The information on this page is meant to be solution-focused and helpful for Canadian retailers navigating privacy and data reforms in Canada during and beyond COVID-19. If you have any questions or suggestions, please contact Kate Skipton at email@example.com. This page is not legal advice.
Recent privacy updates
- Privacy: Quebec retailers soon required to report breachesStarting September 2022, retailers in Quebec will be required to track and report confidentiality incidents (privacy breaches) and notify affected individuals. The … Continued
- Bill C-27: More privacy proposals made by federal governmentOn June 16, 2022, the federal government tabled a second set of major proposals to overhaul Canada’s main privacy law affecting … Continued
- New Quebec privacy rules set for Fall 2022In 2021, Quebec adopted a series of significant amendments, including much higher penalties for contraventions, to its main privacy law governing … Continued
COVID-19 privacy implications on retailers
COVID-19 has raised many privacy issues for retailers. These include what customer and employee information can be collected, analyzed and shared as retailers try to keep stores and staff safe. Cyber risk has also increased.
Privacy and data for Canadian retailers
Almost daily, we see and hear headlines about data privacy concerns, data breaches and overall misuse of data (e.g.: Cambridge Analytica, Desjardins). Increasingly, the retail landscape requires retailers to make use of data to create great customer experiences, while also protecting individuals’ personal information.
Privacy laws and regulations generally apply when a retailer handles information that can identify an individual person. Retailers collect personal information in many situations. An email address, clothing size, physical location, name, credit card number, IP address, web cookies and video camera footage – these are only some examples of personal data that retailers handle. This data often flows across physical and digital landscapes and often across many national and international legal jurisdictions.
Who regulates privacy in Canada?
Disclaimer: None of the information here is legal advice. This is to inform retailers concerned about regulatory and legislative developments relevant to privacy and to help them assess potential relevance to them.
Federal: The federal Office of the Privacy Commissioner of Canada (OPC) is the main regulator for retailers handling consumer personal information in Canada. The OPC administers Canada’s federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA is Canada’s main privacy law governing consumer information held by retailers. B.C., Quebec and Alberta also have their own private sector privacy legislation. This means that in many circumstances, the provincial law applies instead of the federal law. The OPC explains more about how this works. View information.
It is best to assess which law(s) apply on a case-by-case basis depending on the situation you are dealing with.
|PIPEDA applies if information crosses provincial/national borders during commercial activities.||PIPEDA applies without the complement of a regional, substantially equivalent private sector privacy law.|
|Prince Edward Island||Yes|
Regional: Every Canadian province and territory has a regulator, in the form of a Commissioner or Ombudsperson, who deals with that region’s legislation governing privacy legislation.
Regulators in Quebec, BC and Alberta address private sector privacy in those provinces. At times, they may conduct joint investigations with the federal Privacy Commissioner (view example). Four provinces have health privacy laws deemed substantially equivalent to PIPEDA and regulators that address them: Ontario, New Brunswick, Nova Scotia and Newfoundland and Labrador. View regional regulator list. View health privacy list.
Generally, privacy regulator involvement is triggered by a complaint from an individual, such as from a customer who shares personal information with a retailer and then feels that the retailer has not taken very good care of it. View more information
What’s happening in Canadian data privacy reform?
Privacy and data regulatory frameworks are currently undergoing significant reviews and reforms in Canada and internationally. The need for Canada to maintain “adequacy status” under Europe’s rigorous General Data Protection Regulation (GDPR) is part of what is driving Canadian privacy reforms. Businesses, including retailers, whose operations involve personal data flowing across regional and international borders will be looking at a more complex mosaic of stricter data privacy laws emerging over the next few years in Canada.
What potential new privacy rules should retailers expect?
The ongoing Canadian data privacy reforms involve a range of stricter new requirements intended to protect individuals’ personal information in the modern, data-driven world. Some new and enhanced rules commonly proposed across different Canadian jurisdictions include:
- Empowering individuals to have more control over their data. e.g.:
- Rigorous consent and transparency requirements,
- Right to have a company delete their data,
- De-indexing/the right to be forgotten (letting a person remove their information from search engine queries or databases),
- Data portability/data mobility (letting a person take all their data out of a company in portable format)
- Empowering individuals and regulators to hold companies more accountable, e.g.: mandatory breach notification, expanded audit powers, more administrative monetary penalties and fines, private rights of action for individuals.
- Anonymizing (also called “de-identifying”) datasets to help protect the identities of those whose information is contained in the data, as well as addressing the risks of re-identification.
- Requiring consideration, to varying degrees, of legal privacy protections in countries where companies send data for storage or analysis.
- Specific process requirements, like appointing a privacy officer and mandating privacy impact assessments (PIAs).
- Regulating autonomous decision making by technologies, e.g. artificial intelligence.
- New language in privacy policies, in plain and simple terms, to reflect all these proposed requirements.
Retailers may wish to look more closely at the regional and international markets in which they operate. They may wish to assess how their current approach to personal data protection fits with any potential new data privacy requirements.
The federal government has tabled a second set of major proposals to overhaul Canada’s main privacy law affecting retailers: Bill C-27, the Digital Charter Implementation Act, 2022. Their initial set of reform proposals, Bill C-11 tabled in 2020, timed out when the 2021 federal election was called.
Bill C-27 2022 was introduced a few days before Parliament finished sitting for the spring session. This left retailers, along with the many other stakeholders affected by federal privacy reform, the summer to explore how this new set of privacy reform proposals could affect them and their businesses. Among many other requirements, Bill C-27 2022 would establish a new federal law and new regulator specifically governing artificial intelligence and data, as well as penalties for breaking privacy rules to a maximum of 5 per cent global turnover or $25-million, whichever is higher. Bill C-27 2022 would replace the main Canadian privacy law governing retailers, PIPEDA, with proposed new legislation called the Consumer Privacy Protection Act.
Once Parliament resumes sitting in the fall, Bill C-27 will need to go through several stages in order for it to pass into law and modernize the rules that currently govern private sector privacy in most Canadian regions. RCC will share updates as relevant.
For more information:
In September 2021, Quebec passed a series of stringent new privacy amendments affecting retailers into law: Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
Strongly inspired by Europe’s General Data Protection Regulation (GDPR), these amendments contain many significant changes to Quebec private sector privacy law. These include new requirements for data transfers to service providers outside Quebec, new consumer rights like data portability, financial penalties at $25M or 4% of turnover and numerous others. The new law comes into force in staggered time periods of one to three years after September 2021, meaning that it will be in force in full by the end of 2024.
- Borden Ladner Gervais on Bill 64’s adoption and key business requirements
- PwC Canada on Bill 64 compliance requirements and costs
Ontario released a new Digital and Data Strategy in spring 2021. This included proposals for “Canada’s first provincial data authority” and a new artificial intelligence framework.
In summer and fall of 2021, the province also released and consulted on a White Paper proposing a new, made-in-Ontario privacy law. The White Paper included stringent data privacy proposals for new provincial private sector privacy legislation inspired by federal, Quebec and international privacy reforms.
After a hiatus due to an election, British Columbia resumed consultations on its review of its Personal Information Protection Act (PIPA) in spring and early summer 2021.
The Special Committee reviewing PIPA released their report, with 34 recommendations, in December 2021.
The recommendations address the following areas: alignment with other privacy legislation, new and emerging technologies (e.g. biometrics, automated processes and anonymization), meaningful consent, mandatory breach notification, disclosure of personal information, employer accountability, health information and augmented powers for the Office of the Information and Privacy Commissioner.
For more information: View full report.
Alberta held consultations during summer 2021 to inform the province’s review of its Personal Information Protection Act (PIPA).
For questions about these reforms, retailers can email firstname.lastname@example.org.
Disclaimer: None of the information here is legal advice. This is to inform retailers and others about regulatory and legislative developments relevant to privacy and to help them asses potential relevance to them.
Privacy resources for retailers
RCC Guidebook: Canadian Anti-Spam Law (CASL): Guidelines for Responsible Transmission of Electronic Messages (RCC members only)
CASL has been in force for several years and applies to email marketing and communications. This members-only Guidebook helps explain CASL for retailers (CASL may also see some changes as part of any forthcoming federal privacy reforms).
RCC Guidebook: How does the GDPR affect Canadian retailers? (RCC members only)
Europe’s General Data Protection Regulation (GDPR) is a privacy regulation that was launched in 2018. If your business has customers or even website visitors from Europe, then you may fall under the GDPR’s scope. The GDPR’s large fines (up to 20M Euro or 4% of a firm’s worldwide annual turnover, whichever is highest), global reach and influence on Canadian federal and provincial privacy reform make it relevant to Canadian retailers. RCC’s GDPR guidebook covers GDPR for Canadian retailers.
Guiding Principles on Privacy for Retailers in Canada (RCC members only)
Protecting your business and your customers’ personal information against the threats of cyber-breaches and criminal activities is paramount in today’s retail environment. The purpose of this paper is to clarify the guiding principles of the Personal Information and Protection of Electronic Documents Act (PIPEDA) (pre-reform) and the practical applications associated with those principles pertaining to loss prevention and fraud specifically.
Privacy Committee (RCC members only)
The Privacy Committee is comprised of retail professionals interested in and responsible for the areas of data governance and privacy. The purpose of the committee is to share best practices and information related to data governance and privacy and to help members stay ahead of the curve on issues that impact the industry.
Federal requirements on data breach record-keeping and reporting
As of November 1, 2018, retailers must notify the federal Office of the Privacy Commissioner (OPC) if they experience a data breach that creates a “real risk of significant harm” (RROSH) to the individuals whose personal information is affected. Retailers must also record how they assess whether or not a data breach is serious enough to meet the RROSH standard and require notification.
How American retailers use consumer data
Nearly two thirds of U.S. consumers say retailers, not the government or tech vendors, are responsible for data privacy, according to a 2019 Deloitte report. Most U.S. consumers think that retailers use their personal data for target marketing. In fact, the top three consumer data uses by U.S. retailers are to:
- Increase operational efficiencies
- Improve product selection
- Enhance in-store services or experiences.
Consumer journey steps in a data-driven, American retail store may now include mobile phone location data gathering, with AI assistants generating product recommendations and push notifications to personal devices while customers walk around brick-and-mortar stores.
De-identifying personal data in big datasets
Many companies including retailers analyze large volumes of data routinely (“big data”). De-identifying personal information in large datasets is often mentioned as a way to protect privacy. Also called anonymization, effective de-identification means rendering it impossible to identify an individual from the information a dataset contains about them.
However, in practice, rapidly evolving data analytics technologies make it challenging to have confidence that de-identifying any dataset can be permanently effective.
Canadian non-profit CANON is an international resource that covers the challenges posed by anonymization and lists domestic and international anonymization guidance.
How do AI and machine learning challenge traditional Canadian privacy frameworks?
Effective data governance reform is challenging in part because some of the technologies underlying the “data-driven” world handle personal information in paradigm-shifting new ways. In the case of AI and machine learning, this paradigm shift presents itself essentially for two reasons: (1) these programs can analyze much larger and more complex datasets, including unstructured data (e.g. audio, image, video and text; unstructured data comprises 80% of enterprise data), and (2) machine learning programs can teach themselves new insights and make decisions based on what they learn.
The ways these technologies can process an individual’s personal data challenge long-held privacy principles like transparency and purpose-based consent. They raise new possibilities and challenges for how data privacy frameworks can still implement those principles in ethical and economically viable ways.
As a result, legal and regulatory reform pertaining specifically to these technologies has been and continues to be under discussion in Canada and internationally. AI’s predictive capacities make it useful to retailers in many ways, e.g. to better manage inventory and supply chains.
Where can I learn more on public policy issues in Canadian data governance that affect the broader business community, not just retail?
The Business Council’s 2019 Data-Driven Issues Paper provides a thorough overview of the public policy issues facing Canadian data governance policy makers. It delves into privacy elements at issue in the PIPEDA reform and discusses other data governance areas that affect retailers, including cybersecurity, cross-border data flows and interoperability. Broadly, it puts public policy on data in context from a business standpoint.
Contact Kate Skipton, Senior Policy Analyst, at email@example.com for more information on:
- Privacy and Data Committee for RCC members
- Consultation Submissions