Consumer data privacy is now a business imperative for all brands, and a critical advocacy point for ACA. Canada has been a leader in consumer privacy legislation since 2000, when the government introduced the Personal Information Protection and Electronic Documents Act (PIPEDA). We are one of only 12 countries whose privacy regulations are deemed “adequate” under the EU’s General Data Protection Regulation (GDPR).

The Current Landscape

In recent years high-profile data breaches have caused consumers to become more aware of the data they share with companies. This, in concert with the General Data Protection Regulation (GDPR) and the California Privacy Act (CCPA), has fueled Canada’s federal and provincial regulators to revisit their existing privacy legislation and regulations or consider enacting new ones, raising the stakes for all brands.

While ACA staunchly believes in the privacy of the consumer and the opportunity for modernization of current privacy policies, care must be taken to ensure the measures do not stymie business.

Additionally, the marketing industry is faced with the end of third-party cookies and the ability to target consumers using unique identifiers, all under the aegis of privacy. Apple’s new user privacy regulations for iOS 14 and Google’s ending of third-party cookies in Chrome will significantly impact how advertisers target.

The ACA believes that every brand must have a robust data protection and privacy practice, as it has become a central part of consumer brand trust.

Related Resources

(April 27, 2020) – The consumer-data opportunity and the privacy imperative (McKinsey & Co.)

At Issue Now

Apple Does Away With IDFA

In January 2021 Apple confirmed that it would implement sweeping changes to iOS 14, including a feature dubbed App Tracking Transparency (ATT), which prompts users to opt into app tracking on an app-by-app basis. Industry experts predict that over 60 percent of users will opt out of tracking, which significantly impacts the amount of consumer data available for ad targeting and measurement.

ACA Action

Following the release of this news, ACA drafted a letter to Apple together with the Canadian Media Directors Council (CMDC). The letter outlined concerns about the impact of the changes on the entire media ecosystem. The letter further appealed to Apple to listen to the concerns of all industry stakeholders to develop a solution that would protect consumer privacy while preserving a robust ad-supported digital marketplace.

Apple rolled out changes to its iOS operating system in April 2021. The ACA has a keen eye on how this is affecting members’ targeting and personalization efforts within mobile advertising on Apple devices. Our staff are on hand to support members in their efforts to adapt to these changes.

members onlyThis icon means you must be an ACA member to view this content.

Related Resources


Google Kills Third-Party Cookie

In January 2020 Google announced on its blog that it would do away with third-party cookies with the aim of providing more privacy for consumers and to build back consumer trust. In response, many industry stakeholders attempted to develop alternatives to the third-party cookies. However in March 2021, Google announced that they would not use any alternative user-level identifiers, stating: “If digital advertising doesn’t evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”

Google will be using their Federated Learning of Cohorts (FLoC), shifting away from single user IDs to cohort IDs, effectively anonymizing data by targeting ads at large groups of people (instead of individuals) with similar interests. But some industry stakeholders have raised concerns over the move, stating antitrust issues.

ACA Action

ACA will monitor the testing Google is doing on FLoC, and will explore other proposed alternative solutions.


Bill C-11 (Federal)

In November 2020, the federal government announced its intention to update our federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2000. Bill C-11, the Digital Charter Implementation Act, 2020, will create the Consumer Privacy Protection Act (CPPA), which will modernize Canada’s existing private sector privacy law, and will also create the new Personal Information and Data Protection Tribunal Act, which will establish the Personal Information and Data Tribunal. The Tribunal will be able to impose administrative monetary penalties for privacy violations.

The new modernized framework will – according to the government – increase control and transparency when Canadians’ personal information is handled by companies, and will have the strongest fines among G7 privacy laws.

The contents of Bill C-11 will need to be considered by each organization carefully. The ACA encourages its members to engage early on with in-house counsel, external counsel, compliance teams and/or privacy committees to understand the impact of Bill C-11 on organizational marketing practices.

Although Bill C-11 has not yet been considered by Parliamentary committee, the ACA has formed a special task force composed of legal and privacy experts from across its member sectors. ACA members will be updated as developments unfold.

Related Resources

(January 12, 2021) – What Marketers Need to Know about Bill C-11, An Update to Canada’s Federal Privacy Law – ACA blog


Bill 64 (Quebec)

In June 2020, the Quebec government tabled Bill 64, An Act to “modernize legislative provisions as regards the protection of personal information,” which includes significant proposed amendments to an Act Respecting the Protection of Personal Information in the Private Sector (the Quebec Privacy Act). A number of the requirements proposed are similar to those within the European Union’s General Data Protection Regulation (GDPR). However, many are more rigorous, and are unique to the province of Quebec.

If passed the way it is currently written, the Bill would produce significant costs to comply and significant penalties for non-compliance. This could force many companies to withdraw their products or services from the Quebec market.

ACA Actions

The ACA prepared a comprehensive submission to the government on December 2, 2020, which raised key concerns, including:

  • excessive monetary penalties
  • the lack of clarity around consent provisions
  • the premature requirement for data portability

members onlyThis icon means you must be an ACA member to view this content.

Related Resources


Ontario Privacy Law

Ontario does not currently have a general privacy law that applies to private-sector businesses and organizations. In August 2020, the Government of Ontario launched a consultation to consider improvements to its privacy laws.

ACA Action

In October 2020, ACA submitted a comprehensive paper addressing key areas of reform, including:

  • Support for increased transparency and clear consent, with concern for opt-in consent requirements for secondary uses of personal information.
  • Recommendation that Ontario’s privacy law forego the inclusion of data erasure and portability due to additional privacy risks that would be introduced as a consequence.
  • Support for proportionate penalties for non-compliance that avoids a one-size-fits-all approach and a strengthening of supports for small businesses, in particular.
  • Support for the application of the law to both commercial businesses and not-for-profit organizations.
    Support for improved clarity to the concept of de-identification.
  • Support for improved clarity to the concept of de-identification.
  • Support for enabling data sharing while protecting privacy, with the proviso that prescriptive rules for specific sharing models, such as data trusts, could risk stifling innovation.

Related Resources


Personal Information Protection Act (British Columbia)

The B.C. Government formed a special committee in June 2020 to review its Personal Information Protection Act (PIPA). In a Briefing Note, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) confirmed that it would like to see PIPA more closely aligned with other Canadian and international privacy legislation, including the General Data Protection Regulation (GDPR) in the European Union.

ACA Action

ACA is keeping a close eye on developments regarding PIPA and will intervene if necessary.