What Canada can learn from the United States when it comes to taking on Data Brokers
Canada's new privacy bill fails to follow the lead of our biggest trading partner.
This article was written by Ali Aghaamoo, an OpenMedia summer student from the University of Ottawa’s Faculty of Law.
What’s happening?
On June 16, 2022, Canada’s federal government proposed new federal privacy legislation: the Digital Charter Implementation Act (Bill C-27). It’s a three-tiered piece of legislation aimed at private sector personal information protection practices and, if passed, it would repeal Part 1 of the Personal Information and Electronic Documents Act (PIPEDA) and replace it with the Consumer Privacy Protection Act (CPPA). The CPPA is the faithful successor to former privacy Bill C-11, which died on the order paper before last year’s federal election.
What’s not happening?
The federal government has attempted to tackle some of the controversial challenges that arose under PIPEDA, but there are still gaps between this bill’s provisions and the best practices in privacy law. The increasing number of privacy violations requires a golden privacy standard to ensure people in Canada can trust that their personal information is handled in ways consistent with their consent.
One area that needs more scrutiny is the activities of data brokers – those who profit from the exploitation of our personal information (for more information about what a data broker is, check out this blog post). It’s worth exploring the new federal bill’s approach to data brokers’ activities in comparison with the recent US approach at the federal and state levels to show what we’re missing in Canada.
What’s happening in the United States?
The CPPA would take the same approach as PIPEDA to regulate data brokers – which is to take no approach at all, as they’re not directly addressed or defined under Bill C-27. Instead, general rules regarding the collection, use, and disclosure of personal information would be applicable to data brokers with no new regulations or restrictions on this sector of the digital economy. Like PIPEDA, Bill C-27 also excludes some information, like publicly available information (section 51) and non-commercial activities (section 6), from certain legal protections, including the activities of data brokers. This means that for certain types of information, and for certain kinds of activities, no protections or regulations will exist at all for data brokers. (To read more about the current approach to data brokers in Canada, see The Evolution of Canada’s Data Broker Industry.)
Unlike in Canada, there is no comprehensive federal law in the United States that regulates privacy. However, last July a new federal privacy bill named the American Data Privacy and Protection Act (ADPPA) was passed by the House Energy and Commerce Committee in the US. This Bill would represent a significant step towards data protection and privacy. Unlike PIPEDA and Bill C-27, the ADPPA recognizes the data broker as a “Third-party Collecting Entity” that does not collect personal information directly from individuals, which is a helpful definition. The proposed US privacy law would also force data brokers who have a principal source of revenue in data collection to register with the Federal Trade Commission, and provide information like “[a] description of the categories of data the third-party collecting entity processes and transfers.” A searchable registry of data brokers would then be made publicly available on the Internet, giving people the ability to learn more about this shadowy industry.
At the state level, there are some laws to protect the personal data of US residents against data brokers’ activities. In 2018, the State of Vermont passed an Act relating to data brokers, which requires that data brokers register annually with the Secretary of State and disclose the information regarding their data collection activities, a purchaser credentialing process, the number of security breaches, and possession of sensitive information like personal information of minors. This Act also requires data brokers to have different security standards such as developing, implementing, and maintaining a comprehensive security program and designating one or more employees to maintain the program.
In 2019, a California law also took the same approach and requires data brokers to register with the Attorney General on its publicly accessible website, providing the opportunity for residents to opt-out from the data broker economy. The California Consumer Privacy Act also has comprehensive rules to protect against businesses who sell personal information, like data brokers.
What should Canada do about data brokers?
Leaving the situation unchanged, Bill C-27 fails to address the harms that come from the non-consensual trade and profit of our sensitive personal information. Looking at examples from the US, we can see some jurisdictions are tackling this issue, and arrive at a few good ideas that might help to improve digital privacy protections in Canada.
For example, to tackle concerns regarding the data brokers’ behaviour, Bill C-27 would be improved if it:
- Recognized and clearly defined data brokers;
- Required that data brokers register under a platform;
- Made data brokers’ information publicly available and searchable;
- Provided individuals with the ability to opt-out from data brokers and have their information deleted;
- Required that data brokers disclose the information such as their data collection activities and possession of sensitive information.
This won’t do everything to address the problem with data brokers, but it will give people in Canada some options to learn more about the secretive companies that profit from the trade of their data, and the ability to opt-out from this secretive economy.
If you’re sick and tired of having your personal data treated like a commodity that can be bought and sold, sign the petition to Stop the Harvest!
Image credit: chapay via Pixabay