explicit consent from individuals if their data is transferred to a third party for processing — but, he added, the original data collector is still responsible for a third-party data breach.
Asked to give their top tips to marketers to prepare for C-27, Razdan said firms should try to better understand their customers’ views on privacy — how much personal data they want to keep, how much they are willing to share. Explaining why personal data is collected and how it will be used “will become the new norm,” he added.
Now is the time companies should review their privacy policies, and the website FAQs that explain them, Elder said. Firms should also think carefully about how their automated decision-making systems work.
Marketers in large firms should get to know the people who have to know the law — compliance and legal staff — said Maltby. Small and medium-sized organizations need to better understand the flow of personal data in their companies and what consents are attached to that data. “What is the current conversation you’re having with your customers about using their personal information?” she asked. “If you’re not having one … you really should.”