Trucking companies that deliver directly to consumers receive personal information (e.g. names, addresses, and telephone numbers) on a regular basis. And companies with private fleets collect such details to facilitate store-to-home deliveries or e-commerce shipments. Carriers may even collect and use personal information to create efficiencies and monitor operations — identifying trends and issues by collecting data from technologies including dashcams and electronic logging devices (ELDs).
It all needs to be protected.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is one of the key Canadian statutes that governs carriers which operate beyond a single province or territory, including those crossing into the United States. But the Act also governs the carriers operating exclusively in a province that has not enacted its own privacy legislation.
Changes are being proposed to this privacy regime through Bill C-11, the Consumer Privacy Protection Act (CPPA), introduced on Nov. 17, 2020. Its goal is to modernize federal privacy law. Generally, the CPPA intends to adopt many principles already included in PIPEDA or guidelines, while providing more robust protection. The CPPA follows recent changes to privacy law in Quebec, and consultations related to changes in Ontario and B.C.
Here are some of the key things trucking companies subject to federal privacy laws need to know about CPPA, keeping in mind that some of these obligations already exist under PIPEDA:
1 — The organization that collects the personal information, or has someone collect the information on its behalf, “controls” that personal information and is ultimately responsible for the collection, use and disclosure. However, motor carriers who receive personal information as service providers may have contractually agreed to comply with applicable laws and should still ensure they follow the legislation.
2 — The company must have a privacy management program that includes details about how personal information will be protected, how requests for information and complaints will be dealt with, how the organization will meet other obligations under the legislation, and what training and information will be provided to staff. Materials to implement the program must also be created.
3 — The privacy management program will need to consider the sensitivity of the personal information that the company has under its control.
5 — Generally, companies need express or implied consent from the applicable individual to collect, use and disclose personal information, but the CPPA has added a number of exceptions allowing the collection and use of personal information without consent. Some of these exceptions include:
- Situations where the individual would reasonably expect it for the business activity, as long as it is not used to influence the individual’s decisions. A “business activity” includes, among other things: (i) an activity necessary to provide or deliver a product or service that the individual has requested from the organization, and (ii) an activity where obtaining consent would be impracticable because the organization doesn’t have a direct relationship with the individual. Both of these exceptions would likely capture store-to-home or e-commerce deliveries.
- Transfers of personal information to a service provider. This could also potentially cover the above-noted situations.
6 — Organizations are already required to identify and document the purposes for which personal information is collected, used or disclosed, but now they will also need to record those purposes at or before the time of collection. If the company decides to use the information for a new purpose (and has consent where required), that new purpose must also be recorded prior to using or disclosing the information.
8 — The company needs to disclose how it uses automated systems to make predictions, recommendations or decisions about individuals, when such conclusions could have a significant impact on the individuals.
9 — The CPPA will create a new private right of action, allowing an individual a basis to start a lawsuit if they feel an organization has breached its privacy obligations.
10 — There will be increased fines and administrative monetary penalties for violations. Carriers in their capacity as service providers could be indirectly responsible for such fines and penalties imposed on customers if they have contractually agreed to indemnify their customers for acts and omissions related to privacy matters.
The CPPA is not yet in force and could still be subject to changes. However, companies can start reviewing existing practices to identify any discrepancies in things like the way they collect, receive or protect personal information; the content of privacy policies and management systems; and contractual obligations relating to how they handle personal information.
Have your say
We won't publish or share your data