The wave of new and updated U.S. state privacy laws is propelling the country towards stronger data protection standards as of January 2025. Evolving state laws are beginning to align with more seasoned privacy regulations of California and other jurisdictions worldwide, creating a unified and robust framework for data privacy.

As a non-profit, you will likely collect and have access to highly sensitive data, be it from members, supported individuals, minors, volunteers or donors – you are privy to quite a lot. You may be exempt from several onerous pieces of legislation however non-profit organizations are not automatically exempt from PIPEDA. The Office of the Privacy Commissioner of Canada (OPC) has said that “Whether an organization is a non-profit business for purposes of taxation is not determinative of whether its collection, use or disclosure of personal information is carried out in the course of commercial activity”. So is it a ”maybe?”. Over the years there have been several cases in Ontario trying to determine this question.

The article discusses the implications of someone filing a privacy complaint with the Office of the Privacy Commissioner of Canada (OPC) and the motivation of naming and shaming companies. It highlights that even if a complaint seems frivolous, it can lead to thorough investigations by the OPC, potentially uncovering compliance gaps within a company's privacy program. The article emphasizes the importance of proactive preparation for businesses, including maintaining updated policies, designating a Privacy Officer, and viewing every decision through the lens of potential regulatory scrutiny. It warns that regardless of the company's size or industry, a single complaint can have significant financial, operational, and reputational consequences, stressing the necessity for vigilance in addressing privacy concerns in the digital age.

The criteria for obtaining lawful consent was discussed in depth in our Law 25 Consent White Paper released late 2023. The CAI published its final consent guidelines (Guidelines 2023-1-Consent: Validity Criteria (“Consent Guidelines”)) providing us with a clearer picture and refined guidance on what is required for consent to be valid.

Can personal data be anonymized for one party while identifiable for another party? This has been a long-standing question and we finally have an answer. Processors who tokenize data should be aware of this new CJEU ruling to determine if they need to comply with the GDPR or any other privacy legislation.

When dealing with privacy and security, everyone jumps straight onto the compliance bandwagon. There are set laws, frameworks, regulations, standards and other checklists that allow you as a business to proudly state that you are compliant. But does ‘to-the-letter’ compliance match the public’s expectations?

Like Europe and the UK, Quebec’s Law 25 has moved closer to ensuring that customers control how, when, and where their personal information is processed. Consent ensures that your customer’s personal information is treated like the precious cargo it is – handled with care and not tossed into the sea of manipulation. Consent allows the customer to set boundaries and feel like they are driving.

With the groundbreaking US adequacy decision, Canadian businesses need to aware of how EU personal data transfers to the US will impact them. This is a summary detailing what the adequacy decision means for Canadian businesses.

Canada’s new federal privacy regime, CPPA, to effectively replace PIPEDA. How small and medium businesses can prepare for this overhaul.

Artificial Intelligence and Motor Vehicle Insurance Claims