Back to Bills

Strong Privacy Law and Free Credit Freezes

Full Title:
Privacy and Credit Protection Act

Summary#

This bill creates new privacy rights in Nova Scotia and adds strong rules for how companies handle your personal data. It also lets you place a free “security freeze” on your credit file to help stop identity theft. It takes effect on January 1, 2026.

Key changes:

  • Makes it a legal wrong to invade someone’s privacy, even if they can’t show financial harm.
  • Lists actions that likely violate privacy without consent: surveillance or eavesdropping, recording calls or messages, using someone’s name, image, or voice (including AI-made imitations) for ads or gain, sharing private documents, and sharing intimate images (including AI‑generated “deepfakes”).
  • Treats many data breaches by businesses as privacy violations, especially for social insurance numbers and banking data.
  • Requires organizations to protect personal data, limit how long they keep it, and securely destroy it under rules set by government.
  • Gives consumers the right to place a free security freeze with credit bureaus; during a freeze, the bureau cannot share your credit or personal info unless you direct it.
  • Sets heavy fines for companies that break the data‑security or credit‑freeze rules (up to $30 million, or 4% of worldwide revenue, whichever is higher).
  • Other provincial privacy and health‑information laws still take priority if there is a conflict.

What it means for you#

  • Consumers

    • You can sue someone who invades your privacy. You do not need to prove you lost money to bring a case.
    • A court can order money damages, stop the behavior, make the offender give up profits, or return items taken.
    • You are protected against non‑consensual sharing of intimate images, including AI‑generated images made to look like you.
    • If a company’s data breach exposes your personal data that should have been kept private, you may have a privacy claim.
    • You can place a free security freeze on your credit file. During a freeze, lenders and others cannot access your credit or personal info from the bureau unless you say so.
    • A freeze can help stop new accounts opened in your name. But it may slow or block your own applications for credit, phone plans, or leases until you lift it.
    • Freezes are free to place and lift. Using a freeze cannot hurt your credit score.

  • Parents and youth

    • Stronger tools against sharing of intimate images and AI “deepfakes” of a minor or adult without consent.

  • Workers and job seekers

    • If your data held by a company is breached, you may have new options to seek relief, especially for sensitive data like banking info.

  • Small and medium businesses, nonprofits, and public bodies

    • You must protect personal data with security measures (physical, organizational, and tech) that will be set by regulation.
    • You must set and follow retention periods and securely destroy personal data when the period ends. Do not keep data longer than needed.
    • Using a person’s name, image, or voice (including AI-made likenesses) in ads or for advantage requires consent.
    • If you are a credit grantor, a customer’s freeze may prevent you from getting their credit report unless they direct the bureau to share it.

  • Journalists, artists, and publishers

    • Publishing on matters of public interest and fair comment remains protected. Data collected only for journalistic, artistic, or literary purposes is excluded from the “data breach” privacy claim.

  • Law enforcement and public officers

    • Actions done lawfully, proportionately, and without trespass during investigations are not privacy violations.

  • Everyone

    • Privacy claims end if the person whose privacy was violated dies; they do not continue after death.
    • The government will set detailed rules on security measures, retention periods, and how freezes work (deadlines, allowed disclosures, and identity checks).

Expenses#

No publicly available information.

Proponents' View#

  • Strengthens privacy rights by letting people sue even without financial loss, which helps victims of surveillance, doxxing, and intimate-image abuse.
  • Cracks down on AI “deepfakes” that use someone’s voice or image without consent, especially in ads.
  • Reduces identity theft and fraud by allowing free credit freezes and banning fees.
  • Pushes companies to improve data security and delete data they no longer need, which should lower breach risks.
  • Strong fines give large companies a real reason to comply, not just treat breaches as a cost of doing business.
  • Aligns local practices with modern privacy standards and consumer expectations.

Opponents' View#

  • Compliance could be costly and complex, especially for small and medium organizations that must build security programs and data‑retention systems.
  • The broad privacy tort and “reasonable in the circumstances” test may lead to more lawsuits and uncertainty about what is allowed.
  • Credit freezes could slow legitimate lending and services when consumers forget to lift a freeze, adding delays for mortgages, car loans, or phone contracts.
  • Heavy fines tied to worldwide revenue may deter investment or be seen as disproportionate for technical mistakes.
  • Overlap with existing privacy laws could create confusion about which rules apply and when, until regulations and guidance are clear.
  • Some worry the rules on using a person’s likeness or voice could chill creative or satirical works if consent rules are unclear, despite the public‑interest and journalism protections.