Practical steps for businesses to comply with Bill C-27: Part 1

Canada Publication August 16, 2022

Bill C-27 was recently introduced in the House of Commons. It would enact three new statutes: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act (AIDA). The CPPA would replace the privacy provisions of the current Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-27 is the successor to Bill C-11, which died on the Order Paper when Parliament was dissolved in August 2021.

For more information on the AIDA, please see our recent update on the matter. 

In this update, we take a closer look at the key elements businesses should know about the proposed requirements under CPPA and provide practical tips for complying with these requirements.

While certain broad themes of PIPEDA are reproduced and clarified in the CPPA, many practices that the Office of the Privacy Commissioner of Canada (OPC) previously recommended as best practices have now been codified as legal requirements. Given the increased enforcement and sanction powers proposed by Bill C-27, businesses should carefully review and revise their privacy programs to comply with these new obligations.

Accountability

As under PIPEDA, businesses remain accountable for information under their control. What constitutes “control” has been clarified under the CPPA – a business will have control of personal information when it (1) decides whether or not to collect it, and (2) determines the purposes for the collection, use or disclosure. 

Consistent with this, the CPPA introduces the notion of a “service provider,” a third party that processes personal information on behalf of another business. It is important to note that, with limited exceptions such as the breach notification obligation discussed below, the CPPA obligations will not apply directly to service providers, but rather to the businesses that control the personal information.

Proposed next step for businesses: Identify and catalog the types of personal information the business collects, uses, discloses or stores, and for each, determine whether the business acts as the controlling organization or as a service provider.

Privacy management program

One of Bill C-27’s most significant changes is the obligation for businesses to implement and maintain a privacy management program. This program must include the policies, practices and procedures the business has put in place to comply with its statutory obligations, including those for protecting personal information, handling requests and complaints from individuals, and training employees. When developing their program, businesses will need to take into account the volume and sensitivity of the personal information under their control.

An addition introduced by the CPPA is the possibility for the Office of the Privacy Commissioner of Canada (OPC) to request access to a business’ privacy management program and provide guidance and corrective measures. This change appears to be aimed at providing the OPC with enhanced enforcement powers. 

Proposed next steps for businesses:

  • If your business does not currently have a privacy management program in place, consider developing and implementing one to align with proposed CPPA requirements. 
  • To the extent a privacy management program already exists, review and revise as needed to ensure alignment with CPPA requirements, including review of all relevant policies and processes. 

Use of service providers 

The CPPA requires a business to ensure that any service provider engaged to process personal information on its behalf provides a level of protection equivalent to that required of the business itself. The OPC has long recommended this practice as a means of complying with PIPEDA; under the CPPA it becomes an explicit statutory requirement.

Proposed next steps for businesses:

As a customer, 

  • Review existing service provider agreements to ensure equivalent protection is offered for any personal information processed by the service provider.
  • As needed, re-negotiate existing agreements so that service providers are contractually bound to provide equivalent protection.
  • Prepare a vendor due diligence program as part of the business’ onboarding process regarding third parties.
  • Prepare template clauses and technical specification sheets that can be used for future agreements.

As a service provider, 

  • Consider if your policies and practices align with applicable requirements. 
  • Revise template agreements to include data protection and compliance-with-laws clauses that align with CPPA requirements.

Retention periods 

The CPPA is very clear on retention periods – businesses can only keep personal information for as long as is required to fulfill the purposes for which it was collected, or to comply with statutory requirements. Furthermore, businesses must be able to justify why personal information should be retained for the proposed period of time. 

Businesses will be required to consider the sensitivity of personal information when determining its retention period. As soon as feasible after that period ends, the personal information must be disposed of, either by permanently and irreversibly deleting it or by anonymizing it. Anonymization must likewise be permanent and irreversible, such that no individual can be identified from the information, whether directly or indirectly.

Proposed next steps for businesses:

  • Review retention periods for categories of personal information collected and processed, taking into consideration the sensitive nature of the information.
  • Implement or review and revise data retention policies as needed.
  • Ensure destruction or anonymization mechanisms are permanent and irreversible.
  • Review contractual obligations of service providers so they are similarly required to destroy the personal information you control, or return it to you.

Security safeguards

As under PIPEDA, businesses must use appropriate physical, organizational and technological security safeguards to protect personal information under their control. The CPPA introduces a new requirement: a business’ safeguards must include reasonable measures to authenticate the identity of the individual to whom personal information relates. The Bill does not currently specify how that authentication must be performed. In practice, the strength of the authentication mechanism should be proportionate to the sensitivity of the information, so that the authentication step itself (for example, when responding to an access request) does not become a means for an unauthorized party to obtain personal information.

PIPEDA’s requirements on reporting to the OPC and notifying affected individuals of breaches of these security safeguards remain generally unchanged, and the real risk of significant harm test (RROSH test) still applies when considering whether notification obligations have been triggered. 

An important addition under the CPPA, however, is that service providers will be directly required to notify the controlling business, as soon as feasible, of any breach of their security safeguards affecting personal information processed on that business’ behalf.

Proposed next steps for businesses:

  • Review existing security safeguards: the main consideration should be the sensitivity of personal information, but also consider elements such as the quantity, format and storage method of personal information.
  • Ensure you have means of authenticating individuals or consider processes that may need to be implemented in order to comply with this requirement.
  • Review your existing breach response plan and related processes to make sure it complies with legal requirements.
  • As a customer, ensure contractual obligations are in place that require service providers to provide proper notifications. As a service provider, ensure policies and processes are in place to allow for such notifications.

Openness and transparency

Businesses must make information about the steps they have taken to comply with the CPPA readily available to the public. Most businesses can meet this requirement with a detailed privacy policy covering elements such as the types of personal information under their control and how it is used, whether any interprovincial or international data transfers occur, and applicable retention periods. This publicly available information must be written in “plain language,” that is, language a reasonable person can be expected to understand.

Proposed next steps for businesses:

  • Prepare a public-facing privacy policy, or review your current one to ensure all required elements are included. 
  • Make sure your policies are drafted using clear and plain language.
  • Update your website to ensure this information is easily accessible.


Partner, Canadian Co-Head of Information Governance, Privacy and Cybersecurity
Partner, Head of Technology, Co-Head of Information Governance, Privacy and Cybersecurity