Consumer data privacy is now a business imperative for all brands, and a critical advocacy point for ACA. Canada has been a leader in consumer privacy legislation since 2000, when the government introduced the Personal Information Protection and Electronic Documents Act (PIPEDA). We are one of only 12 countries whose privacy regulations are deemed “adequate” under the EU’s General Data Protection Regulation (GDPR).
The Current Landscape
In recent years, high-profile data breaches have made consumers more aware of the data they share with companies. This, in concert with the General Data Protection Regulation (GDPR) and the California Privacy Act (CCPA), has spurred Canada’s federal and provincial regulators to revisit their existing privacy legislation and regulations or consider enacting new ones, raising the stakes for all brands.
While ACA staunchly believes in the privacy of the consumer and the opportunity for modernization of current privacy policies, care must be taken to ensure the measures do not stymie business.
Additionally, the marketing industry is faced with the end of third-party cookies and the ability to target consumers using unique identifiers, all under the aegis of privacy. Apple’s new user privacy regulations for iOS 14 and Google’s ending of third-party cookies in Chrome will significantly impact how advertisers target.
The ACA believes that every brand must have a robust data protection and privacy practice, as it has become a central part of consumer brand trust.
(April 27, 2020) – The consumer-data opportunity and the privacy imperative (McKinsey & Co.)
At Issue Now
Apple Does Away With IDFA
In April 2021 Apple implemented sweeping changes to iOS 14, including a feature dubbed App Tracking Transparency (ATT), which prompts users to opt into app tracking on an app-by-app basis. As predicted, opt-in rates have been extremely low, preventing apps from collecting data from a large portion of their users, and stymying advertisers’ ability to target advertising based on user demographics.
In June 2021, Apple announced that their next iOS update – version 15 – will also include changes meant to bolster consumer privacy. These changes include features that will mask email and internet addresses of Apple customers, making them less effective as a unique identifier for online tracking.
Following the release of the iOS 14 news, ACA drafted a letter to Apple together with the Canadian Media Directors Council (CMDC). The letter outlined concerns about the impact of the changes on the entire media ecosystem. The letter further appealed to Apple to listen to the concerns of all industry stakeholders to develop a solution that would protect consumer privacy while preserving a robust ad-supported digital marketplace.
The ACA has a keen eye on how these changes are affecting members’ targeting and personalization efforts within mobile advertising and email on Apple devices. Our staff are on hand to support members in their efforts to adapt to these changes.
Google Kills Third-Party Cookie
In January 2020, Google announced on its blog that it would do away with third-party cookies, with the aim of providing more privacy for consumers and building back consumer trust. In response, many industry stakeholders attempted to develop alternatives to third-party cookies. However, in March 2021, Google announced that they would not use any alternative user-level identifiers, stating: “If digital advertising doesn’t evolve to address the growing concerns people have about their privacy and how their personal identity is being used, we risk the future of the free and open web.”
Google will be using their Federated Learning of Cohorts (FLoC), shifting away from single user IDs to cohort IDs, effectively anonymizing data by targeting ads at large groups of people (instead of individuals) with similar interests. But some concerns have been raised due to its potential for fingerprinting, and Google is now considering using a topic-based approach instead.
In July 2021, Google announced that it would delay their plan to remove support for third-party cookies to the third quarter of 2023, stating: “…it’s become clear that more time is needed across the ecosystem to get this right.” Google shared a timeline for implementation on their blog.
ACA is monitoring the testing Google is doing on FLoC and will explore other proposed alternative solutions.
Bill C-11 (Federal)
In November 2020, the federal government announced its intention to update our federal data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in effect since 2001. Bill C-11, the Digital Charter Implementation Act, 2020, was an attempt to modernize Canada’s existing private sector privacy law.
The aim of this new modernized framework was – according to the government – to increase control and transparency when Canadians’ personal information is handled by companies, and would have included the strongest fines among G7 privacy laws.
With the call of the Federal election, Bill C-11 died on the order paper. However, Innovation, Science and Economic Development Canada (ISED) will bring forth a new bill.
The contents of a new bill will need to be considered by each organization carefully once it is brought forth. The ACA encourages its members to engage early on with in-house counsel, external counsel, compliance teams and/or privacy committees to understand the impact of proposed privacy legislation on organizational marketing practices. The ACA will reach out to ISED to advocate on behalf of marketers.
The ACA has formed a special task force composed of legal and privacy experts from across its member sectors. ACA members will be updated as developments unfold.
(January 12, 2021) – What Marketers Need to Know about Bill C-11, An Update to Canada’s Federal Privacy Law – ACA blog
Bill 64 (Quebec)
In June 2020, the Quebec government tabled Bill 64, An Act to modernize legislative provisions [regarding] the protection of personal information, which includes significant proposed amendments to an Act Respecting the Protection of Personal Information in the Private Sector (the Quebec Privacy Act). A number of the requirements proposed are similar to those within the European Union’s General Data Protection Regulation (GDPR). However, many are more rigorous, and are unique to the province of Quebec.
The ACA prepared a comprehensive submission* to the government on December 2, 2020, which raised key concerns, including:
- the redundancy and complexity of consent provisions
- the premature requirement for data portability
- punitive sanctions and excessive financial penalties.
*Read the full submission in the Resources section below.
Following the feedback submitted by ACA and other industry stakeholders, some adjustments were made to the Bill, including:
- clarity and simplification around consent
- the relaxation of some measures related to data portability
- a further clarification of the definition of personal information
The Bill received Royal Assent on September 22, 2021. The Act will enter into force in three stages, with provisions coming into force over a three-year period, beginning on September 22, 2022.
Members can read the October 1, 2021 Member Alert (listed in the Resources section below) for a list of actions they should take immediately in order to prepare.
Ontario does not currently have a general privacy law that applies to private-sector businesses and organizations. In August 2020, the Government of Ontario launched a consultation to consider improvements to its privacy laws.
In October 2020, ACA submitted a comprehensive paper addressing key areas of reform, including:
- Support for increased transparency and clear consent, with concern for opt-in consent requirements for secondary uses of personal information.
- Recommendation that Ontario’s privacy law forego the inclusion of data erasure and portability due to additional privacy risks that would be introduced as a consequence.
- Support for proportionate penalties for non-compliance that avoid a one-size-fits-all approach, and a strengthening of supports for small businesses in particular.
- Support for the application of the law to both commercial businesses and not-for-profit organizations.
- Support for improved clarity to the concept of de-identification.
- Support for enabling data sharing while protecting privacy, with the proviso that prescriptive rules for specific sharing models, such as data trusts, could risk stifling innovation.
Personal Information Protection Act (British Columbia)
The B.C. Government formed a special committee in June 2020 to review its Personal Information Protection Act (PIPA). In a Briefing Note, the Office of the Information and Privacy Commissioner for British Columbia (OIPC) confirmed that it would like to see PIPA more closely aligned with other Canadian and international privacy legislation, including the General Data Protection Regulation (GDPR) in the European Union.
ACA is keeping a close eye on developments regarding PIPA and will intervene if necessary.