By Paul McCormack, VP of Privacy Law Innovation at Privitar

Canada is currently in the process of overhauling its existing Federal data privacy law (the Personal Information Protection and Electronic Documents Act, or as PIPEDA) which has been effective and in force since April 2000.  

Bill C-27 has been proposed, combining three new laws in one: 1) the Consumer Privacy Protection Act (CPPA); 2) the Personal Information and Data Protection Tribunal Act;  and 3) the Artificial Intelligence and Data Act.  The CPPA is set to repeal and evolve PIPEDA by introducing updated provisions to govern the protection of personal information of individuals while taking into account the need of organizations to collect, use or disclose personal information in the course of commercial activities. 

Bill C-27 was introduced on June 16, 2022 when it had its first reading in the House of Commons.  As at the time of writing, Bill C-27 has to complete the approval process of the House of Commons (currently in its second reading) and thereafter, approval of the House of Senate.  

Within this post, we explore consent for using personal information and how de-identification can assist companies in leveraging their information.  

How does the CPPA deal with lawful collection of personal information?

The CPPA requires that organizations obtain valid consent from an individual to collect and use their personal information.1 There are some exceptions to this. These exceptions include (but are not limited to) where the collection and/or use is in the legitimate interests of the organization2, it is to a service provider3 or the personal information has been de-identified4.  

What is valid consent under CPPA?

Valid consent is required for the collection, use or disclosure of personal information5.  For consent to be valid under CPPA, the individual must have expressly provided consent either at or before collection of the personal information6 and a privacy notice must be provided, setting out the purposes for collection / uses, manner of collection / use, any reasonably foreseeable consequences of the collection / use, type of personal information and so on, all in plain language7.

What is de-identification under CPPA? 

When an organization takes measures to ensure that an individual cannot be directly identified from the information (even though a risk of re-identification remains) this is deemed to be de-identified. De-identification methods / techniques taken should be based upon the sensitivity of the personal information.  

Where an organization takes measures to de-identify information from the original person it relates to, this is deemed to be “de-identified.”  

How does de-identification support consent under CPPA? 

De-identified personal information is not considered personal information for the purpose of certain sections of the CPPA.  This means that where de-identification has taken place, certain aspects of the CPPA (including consent and notice to the individual) are no longer required.  

There are some limitations to what the organization can and cannot use this de-identified information for.  Permitted uses of de-identified personal information include9

  • internal research 
  • analysis and development 
  • prospective deals (e.g. mergers and acquisitions) 
  • socially beneficial purposes  

The process of de-identification of personal information does not require the consent or notice of the individual.10   

How else does de-identification play a key role in CPPA?  

By de-identifying personal information, this can help to implement security safeguards as required by s.57 CPPA to protect personal information. The sensitivity of the personal information should be considered when determining the level of de-identification / technique to deploy.  

How can Privitar help?

Privitar can help you de-identify personal information in line with the CPPA. The Privitar Modern Data Provisioning Platform enables organizations to maximize their use of data, effectively and responsibly, within their organizations and beyond. It takes a privacy-centric approach, embedding privacy and security in data movement flows and real-time access controls to accelerate data access. Controls are managed in policies to protect data based on context and enable responsible use without compromising on utility, risk, compliance, or customer trust. Privitar’s comprehensive set of privacy-enhancing computation (PEC) techniques— including dynamic and static data masking, tokenization, and generalization— transforms sensitive data into safe data. PEC techniques can be used in any combination to tune data resolution for each analysis, enabling  users to tailor protections to maximize the business value of data and minimize the risk of exposing identifiable attributes.

How can I find out more information about Bill C-27?

Want to learn more about upcoming legislation in North America? 
Register for our panel “2023 & Beyond: What’s next in Data Privacy Legislation?” on September 27th with Kate Lucente, DLA Piper, Justin Yedor, BakerHostleter and Paul McCormack, Privitar. 


Privitar does not provide or offer formal legal or other advice.  You should not rely on any of its content or this blog as formal legal advice.  Privitar should be viewed as providing practical advice based upon data compliance requirements around the world.  You should consult your legal advisor for formal legal advice and Privitar does not accept any liability to any person who does rely on the content of this as formal legal advice.  Any inclusion of links to third parties / websites of third parties does not constitute or otherwise indicate any association with, endorsement of or other affiliation with such party or the information provided.  These links are included as information which we have identified and consider these to be good sources of information for the purpose of internal diligence and analysis.  

1 s.15(1) CPPA
2 s.18 CPPA
3 s.19 CPPA
4 s.21 CPPA
5 s.15(1) CPPA
6 s.15(4) CPPA
7 s.15(3) CPPA
8 s.2 CPPA
9 s.21, s.22 and s.39 CPPA
10 s.20 CPPA