Recent press around the California Consumer Privacy Act of 2018, passed last week, may have Canadian business leaders wondering how they’re going to comply with another foreign privacy law, but a leading expert says they have little to worry about.
In fact, former Ontario Privacy Commissioner, Privacy By Design architect, and Ryerson University Privacy by Design Centre of Excellence leader Ann Cavoukian says that the updates to Canada’s privacy laws proposed by the Standing Committee on Access to Information, Privacy and Ethics are likely to leave Canada’s privacy laws stronger than California’s.
“I think we have very strong legislation to begin with,” Cavoukian tells IT World Canada, noting that Canada’s existing Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to identify when they’re collecting user information, and why, and even obtain consent – though as experts such as University of Ottawa law professor Michael Geist have noted, many companies interpret its standards loosely.
In February, the Standing Committee recommended that the federal government take a page from the European Union’s recently enacted General Data Protection Regulation (GDPR), and adopt Cavoukian’s seven Privacy By Design principles in developing its much-needed update of Canada’s privacy laws.
Those principles include adopting privacy as the default setting by requiring users to explicitly opt in if they want their data shared.
“We know that [federal privacy commissioner] Daniel Therrien is trying to get PIPEDA upgraded,” Cavoukian says. “It’s dated. By adding privacy by design to it, we’ll achieve essential equivalence with the GDPR.”
By contrast, the California act’s principles are similar to PIPEDA’s: it requires companies that store personal information, such as Google and Facebook, to disclose the type of data they collect and allow users to opt out of having their data sold.
In other words, Cavoukian says, it allows companies to continue collecting user data by default.
“I don’t want to sound negative because I think it’s great that California passed this law, and so quickly,” she says. “It’s better than nothing but it is arguably weaker than GDPR. GDPR is predicated on a positive consent model, California’s is opt out – and Canada is looking to strengthen our law to achieve essential equivalence with the GDPR.”
Cavoukian emphasizes that she is glad California’s legislation is “waking up” companies across the U.S. to the risks of unchecked data gathering.
“The U.S. has many sector-specific privacy laws, but California’s is quite broad, and my understanding is it’s alarming many businesses because they will have to take a lot of measures,” she says. “If someone says they don’t want their information sold, the companies have to ensure that customer’s information is not being sold to data brokers and advertising companies. And that’s a real positive.”
It’s also where Canadian companies should already be as our federal government strengthens its own laws.