Applies to what:
PIPEDA (Canada): “Personal information”: Information about an identifiable individual (other than business contact information of an individual that an organization collects, uses or discloses solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession).
CCPA (California): “Personal information”: Information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. Includes a broad definition drawing in a list of data categories related to the consumer and their household. Excludes information that is in publicly available government records, aggregated or de-identified data and personal information covered by sector-specific legislation (e.g. health data).

Consent:
PIPEDA (Canada): Organizations are required to obtain meaningful consent, meaning individuals are provided with clear information explaining what organizations are doing with their information. Consent may be express or implied, depending on the circumstances and the type of information, and can only be required for the specified business purpose. Consent may be withdrawn, subject to legal/contractual restrictions and reasonable notice. Exceptions apply, including compliance with legal obligations. No minimum age of consent stated, but typically valid from age 13 according to OPC (Office of the Privacy Commissioner of Canada) guidelines.
CCPA (California): May be implied (in principle no express consent required). May be withdrawn at any time in a way that is clear, conspicuous and accessible. Minimum age of consent is 16 years.

Security and safeguarding responsibilities:
PIPEDA (Canada): Appropriate to the sensitivity of the information, an organization must adopt security safeguards to protect the personal information in its custody and control.
CCPA (California): Although specific safeguards aren’t explicitly included, organizations must implement reasonable security measures appropriate to the nature of the information.

Accountability and policies:
PIPEDA (Canada): Organizations must implement applicable policies and practices to give effect to PIPEDA, including: a) designating one or more individuals who are accountable for the organization’s privacy compliance, b) implementing procedures to protect personal information, c) establishing procedures to receive and respond to complaints and inquiries, d) training staff and communicating to staff information about the organization’s policies and practices and e) developing information to explain the organization’s policies and procedures.
CCPA (California): No obligation to appoint a designated officer.

Rights of individuals:
PIPEDA (Canada): PIPEDA includes the following rights for individuals: a) the right to access personal information under the custody or control of an organization, b) the right to have one’s personal information be accurate, complete and up-to-date, c) the right to have one’s personal information be amended when an individual successfully demonstrates the inaccuracy or incompleteness of personal information and d) the right to withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. No right to be forgotten (no search engine de-indexing). No right to data portability.
CCPA (California): CCPA includes the following rights for individuals: a) the right to request information, b) the right of portability, c) the right of deletion, d) the right to opt out and obligations to inform and e) the private right of action.

Mandatory data breach notifications:
PIPEDA (Canada): An organization must: a) report to the OPC any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual and b) notify the affected individuals.
CCPA (California): While the CCPA does not include a data breach notification requirement, California has a separate, pre-existing data breach notification law: the California Security Breach Information Act.

Retention of information:
PIPEDA (Canada): For such a time as is necessary for the purposes identified, or to allow the individual to exhaust any appropriate legal recourse.
CCPA (California): For such a time as is necessary to allow the individual concerned to exercise their rights of access to information, but for a period not exceeding 12 months.
Principal resource: Karl Delwaide, Antoine Aylwin and Antoine Guilman, “Comparative Table of Personal Information Protection Laws”, Fasken, May 2019.