Key Takeaways from the CMAprivacy Morning Event

It’s been an important year on the privacy front.

Here are some key learnings from our sold-out morning event, CMAprivacy.


Sabrina Anzini, VP Legal, goeasy Ltd.
Michael Edwards, Director, Sussex Adrenaline
Moderator: James Smith, Chief Privacy Officer, Environics Analytics

  • The Guidelines for obtaining meaningful consent, released by the OPC earlier this year, raise the bar for consent under the Personal Information and Electronic Documents Act (PIPEDA).
  • The Guidelines articulate more rigorous procedures for consent and require organizations to more explicitly highlight four key elements: what information is being collected; with whom it is being shared; for what purposes it is being collected, used or disclosed; and meaningful residual risk of significant harm.
  • The requirement to disclose significant potential risks of harm will impact open-ended information collection practices.
  • A meaningful risk is one that falls below the balance of probabilities but is more than a minimal or mere possibility.
  • Research has shown that between 20-30% of Canadians read privacy policies.

Read more on consent guidelines.


David Young, David Young Law
Bill Hearn, Foglers LLP
Moderator: Cheri Chevalier, Microsoft Canada

  • The General Data Protection Regulation (GDPR) is not that different from its predecessor, the Directive.
  • GDPR is similar to PIPEDA; amendments to PIPEDA in 2015 bring these two laws even closer.
  • GDPR is more prescriptive, but philosophically the same.
  • OPC guidance reflects legal requirements under GDPR.
  • The scope of the ePrivacy Regulation (ePR) is broader than GDPR: it will apply to any organization that gathers data, provides any online communication, utilizes tracking technology, or engages in electronic direct marketing using data from devices in the EU.
  • The ePR will try to simplify the rules for website cookies and streamline consent for allowing cookies. Consent won’t be needed for non-intrusive cookies aimed at improving user experience.

Read more about GDPR requirements and impact to Canadian organizations.


Suzanne Morin, Vice President, Associate General Counsel, Québec, Sun Life Financial
Deborah Evans, Associate Chief Privacy Officer, Rogers
Moderator: Amanda Maltby, General Manager, Compliance and Chief Privacy Officer, Canada Post

  • PIPEDA has stood the test of time because it is technologically-neutral and based on strong principles that support both privacy and innovation.
  • Any potential changes need to be balanced so that Canadian businesses can compete in the digital economy.
  • Prescriptive laws do not necessarily offer more protection to consumers.
  • The legal and prescriptive requirements of GDPR reduce innovation. 
  • Much of what privacy advocates point to as good in the GDPR has been a mainstay of PIPEDA and Canadian business practices for over 15 years.
  • An express consent model does a disservice to consumers. Opt-in consent should be used for unexpected, non-obvious uses or sensitive information.
  • While some modernization/tweaks may be needed to update PIPEDA, the framework is sound and does not require a major overhaul.
  • Marketers need to ensure digital outreach to consumers does not come across as ‘creepy’.
  • Organizations should be a trusted steward of customer data. Giving consumers transparency and choice are important in building and maintaining trust.
  • Transparency is not necessarily about more words. It is about the right words at the right time.

Read more about potential changes to PIPEDA.

By: Cristina Onosé, Director, Government Relations @ CMA.

Tell Us What You Think
  1. If you haven't left a comment here before, you may need to be approved by CMA before your comment will appear. Until then, it won't appear on the entry.
    Thanks for waiting. View CMA's Blogging Policy.