10 things to know about privacy law proposals

Trucking companies that deliver directly to consumers receive personal information (e.g. names, addresses, and telephone numbers) on a regular basis. And companies with private fleets collect such details to facilitate store-to-home deliveries or e-commerce shipments. Carriers may even collect and use personal information to create efficiencies and monitor operations — identifying trends and issues by collecting data from technologies including dashcams and electronic logging devices (ELDs).

It all needs to be protected.

Dash cams. (File photo: Lytx)

The Personal Information Protection and Electronic Documents Act (PIPEDA) is one of the key Canadian statutes governing carriers that operate beyond a single province or territory, including those crossing into the United States. But the Act also governs carriers operating exclusively in a province that has not enacted its own privacy legislation.

Changes are being proposed to this privacy regime through Bill C-11, the Consumer Privacy Protection Act (CPPA), introduced on Nov. 17, 2020. Its goal is to modernize federal privacy law. Generally, the CPPA intends to adopt many principles already included in PIPEDA or guidelines, while providing more robust protection. The CPPA follows recent changes to privacy law in Quebec, and consultations related to changes in Ontario and B.C.

Here are some of the key things trucking companies subject to federal privacy laws need to know about CPPA, keeping in mind that some of these obligations already exist under PIPEDA:

1 — The organization that collects the personal information, or has someone collect the information on its behalf, “controls” that personal information and is ultimately responsible for the collection, use and disclosure. However, motor carriers who receive personal information as service providers may have contractually agreed to comply with applicable laws and should still ensure they follow the legislation.

2 — The company must have a privacy management program that includes details about how personal information will be protected, how requests for information and complaints will be dealt with, how the organization will meet other obligations under the legislation, and what training and information will be provided to staff. Materials to implement the program must also be created.

3 — The privacy management program will need to consider the sensitivity of the personal information that the company has under its control.

4 — The carrier will need a written privacy policy that is publicly available, easily accessible, and in language that the average individual can understand. The policy needs to explain the type of personal information under its control and how that personal information is utilized, including how the various consent exceptions are applied. It should also have details about how inquiries and complaints are managed.

5 — Generally, companies need express or implied consent from the applicable individual to collect, use and disclose personal information, but the CPPA has added a number of exceptions allowing the collection and use of personal information without consent. Some of these exceptions include:

  • Situations where the individual would reasonably expect it for the business activity, as long as it is not used to influence the individual’s decisions. A “business activity” includes, among other things: (i) an activity necessary to provide or deliver a product or service that the individual has requested from the organization, and (ii) an activity where obtaining consent would be impracticable because the organization doesn’t have a direct relationship with the individual. Both of these exceptions would likely capture store-to-home or e-commerce deliveries.
  • Transfers of personal information to a service provider. This could also potentially cover the above-noted situations.

6 — Organizations are already required to identify and document the purposes for which personal information is collected, used or disclosed, but now they will also need to record those purposes at or before the time of collection. If the company decides to use the information for a new purpose (and has consent where required), that new purpose must also be recorded prior to using or disclosing the information.

7 — The company must designate at least one individual to be responsible for the organization’s compliance with its privacy obligations, and should include that person’s contact information in its privacy policy.

8 — The company needs to disclose how it uses automated systems to make predictions, recommendations or decisions about individuals, when such conclusions could have a significant impact on the individuals.

9 — The CPPA will create a new private right of action, allowing an individual a basis to start a lawsuit if they feel an organization has breached its privacy obligations.

10 — There will be increased fines and administrative monetary penalties for violations. Carriers in their capacity as service providers could be indirectly responsible for such fines and penalties imposed on customers if they have contractually agreed to indemnify their customers for acts and omissions related to privacy matters.

The CPPA is not yet in force and could still be subject to changes. However, companies can start reviewing existing practices to identify any discrepancies in things like the way they collect, receive or protect personal information; the content of privacy policies and management systems; and contractual obligations relating to how they handle personal information.




Jaclyne Reive is a lawyer in Miller Thomson’s Transportation & Logistics Group. She can be reached at jreive@millerthomson.com. This article is provided for information purposes only and does not constitute a solicitor-client relationship or legal advice.
