The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian federal privacy law that regulates how the private sector collects, uses and discloses personal information.

Effective from: January 1, 2004

Official text: Personal Information Protection and Electronic Documents Act

What is PIPEDA?

PIPEDA is a federal law that governs the collection, use and disclosure of personal information by organizations and recognizes the privacy rights of individuals with respect to their personal information. PIPEDA came into force two decades ago in 2000.

Who does PIPEDA apply to?

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of “commercial activity”. It applies only to commercial activity, which is defined as any transaction, act or conduct of a “commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.

You are exempted from PIPEDA if you are any of the following:

  • A federal government organization listed under the Privacy Act
  • A provincial or territorial government
  • A non-profit organization, political party, political association or charity
  • A hospital, school, university or municipality

Businesses may also be exempt if they are subject to provincial privacy legislation similar to PIPEDA, such as the provincial privacy laws of Quebec, Alberta and British Columbia.

Where does PIPEDA apply?

  • PIPEDA applies to organizations within Canada, except in provinces that have similar data protection laws of their own, namely Quebec, British Columbia and Alberta.
  • PIPEDA applies to all federally regulated businesses in Canada, such as banks, telephone companies, shipping companies and railways, even in provinces that have enacted similar privacy legislation.
  • Businesses are required to protect personal information that is “collected, used, or disclosed internationally”. Organizations that transfer data across provincial and national borders are subject to PIPEDA, regardless of their provincial privacy laws.

What is personal data in the PIPEDA?

PIPEDA defines personal information as “information about an identifiable individual.” Under PIPEDA the following can be considered personal information:

  • Age, name, social security numbers, race, national or ethnic origin
  • Medical, education or employment history
  • Biometric information such as fingerprints or DNA
  • Social insurance number or driver’s licence
  • Employee files, credit records, loan records, medical records, financial information

PIPEDA does not define what constitutes sensitive personal information; instead it notes that any personal information may be sensitive depending on the context.

What are the principles of data processing in PIPEDA?

PIPEDA outlines 10 information principles governing the collection, use and disclosure of personal information and users’ rights.

  • Accountability: Businesses are responsible for the personal information they hold and need to appoint an individual to ensure the organization is compliant with the 10 principles.
  • Identifying purposes: Organizations are required to state the purposes for data collection before or at the time of data collection.
  • Consent: To collect, use or disclose personal information, organizations need to obtain consent from users.
  • Limiting collection: Organizations are required to collect only the necessary amount of information, and to do so in a fair and lawful manner.
  • Limiting use, disclosure, and retention: Organizations need to use personal information only for the purposes they stated during collection unless the users give additional consent.
  • Accuracy: Organizations should keep users’ personal information accurate, complete, and up to date.
  • Safeguards: Organizations should implement safety measures to protect personal data.
  • Openness: Organizations should inform users about their policies and practices in a plain and transparent manner.
  • Individual access: Organizations need to respect their users’ right to access, review and correct personal information.
  • Challenging compliance: Individuals have the right to challenge an organization’s compliance with these principles by addressing the designated individual, such as the organization’s compliance officer.

Meaningful consent under PIPEDA

The Office of the Privacy Commissioner of Canada (OPC) issued seven guiding principles for meaningful consent, based on PIPEDA and the Personal Information Protection Acts (PIPA) of Alberta and British Columbia.

Figure: Meaningful consent under PIPEDA (source: priv.gc.ca)

How to achieve PIPEDA’s meaningful consent with CookieYes

If you own a business website, here’s how you can obtain meaningful consent under PIPEDA and achieve compliance with the help of CookieYes CMP (Consent Management Platform).

7 guiding principles for meaningful consent

01 Emphasize key elements. For consent to be valid or meaningful, businesses must inform individuals of their privacy practices in an easy-to-understand manner. You can implement a cookie banner with brief information on your data collection through cookies.

02 Allow individuals to control the level of detail they get and when. Information should be provided in a manageable and easily accessible way. Businesses should “layer” information in ways that enable individuals to control how much detail they want and when. With the CookieYes cookie banner, you can display cookie information in layers, with the detailed cookie list and category information in the second layer.


03 Provide individuals with clear options to say “yes” or “no.” Businesses should ask for consent only for what is necessary to provide the product or service, and consumers should be given a choice that is clear and easily accessible. Display a cookie banner with ‘Accept’ and ‘Reject’ buttons so users have an active choice.

04 Be innovative and creative. Businesses should design or adopt innovative consent processes that are “just-in-time”, interactive and device-appropriate. With CookieYes, you can display a fully customizable, mobile-responsive cookie banner.


05 Consider the consumer’s perspective. Consent processes should be user-friendly and customized for your target audience’s understanding. This includes clear explanations, language suitable to a diverse audience and displaying information in an accessible way. With CookieYes, you can link the privacy and cookie policy on your banner for easy access to detailed policy pages.

06 Make consent a dynamic and ongoing process. Informed consent should be an ongoing process that changes as circumstances change. For this, businesses should provide users with the ability to change or withdraw their consent at any time. For cookie consent, you can implement a consent revisit button on your website.


07 Be accountable. Businesses should be prepared to demonstrate their compliance when asked and should provide proof of valid and meaningful consent. With Consent Log, you can access the historical record of all cookie consents obtained from your website.


How does PIPEDA provide individual rights?

Under PIPEDA’s principle of individual access, individuals have the right to access the information organizations hold about them. In particular:

  • On the request of an individual, an organization must disclose the existence, use and disclosure of his or her personal information and grant the individual access to that information.
  • Organizations should inform individuals of the purpose for collecting any information, at or before the time of collection, in writing or orally.
  • While PIPEDA does not grant a right to erasure, organizations are required to destroy, erase or anonymise information that is no longer needed to fulfil the purposes for which it was collected.
  • PIPEDA allows individuals to withdraw consent at any time, but organizations must inform individuals of the implications of withdrawing consent.

What is the penalty for a violation under PIPEDA?

A PIPEDA violation is any violation of Division 1 of the Act (Protection of Personal Information) or of Division 1.1 (Breaches of Security Safeguards), including a violation of the data breach notification rule, or a failure to comply with the 10 principles of PIPEDA.

  • PIPEDA provides the option of monetary penalties on organizations for committing an offence under the Act.
  • Organizations that commit offences may be subject to fines of up to $100,000. PIPEDA does not itself establish a private right of action; however, failure to comply may result in civil actions, class actions or private rights of action.

5 steps to PIPEDA compliance

01 Obtain consent

As per the principles of identifying purposes and consent, businesses have to obtain consent for the use and disclosure of personal information. Businesses can implement either explicit or implicit consent, and the appropriate form is to be determined based on the sensitivity of the personal information and the reasonable expectations of the data subject.

Cookies are one of the most common ways in which businesses collect and share personal data online. To inform users and obtain their consent, you can implement a simple cookie consent banner and record all your user consents for proof of compliance. CookieYes CMP will help you add a cookie banner on your website and instantly get started with PIPEDA compliance.

Figure: a simple cookie banner powered by CookieYes CMP.

02 Update privacy policy

To fulfil the principles of identifying purposes and openness, businesses should disclose how they collect, use, share, secure and process users’ personal data. An up-to-date and detailed privacy policy can outline this and help you achieve compliance. The policy should include all information about personally identifiable information, along with the organization’s PIPEDA practices and how individuals can request access to their data. You can easily generate a privacy policy with our free privacy policy generator.

03 Implement security safeguards

Businesses should implement physical, organizational and technical measures to safeguard personal information. Data must be protected against security breaches such as unauthorized access, theft or duplication. Encrypting data at entry and exit points and restricting physical and remote access to data are important security measures that should be in place. While PIPEDA does not give specific guidelines on how organizations should implement safeguards, you can refer to the NIST framework for guidance.

04 Notify during a data breach 

Under PIPEDA’s data breach notification rule, businesses are required to notify the Office of the Privacy Commissioner (OPC) of any breach of security safeguards that poses a “real risk of significant harm” to an individual. The rule also requires businesses to notify affected individuals in a manner that makes clear the risk of harm and the steps they should take to mitigate it. Businesses must also keep records of all breaches of security safeguards, irrespective of the scope of the breach or the sensitivity of the personal information involved, and even if the breach does not pose a real risk of significant harm to individuals.

05 Provide individual access

To fulfil the obligations of individual access under PIPEDA, an organization must reply in writing to a request for access to personal information within 30 days of receiving the request. Businesses have to confirm the individual’s request, explain how the personal data is used and provide a list of anyone with whom the information has been shared. In addition, organizations must comply with an individual’s request to challenge the accuracy and completeness of the information and amend it where necessary.

FAQ on PIPEDA

When did PIPEDA come into effect?

PIPEDA came into force on 1 January 2001 and came into full effect on 1 January 2004.

Does PIPEDA apply to all provinces?

PIPEDA is a federal law that applies to all provinces and territories in Canada. However, Alberta, British Columbia and Quebec have their own private-sector privacy laws that are deemed substantially similar to PIPEDA. Private-sector organizations that are subject to these provincial privacy laws are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.

Who is the regulator of PIPEDA?

The Office of the Privacy Commissioner of Canada (OPC) is the federal supervisory authority under PIPEDA. Each province and territory can also designate its own supervisory authority under the Act. The OPC has investigatory powers and handles complaints lodged by individuals.

What data is exempt from PIPEDA?

  • Personal data handled by federal government organizations listed under the Privacy Act.
  • Personal data handled by provincial or territorial governments and their agents.
  • Business contact information, such as an employee’s name, title, business address, telephone number or email address, collected in relation to their employment or profession.
  • Personal information that an individual collects, uses or discloses strictly for personal purposes.
  • Personal data that an organization collects solely for journalistic, artistic or literary purposes.

What is the purpose of PIPEDA?

PIPEDA regulates how businesses collect, use or disclose personal information and recognizes the right of the individual to have his or her personal information protected. It is a federal law that applies to organizations in the private sector across Canada. PIPEDA shares this purpose with provincial laws like the Alberta Personal Information Protection Act (PIPA) and the British Columbia Personal Information Protection Act (PIPA).

Does PIPEDA apply to businesses outside Canada? 

PIPEDA can apply to organizations outside Canada, regardless of where the business is located. As per a Canadian court ruling, PIPEDA can apply to conduct that has a “real and substantial” connection to Canada.

The factors that can determine if a business has a substantial connection to Canada include whether a business markets its products or services to Canadians, whether it processes the personal information of Canadians, and whether any misuse or disclosure of personal information would have an impact on Canadians.