There are a number that are actually quite substantive. PIPEDA is very principles-based. Organizations have been able to scale what they do according to the circumstance.
The CPPA takes inspiration from the GDPR and the law in Quebec, and some of the key concepts are very prescriptive. Some of those can be very.... It can take a lot to implement. For example, relating to the automated decision system, this is a provision that goes beyond what the GDPR and Quebec do. Both Quebec and GDPR only focus on scenarios that are exclusively automated, and the organization would need to tell the individual when a decision is solely automated.
Under the CPPA, organizations will have to consider all of the automated systems, which could be AI systems or even an Excel spreadsheet that is automated, and have an understanding of whether they assist in the decision-making or in making a prediction or a recommendation. There's a lot.... The organization would need to take a look at almost everything they do and be prepared to provide explanations to individuals. With respect to training and understanding all of these processes, it can be quite cumbersome.
That's one element.