The Personal Information Protection and Electronic Documents Act or PIPEDA is the Canadian federal privacy law that regulates how the private sector collects, uses and discloses personal information.
Effective from: January 1, 2004
Official text: Personal Information Protection and Electronic Documents Act
What is PIPEDA?
PIPEDA is a federal law that governs the collection, use and disclosure of personal information by organisations and recognises the privacy rights of individuals with respect to their personal information. PIPEDA came into force two decades ago in 2000.
Who does PIPEDA apply to?
PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information for ”commercial activity”. It applies only to a commercial activity which is defined as any transaction, act, or conduct of “commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists”.
You are exempted from PIPEDA if you are any of the following:
- A federal government organization listed under the Privacy Act
- A provincial and territorial government.
- A non-profit organization, political party, political association, or charity group.
- A hospital, school, university, or municipality.
Businesses may also be exempt if they are subject to provincial privacy legislation similar to PIPEDA, such as the provincial privacy laws of Quebec, Alberta and British Columbia.
Where does PIPEDA apply?
- PIPEDA applies to organizations within Canada, except in some provinces where there are similar Data Protection laws such as Quebec, British Columbia, and Alberta.
- PIPEDA applies to all federally regulated businesses in Canada such as banks, telephone companies, shipping companies, and railways even in provinces which have enacted similar privacy legislations.
- Businesses are required to protect the personal information that is “collected, used, or disclosed internationally”. Organizations that transfer data across provincial and national borders are subject to PIPEDA, regardless of their provincial privacy laws.
What is personal data in the PIPEDA?
Personal Information Protection and Electronic Documents Act (PIPEDA) defines personal information as “information about an identifiable individual.” Under PIPEDA the following can be considered personal information:
- Age, name, social security numbers, Race, national, or ethnic origin
- Medical, education or employment history
- Biometric information such as fingerprints, DNA
- Social insurance number or driver’s license.
- Employee files, credit records, loan records, medical records, financial information
PIPEDA does not define what constitutes sensitive personal information, it notes that any personal information may be sensitive depending on the context.
What are the principles of data processing in PIPEDA?
PIPEDA outlines 10 information principles for the collection, use, and disclosure of personal information and user’s rights.
- Accountability: Businesses are responsible for the personal information they hold and need to appoint an individual to ensure the organization is compliant with the 10 principles.
- Identifying purposes: Organizations are required to state the purposes for data collection before or at the time of data collection.
- Consent: To collect, use or disclose personal information, organizations need to obtain consent from users.
- Limiting collection: Organizations are required to collect only the necessary amount of information in a fair and lawful manner.
- Limiting use, disclosure, and retention: Organizations need to use personal information only for the purposes they stated during collection unless the users give additional consent.
- Accuracy: Organizations should keep users’ personal information accurate, complete, and up to date.
- Safeguards: Organizations should implement safety measures to protect personal data.
- Openness: Organizations should inform users about their policies and practices in a plain and transparent manner.
- Individual access: Organizations need to respect their users’ right to access, review, and correct personal information.
- Challenging compliance: Individuals have the right to challenge an organization’s compliance with the designated individual such as the compliance officer of the organization.
Meaningful consent under PIPEDA
Office of the Privacy Commissioner of Canada (OPCC) issued seven guiding principles for meaningful consent, based on PIPEDA and the Personal Information Privacy Acts (PIPA) of Alberta and British Columbia.
How to achieve PIPEDA’s meaningful consent with CookieYes
If you own a business website, here’s how you can obtain meaningful consent under PIPEDA and achieve compliance with the help of CookieYes CMP (Consent Management Platform).
7 guiding principles for meaningful consent
01 Emphasize key elements. For consent to be valid or meaningful, businesses must inform individuals of their privacy practices in an easy-to-understand manner. You can implement a cookie banner with brief information on your data collection through cookies.
02 Allow individuals to control the level of detail they get and when
Information should be provided in a manageable and easily accessible way. Businesses should “layer” information in ways that enable individuals to control how much detail they want and when. With CookieYes cookie banner, you can display cookie information in layers, with the detailed cookie list and category information in the second layer.
03 Provide individuals with clear options to say “yes” or “no.” Businesses should ask for consent for only what is necessary to provide the product or service and consumers should be given a choice that is clear and easily accessible. Display a cookie banner with ‘Accept’ and ‘Reject’ buttons so users have an active choice.
04 Be innovative and creative. Businesses should design or adopt innovative consent processes that can be displayed “just-in-time”, interactive and device-appropriate. With CookieYes, you can display a fully customizable, mobile-responsive cookie banner.
06 Make consent a dynamic and ongoing process. Informed consent should be an ongoing process that changes as circumstances change. For this, businesses should provide users with the ability to change or withdraw their consent at any time. For cookie consent, you can implement a consent revisit button on your website.
07 Be accountable. Businesses should be prepared to demonstrate their compliance when asked and should provide proof of valid and meaningful consent. With Consent Log, you can access the historical record of all cookie consents obtained from your website.
Obtain cookie consent and
Sign up for free
minimize your legal risks
14-day free trialNo credit card required
How does PIPEDA provide individual rights?
Under PIPEDA’s principle of individual access, customers have the right to access information from organizations. Individuals can:
- PIPEDA provides that, on the request from an individual, an organization must disclose the existence, use, and disclosure of his or her personal information and grant the individual access to that.
- Organizations should inform individuals of the purpose for collecting any information, at the time or before the time of collection, in writing or orally.
- While PIPEDA does not grant the right to erasure, organizations are required to destroy, erase or anonymise information that is no longer needed to fulfil the purposes for which it was collected.
- PIPEDA allows individuals to withdraw consent at any time but should inform individuals of the implications of withdrawing consent.
What is the penalty for a violation under PIPEDA?
A PIPEDA violation is any violation of Division 1 of the Act (Protection of Personal Information) or any violation of Division 1.1 (Breaches of Security Safeguards) that includes a violation of the data breach notification rule, or the failure to comply with the 10 principles of PIPEDA.
- PIPEDA provides the option for monetary penalties on organizations for committing an offence under PIPEDA.
- Organizations that commit offences may be subject to fines of up to $100,000. PIPEDA does not establish a private right of action, however, failure to comply may result in civil actions, class actions, or private rights of action
5 steps to PIPEDA compliance
01 Obtain consent
As per the principles of identifying purposes and consent, businesses have to obtain consent for the use and disclosure of personal information. Businesses can implement either explicit or implicit and the appropriate form of consent is to be defined based on the sensitivity of the personal information and the reasonable expectations of the data subject.
Cookies are one of the most common ways in which businesses collect and share personal data online. To inform users and obtain their consent, you can implement a simple cookie consent banner and record all your user consents for proof of compliance. CookieYes CMP will help you add a cookie banner on your website in just 3 steps!
03 Implement security safeguards
Businesses should implement physical, organizational, and technical methods to safeguard personal information. It should be ensured that the data is protected from cybersecurity breaches such as unauthorized access, theft, or duplication of data. Encrypting data at entry and exit points, and restricting physical and remote access to data are important security measures that should be in place. While PIPEDA does not have specific guidelines on how organizations should implement safeguards, you can refer to the NIST framework for guidance.
04 Notify during a data breach
Under the PIPEDA’s data breach notification rule, businesses are required to notify the Office of the Privacy Commission (OPC) if there’s any breach of security safeguards that poses a “real risk of significant harm” to an individual. The PIPEDA breach notification rule requires businesses to notify affected individuals in a manner which makes clear the risk of harm and the steps they should take to mitigate the risk. Businesses should also maintain records of all data breaches of security safeguards irrespective of the scope of the breach or the sensitivity of the personal information involved and even if the breach doesn’t pose significant harm to individuals.
05 Provide individual access
To fulfil the obligations of individual access under PIPEDA, an organization must reply to a request for access to personal information in writing within 30 days of receipt of the request. Businesses have to confirm an individual’s request, explain how personal data is used and provide a list of anyone with who the information has been shared with. In addition, organizations must also comply with an individual’s request to challenge the accuracy and completeness of the information and amend it.
FAQ on PIPEDA
When did PIPEDA come into effect?
PIPEDA came into force on 1 January 2001 and came into full effect on 1 January 2004.
Does PIPEDA apply to all provinces?
PIPEDA is a federal law that applies to all provinces and territories in Canada. However, Alberta, British Columbia and Quebec have their own private-sector privacy laws that are deemed substantially similar to PIPEDA. Private-sector organizations that are subject to these provincial privacy laws are generally exempt from PIPEDA with respect to the collection, use or disclosure of personal information that occurs within that province.
Who is the regulator of PIPEDA?
The Office of the Privacy Commissioner (OPC), Canada is the federal supervisory authority under PIPEDA. Each province and territory can also designate its own supervisory authority under the Act. OPC has the investigatory powers and handles complaints lodged by individuals.
What data is exempt from PIPEDA?
- Personal data is handled by federal government organizations listed under the Privacy Act.
- It does not apply to provincial or territorial governments and their agents.
- Business contact information such as an employee’s name, title, business address, telephone number or email address collected, in relation to their employment or profession.
- An individual’s collection, use or disclosure of personal information is strictly for personal purposes.
- Personal data that is collected by an organization solely for journalistic, artistic or literary purposes.
What is the purpose of PIPEDA?
PIPEDA regulates how businesses collect, use or disclose personal information and recognizes the right of the individual to have his or her personal information protected. It is a federal law that applies to organizations in the private sector across Canada. PIPEDA shares this purpose with provincial laws like the Alberta Personal Information Protection Act (PIPA) and the British Columbia Personal Information Protection Act (PIPA).
Does PIPEDA apply to businesses outside Canada?
PIPEDA can apply to organizations outside Canada regardless of where the business is located. As per a ruling by the Canadian court, PIPEDA can apply to conduct that has a “real and substantial” connection to Canada.
The factors that can determine if a business has a substantial connection to Canada include whether a business markets its products or services to Canadians, whether it processes the personal information of Canadians, and whether any misuse or disclosure of personal information would have an impact on Canadians.