I can't recall at this moment whether the CPPA has a power in there for the commissioner to order the deletion of data for data that may have been gathered illegally or not properly consented to.
I can't remember if the commissioner has that power, but it is certainly something that is necessary in the modern world. It could be much more effective in changing business practices, rather than fining a large data platform, a social media platform, hundreds of millions of dollars. If the data is collected illegally, and if the data is used in a significant contravention of the act, requiring a company to delete that data has an enormous effect.
I think of a case that I had when I was the commissioner in the U.K. One government department had illegally collected the biometric data of claimants. They had to provide voice prints, which is biometric data and which is sensitive information under the GDPR. The order was that the government department had to delete all of that data and start over again. That was more significant. Among peer departments in the government, that lesson was learned really quickly. Rather than fine the government department for collecting data illegally, the data had to be destroyed.
You'll see that the U.S. Federal Trade Commission has acted in several cases around data deletion and data disgorgement. At the end of the day, companies want sustainable business practices. They want assurances that they're doing the right thing. That's the lens through which we should be looking in Canada at the powers of the Privacy Commissioner, for example.