How does California’s tough new data privacy law affect Canadian businesses?

Recent press around the California Consumer Privacy Act of 2018, passed last week, may have Canadian business leaders wondering how they’re going to comply with another foreign privacy law, but a leading expert says they have little to worry about.

In fact, former Ontario Privacy Commissioner, Privacy By Design architect, and Ryerson University Privacy by Design Centre of Excellence leader Ann Cavoukian says that the updates to Canada’s privacy laws proposed by the Standing Committee on Access to Information, Privacy and Ethics are likely to leave Canada’s privacy laws stronger than California’s.

Ann Cavoukian

“I think we have very strong legislation to begin with,” Cavoukian tells, noting that Canada’s existing Personal Information Protection and Electronic Documents Act (PIPEDA) already requires organizations to identify when they’re collecting user information, and why, and even obtain consent – though as experts such as University of Ottawa law professor Michael Geist have noted, many companies interpret its standards loosely.

In February, the Standing Committee recommended that the federal government take a page from the European Union’s recently-enacted General Data Protection Regulation (GDPR), and adopt Cavoukian’s seven Privacy By Design principles in developing a much-needed update of Canada’s privacy laws.

Those principles include adopting privacy as the default setting by requiring users to explicitly opt in if they want their data shared.

“We know that [federal privacy commissioner] Daniel Therrien is trying to get PIPEDA upgraded,” Cavoukian says. “It’s dated. By adding privacy by design to it, we’ll achieve essential equivalence with the GDPR.”

By contrast, the California act’s principles are similar to PIPEDA: it requires companies that store personal information, such as Google and Facebook, to disclose the type of data they collect and allow users to opt out of having their data sold.

In other words, Cavoukian says, it allows companies to continue collecting user data by default.

“I don’t want to sound negative because I think it’s great that California passed this law, and so quickly,” she says. “It’s better than nothing but it is arguably weaker than GDPR. GDPR is predicated on a positive consent model, California’s is opt out – and Canada is looking to strengthen our law to achieve essential equivalence with the GDPR.”

Cavoukian emphasizes that she is glad California’s legislation is “waking up” companies across the U.S. to the risks of unchecked data gathering.

“The U.S. has many sector specific privacy laws, but California’s is quite broad, and my understanding is it’s alarming many businesses because they will have to take a lot of measures,” she says. “If someone says they don’t want their information sold, the companies have to ensure that customer’s information is not being sold to data brokers and advertising companies. And that’s a real positive.”

It’s also where Canadian companies should already be as our federal government strengthens its own laws.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Eric Emin Wood
Eric Emin Wood
Former editor of turned consultant with public relations firm Porter Novelli. When not writing for the tech industry enjoys photography, movies, travelling, the Oxford comma, and will talk your ear off about animation if you give him an opening.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs