Similarities and Differences

· GDPR etc,CPPA,privacy,fines,Canada

There is a great deal of fear mongering going on about Canada’s Bill C11 (ConsumerPrivacy Protection Act [CPPA] & the Personal Information andData Protection Tribunal Act [PIDPTA], we will simply refer to them as CPPA for the sake of this article) and how much damage it could potentially do. It is heavily based on GDPR (the EU privacy directive) that has been in place since 2018. Ironically, the doom and gloom ideas were also put forward at the time about that document. We have decided to look at what makes them similar and what makes them different.

In Canada, PIPEDA is the regulation that handles privacy. It is based heavily on the original EU privacy laws going back to 1995. These were updated and changed dramatically to take advantage of the new internet landscape to become GDPR. Canada made some minor changes to PIPEDA to follow GDPR more closely. It has since become clear it was an interim step until CPPA. It is a tremendous step forward for privacy in Canada, and it has many American, and some Canadian, organisations worried. It should, since under GDPR many American based organisations were fined, in some cases quite heavily. We will get to the penalties later. For now, let’s look at the two documents.

We will list the CPPA and simply check where they intersect or diverge with GDPR. Under the CPPA, the federal privacy commissioner has the power to investigate, and prosecute, if necessary, any organisation that violates the framework imposed by the CPPA, much like GDPR. The penalties are like those under GDPR (discussed later in this article).

Who is Impacted?

*If it is in both GC will appear, if it is in CPPA a C, GDPR a G 

  • Any organisation that collects user data (Data Collector [DC]) must obtain the users (Data Provider [DP]) full consent, in how the data is collected, used or disclosed. (GC)
  • Anindividual would have the right to request access to their personal data that is held by any organisation. (GC)
  • Thedata must be deleted by the organisation, if requested to do so by the provider. (GC)
  • An employer should inform an individual upon request that is holds personal data about them, whether they have used it, and if so, how it has been used. The organisation should also inform the individual if the data has been disclosed. Exceptions apply. (C)

The CPPA is a replacement of the older PIPEDA, and, as noted above, follows closely the rules of GDPR. The one critical aspect of this is that it takes user privacy more seriously, and breaches of that privacy, will be severely penalised.

  • The collection, use and disclosure of personal data requires overt consent. (GC)
  • Consent cannot be “implied” it needs to be explicit. (GC) 
  • The purpose and use of the data must be explained in clear terms. (GC) 
  • There are exemptions from consent under very specific circumstances (GC) 


There are increased transparency requirements imposed regarding the use of algorithms and AI systems, requiring organisations to justify why a specific prediction, recommendation or decision was made by an algorithm. Based on the collection of the data providers personal data. (C ) 

Personal Information and (De)Identifiers

It also includes much clearer guidelines on what makes up data identifiers and what can be done with regards to use or non-use regarding sensitive personal data. (GC) 

Global Application

The CPPA, like the GDPR, clearly makes it the responsibility of the data consumer/organisation to ensure that data is used and stored properly. This includes data that is transferred to another organisation (regardless of the relationship between the organisations). This means that transferring data
interprovincially or internationally have the same implications. (GC) 



  • Minimum: CAD 10 M or 3% of global revenue, whichever is greater.
  • Maximum: CAD 25 M or 5% of global revenue, whichever is greater.


  • Minimum: € 10 M or 2% of global revenue, whichever is greater.
  • Maximum: € 20 M or 4% of global revenue, whichever is greater.

Other Information 

A consumer that has been affected by the violation of CPPA has the right to sue
for damages with a private right of action. A two-year limit would apply, and
proof must be clear on exactly how the organisation violated the CPPA. The
exception is if the organisation was already fined by the CPPA.

Reporting of Breaches 

Under GDPR an organisation must report a detected breach within 72 hours, or face
penalties. From what we can find there is no such specific requirement under CPPA.

Our View 

The two legislations are very similar and provide a great deal more protection for the
consumer. They also make it clear that organisations are not owners of a consumer’s
personal data. They are only custodians of it, with the express consent of the consumer,
which can be revoked at any time.


All Posts

Almost done…

We just sent you an email. Please click the link in the email to confirm your subscription!