Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal private-sector law that dictates how organizations collect and use personal data.
Below, I discuss all things PIPEDA, including who it applies to, the penalties for violating the law, and how it impacts businesses and consumers.
What Is PIPEDA?
PIPEDA is Canada’s federal comprehensive privacy law that outlines the foundation for how organizations can collect, process, and use Canadian private data.
Other laws in Canada protect privacy, including provincial laws and the Privacy Act that protects personal data held by the federal government, but PIPEDA is the primary private sector law.
Brief History of the Law
In November 2020, the Canadian government introduced a bill that would have overhauled PIPEDA and replaced it with new legislation; however, that bill never received Royal Assent.
In September 2021, the government called an election, and all bills not passed (including the one that would have updated PIPEDA) died on the order paper.
As a result, PIPEDA hasn’t been revised or replaced.
Who Does PIPEDA Apply to?
PIPEDA applies to private-sector organizations across Canada that collect, use, or share personal information when conducting commercial activities.
Any Canadian organization that transfers data across provincial or national borders must also comply, regardless of where it operates from or which provincial privacy laws apply to it.
The following federally regulated organizations must also comply:
- Airlines and airports
- Banks
- Telecommunications companies
- Inter-provincial and international transportation companies
Who Is Exempt?
The following organizations are exempt from PIPEDA unless they engage in commercial activities that aren’t part of their core operations:
- Non-profit organizations
- Charity groups
- Political parties
Additionally, organizations in the following provinces are also exempt from the Act and are instead subject to the following provincial private-sector laws, which are similar in scope:
- Alberta: Personal Information Protection Act (PIPA)
- British Columbia: Personal Information Protection Act (PIPA)
- Quebec: Quebec’s Law 25
Key Requirements of PIPEDA
Below, I explain some of the key requirements of PIPEDA and their impact on businesses.
The 10 Fair Information Principles
Organizations under PIPEDA must follow the ten fair information principles, which outline consumer rights and the standards for collecting and using personal information.
Legal Definition of Personal Information
Under PIPEDA, personal information refers to any factual or subjective information about an identifiable individual, including:
- Direct identifiers such as age, name, ID numbers
- Subjective information such as opinions, evaluations, and disciplinary actions
- Employment details such as employee files, credit records, and loan records
- Personal health information
- Cookie data
It does not include personal information handled by federal government organizations listed under the Privacy Act or business contact information used for direct communications.
Data Breach Notification Requirements
PIPEDA requires covered businesses to report data breaches that pose a “real risk of significant harm” to the Office of the Privacy Commissioner (OPC) of Canada using a PIPEDA breach report form.
Examples of significant harm include:
- Physical harm
- Reputational damage
- Financial loss
- Employment loss
Organizations must notify affected individuals about the breach as soon as possible and keep records of all data breaches for two years.
Consumer Rights Under PIPEDA
PIPEDA gives Canadians the right to:
- Access the personal information collected about them
- Correct the personal information
- Withdraw consent for the processing of their personal information
- Lodge a complaint with authorities about how their information is processed
PIPEDA's Impact on Businesses
PIPEDA impacts businesses by requiring them to have privacy compliance solutions on their websites and apps, like privacy policies and cookie banners.
These solutions help keep users properly informed so that your business meets the fair information principles outlined by the law.
To meet notification and transparency requirements, businesses should have:
- An accurate privacy policy
- An updated cookie policy
- A clear way for users to submit requests to follow through on their rights
- A consent banner that obtains and tracks adequate user consent preferences
Enforcement and Penalties for Noncompliance
PIPEDA is enforced by the Office of the Privacy Commissioner (OPC), but the OPC does not issue fines itself.
It investigates complaints made under PIPEDA and then issues recommendations, as part of its findings, to the federal government.
This can lead to federal prosecution and fines of up to CAD 100,000 ($79,815 USD).
How Termly Helps with PIPEDA Compliance
Businesses can use Termly’s Privacy Policy Generator to make a customized PIPEDA-compliant policy.
Our generator is backed by our legal team and data privacy experts and was built to be easy for anyone to use. It asks simple questions about your business and data processing activities and then makes a unique policy based on your answers.
We also provide a Consent Management Platform that can help you meet the opt-in and opt-out consent requirements described by the law.
Summary
To comply with PIPEDA, organizations must abide by the ten fair information principles, which lay out ground rules for data handling practices.
Businesses should create a privacy policy that addresses their commitment to keeping user data safe and ensure that data breaches are reported to the OPC and any affected users as soon as possible.
To better understand PIPEDA’s compliance requirements, read the PIPEDA legislation or head to the OPC website to check out various resources related to PIPEDA.