PIPEDA Explained: The Impact of Canada's Privacy Law

Canada is one of the countries lucky enough to have a federal privacy law that covers private sector organizations. This gives its residents greater rights when it comes to data privacy, as well as placing new requirements on relevant organizations.

In this guide, we’ll take you through the basics of PIPEDA. We’ll cover what it means, who needs to comply with it, and what your responsibilities are if it applies to your business. We’ll also share a user-friendly tool to help you stay compliant with PIPEDA and other privacy laws.

We intend for this resource to be your all-inclusive guide to PIPEDA. That's why we've included the following chapters for you to understand the law from start to finish.

Chapter 1: Explaining PIPEDA's Privacy Impact Assessments

Chapter 2: Everything You Need To Know About PIPEDA Compliance

Chapter 3: Penalties for PIPEDA Non-Compliance & Enforcement Mechanisms

Chapter 4: PIPEDA International Data Transfers & How They Work

Chapter 5: PIPEDA vs GDPR and Other Data Privacy Laws  

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal law that governs how private sector companies interact with Canadians’ personal data. Think of PIPEDA as Canada’s equivalent to the EU’s well-known General Data Protection Regulation (GDPR).

Since coming into law in 2000, this privacy legislation has given users new rights and controls over their personal information, and placed new responsibilities on organizations required to comply. PIPEDA requires private sector companies to take more care over how they handle personal information, and adhere to ten key principles. These principles cover how personal data is collected, used, and disclosed to others.

When Was PIPEDA Introduced?

The Personal Information Protection and Electronic Documents Act was first introduced to Canadian Parliament on April 13, 2000. Its mission was to promote consumer trust in eCommerce as well as provide confidence to the European Union that Canada could protect the data of European citizens. It was extended to organizations in Canada in January 2004.

Today, PIPEDA directs how organizations can collect, use, and disclose personal information over the course of a commercial transaction. Personal information is defined as “information that is identifiable to an individual.” This does not extend to the title, name, or business contact information (phone number, address) of an employee of that organization.

What is the Purpose of PIPEDA? 

The purpose of PIPEDA, according to the Office of Privacy Commissioner of Canada is:

“To govern the collection, use, and disclosure of personal information by private sector organizations in a manner that recognizes both the right of the individual to have his or her personal information protected and the need of organizations to collect, use, and disclose personal information for purposes that a reasonable person would consider appropriate.”

Who Needs to Comply With PIPEDA?

PIPEDA applies to all Canadian private sector companies that engage in commercial activity, which is defined as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership, or other fundraising list.”

PIPEDA requires organizations to:

• Obtain consent when they collect, use, or disclose personal information.
• Supply an individual with a service or product regardless of whether they consent to the collection, use, or disclosure of personal information (unless that information is essential to a transaction).
• Provide personal information policies that are readily available and easy to understand.
• Collect information by fair and lawful means.

In essence, PIPEDA compliance protects consumer data while those consumers shop online, and adherence to PIPEDA guidelines guarantees that organizations are held to a certain high standard.

PIPEDA also gives consumers several rights that include, but are not limited to, being able to know why an organization is collecting their data, that an organization will not use that data for purposes other than those the consumer has consented to, and that they can file a complaint about how an organization handles their data.

All of this is an incentive for an organization to comply with PIPEDA guidelines and to be an example for data privacy practices. Consumers trust companies that are transparent about their data security, and they return to companies that have tried-and-tested data privacy strategies.

As a result, the vast majority of businesses that operate in Canada or provide services to its citizens are required to comply with PIPEDA. Some examples include:

• Airports, aircraft and airlines
• Banks and authorized foreign banks
• Inter-provincial or international transportation companies
• Telecommunications companies
• Offshore drilling operations
• Radio and television broadcasters

Canadian government entities, non-profit organizations that do not engage in commercial activities, political and charitable organizations, and public service organizations are not required to comply with PIPEDA.

Exceptions to PIPEDA Compliance

There are always some exceptions to the rules, and PIPEDA lists several exemptions for organizations and groups that are not covered by the legislation. These mostly cover federal organizations or organizations based in specific territories. 

Examples of instances not covered by PIPEDA include:

• Personal information held by federal government organizations that are already covered by the Privacy Act
• Nonprofits, charity organizations, and political parties and associations — unless being used in a commercial way outside their usual scope of activity
• Territorial and provincial governments and their agents
• An employee’s or business’ contact information used solely for the purpose of contacting them about their profession — e.g. title, business, email address
• The collection, use, or sharing of personal information for literary, artistic, or journalistic purposes
• Individuals that are collecting and using personal information for personal purposes only — for example to send birthday party invitations

While not always, hospitals, universities, schools, and municipalities are typically exempt from PIPEDA. This is because their activities and use of personal data is already covered by provincial laws.  

If you’re ever unsure about whether or not PIPEDA applies to your situation, it’s always best to get in touch with the Office of the Privacy Commissioner of Canada (OPC). 

How does PIPEDA Define Personal Information?

While most privacy laws generally use personal information to mean a similar group of data, it’s helpful to understand exactly how PIPEDA interprets the term. That way, you’re not caught out by your own personal idea of what personal data means. 

Under PIPEDA, personal information covers any “factual or subjective information, recorded or not, about an identifiable individual.” What’s interesting here is that the definition includes subjective information — which can be as simple as an opinion shared about an individual. 

Examples of personal information covered by PIPEDA include: 

• Name, age, ethnic origin, nationality, marital status
• Income, credit records, loan records
• Blood type, DNA, personal health information records
• Opinions, disciplinary actions, and assessment records
• ID numbers, driver’s license number, social insurance number

As you can see from the list above, PIPEDA covers a mix of personal information — including sensitive data like health records and credit records. That’s why it’s so crucial that organizations which PIPEDA applies to take great care to secure this data and to inform users over how it’s collected, used, and shared. 

How Does PIPEDA Define Commercial Activity?

Simply collecting, using, or sharing personal information isn’t enough to make an organization subject to PIPEDA. They also need to do this in the course of commercial activities. 

PIPEDA defines commercial activity as: 

“Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

This means that PIPEDA not only covers obviously commercial activities like buying and selling goods and services but also the less obvious — like leasing a membership list. It’s also key to remember that the commercial aspect applies to how you intend to or do collect, use, or disclose the personal information — not the nature of the information itself.

The Rights of Individuals Under PIPEDA

PIPEDA is designed to balance the need for organizations to collect personal information for commercial purposes with the right of individuals to protect that data. Understanding the rights of individuals under PIPEDA is crucial to ensuring privacy.

Let's take a closer look a the rights of individuals under this Canadian federal law:

1. Access: Individuals have the right to access their personal information held by organizations and to request changes to that information if it is inaccurate or incomplete. Organizations must provide access to personal information within a reasonable time and at a minimal or no cost to the individual.
   
   

2. Consent: Organizations must obtain meaningful consent from individuals for the collection, use, and disclosure of personal information, except in specific circumstances where the act allows for collection, use, or disclosure without consent. Individuals must be informed of the purposes for which their personal information will be used and must agree to those uses.
   
   

3. Challenging Compliance: Individuals have the right to challenge an organization's compliance with PIPEDA. If an individual believes that an organization has not handled their personal information in accordance with the act, they can file a complaint with the Privacy Commissioner of Canada. The Commissioner will then investigate the complaint and make recommendations to the organization on how to resolve the issue.
   
   

4. Portability: Individuals have the right to request a copy of their personal information in a format that allows for easy transfer to another organization.

The privacy act grants several rights to individuals in Canada when it comes to the protection of their personal information, and security safeguards against financial loss, data breach, identity theft, and other certain circumstances that impact how private sector organizations disclose personal information. Understanding and exercising these rights is crucial to ensuring privacy and accountability of an organization's security safeguards.

Responsibilities of Businesses Under PIPEDA

PIPEDA sets out ten fair information principles that cover how organizations should collect, use, and disclose personal information if they’re subject to the legislation. These principles not only cover an organization’s PIPEDA requirements but help you to understand how they protect users’ rights too. 

1. Accountability

This principle states that businesses must take responsibility for the personal information that they hold as well as when said data is transferred to a third party for processing.  

Organizations should appoint someone to oversee PIPEDA compliance across the entire organization. This person should develop a program that regularly conducts privacy data handling and threat assessment, and he or she should have the authority to make changes to the organization when data handling issues arise.

2. Identify Purposes

PIPEDA requires businesses to identify and state the purposes for data collection. Organizations should be able to properly explain why personal information is collected, at the time of collection — so it's recommended to have a document like a terms of service or privacy policy.

Also, consumers should be notified if an organization decides to use data collected in the past for new reasons that haven’t been previously disclosed.

3. Consent

Organizations that fall under PIPEDA are generally required to collect “meaningful consent” for any collection, use, or sharing of personal information. Meaningful consent is where someone understands exactly what they’re consenting to and the consequences of that — so it needs to be presented in a straightforward, easy-to-understand way. 

Sometimes consent is required for an activity or transaction to take place. In cases where it’s not essential, people must be given the choice over whether they want to agree to data collection and processing or not. 

There’s some flexibility over exactly how to obtain consent. Businesses need to be mindful of the sensitivity of personal data, and seek to gain explicit consent for the collection and use of this personal information. 

It’s also important to realize that people can withdraw their consent at any moment. This might have an impact on how they access products and services, so you need to make it clear if this is the case. A great way to do this is to cover this fully within your privacy policy. 

4. Limit Collection

Under this principle, organizations should only seek to collect the personal information they need to fulfill a defined, legitimate purpose. This discourages organizations from collecting irrelevant personal information and helps users keep greater control over how much of their personal data is out there in the world. 

This principle also sets out a requirement for organizations to collect information by “fair and lawful means.” It’s a statement that helps protect users against their information being collected for purposes other than what they thought — through the use of misdirection or deception. 

5. Limiting Use, Disclosure, and Retention

Following on from the requirement to limit data collection to only what’s necessary, this principle states that this information should then only be used for the intended purposes. This prevents organizations from collecting one piece of personal information for one purpose, then reusing it for another without adequate consent. 

This principle also places a requirement on organizations to only keep personal information for as long as is required to fulfill its purpose. Organizations shouldn’t hold personal data indefinitely should have minimum and maximum retention periods in place that match the purpose. 

When personal information is no longer required, organizations should dispose of it safely. This includes destroying personal data fully from devices before they are discarded or disposed of, and that any physical records are properly shredded or destroyed. Not only does this safeguard user data, but it helps to protect against potential privacy breaches. 

6. Accuracy

Organizations that collect, use, and disclose personal information should make sure that the data they hold is accurate, up to date, and as complete as possible. This is to prevent organizations from using the wrong information when making decisions — for example about suitability for a job or loan. 

It can be challenging to know whether a piece of information is out of date or not. To make this easier, consider recording the date of collection or update alongside personal information. This can help you decide whether you may need to review its suitability for decision-making or not. 

7. Safeguards

Under PIPEDA, organizations are required to safeguard personal information. This means that all personal information should be protected against threats like loss or theft. It should also be protected against unauthorized access, use, copying, disclosure, or modification. 

While PIPEDA notes that you should safeguard personal information, there are no explicit data protection methods that are required or recommended. Data security is a responsibility that falls on your organization, as you’re better placed to understand your unique ways of operating, risks, and threats. 

Should a data breach occur, there are several steps an organization must take. You should report any breaches that represent a “real risk of significant harm” to the OPC and notify any affected individuals and relevant third parties. You should also keep records of all breaches — even those that don’t pose significant risk. 

8. Openness

Every user should be able to easily understand exactly what PIPEDA means to them, and how an organization wants to collect, use, or disclose their personal information. That’s why there’s a principle of openness that states your information management practices should be readily available and clear to understand. 

Organizations should avoid the use of complicated legal language and jargon when explaining how they manage personal information. Instead, a simple, clear, and accessible privacy policy is the preferred way to communicate this information to the public. 

Within your privacy policy, you should cover the following: 

• Contact details for the individual responsible for privacy compliance and responding to data requests within your organization — including either their name or title
• The types of personal information collected
• Your purposes for collecting, using, and disclosing this personal information
• Details about which personal information is disclosed to third parties, and for what purpose
• The process for a user to access their personal information
• The process for a user to make a complaint

This is just a starting point, as you may wish to go into further detail about your approach to data privacy and how you manage personal information. Whichever information you choose to share beyond this, stick to this principle’s requirement for it to be in a clear, easy-to-understand format. 

9. Individual Access

This principle is one of the simplest, as it gives users the right to access their personal information. Alongside this, users also gain the right to request amendments to the personal data you hold —  or to challenge the accuracy of it at any time. 

Under this principle, users can make a request for organizations for the disclosure of personal information relating to them. You need to confirm which information you hold, how it was obtained, how it’s used, and with which organizations it has been shared. 

There’s a 30 day response time limit for these access requests, although it may be extended in special circumstances. There should be no charge or a minimal relevant cost to users to exercise this right, with the charge clearly explained before the start of the process if there is one. 

If someone makes a request for their personal information to be updated or amended, this should be respected and actioned. If it’s relevant, this updated information should then be shared with third parties who already hold it so they can also ensure their data is accurate. 

10. Challenging Compliance

There may be cases where a user feels an organization hasn’t or isn’t complying with the key principles set out in PIPEDA. This principle sets out the right for individuals to challenge whether an organization is compliant or not, by making a complaint or challenge to the person responsible for compliance at the organization. 

To comply with this, organizations need a clear approach to handling complaints and challenges. You should have a robust complaints process and policy, and investigate any and all complaints received to the same standard. Information about how you handle complaints should be clearly provided to users — for example as part of your privacy policy. 

Ensure PIPEDA Compliance with Enzuzo

PIPEDA compliance isn’t hard, but it can be complex. There’s a lot that goes into data privacy law, and even more comes out of a data privacy breach in terms of resources, money, and lost consumer trust.

It’s beneficial to partner with a tried-and-tested compliance expert like Enzuzo to guarantee compliance. We’ll give you peace of mind, help modernize your technology, and educate your employees.

Enzuzo specialists are experts in:

• PIPEDA compliance
• GDPR compliance
• CPRA compliance
• CalOPPA compliance
• CCPA compliance
• And much, much more

Manage data privacy with Enzuno on your side. Book a demo today to get started!