The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal private-sector data privacy law.
Private-sector organizations need to comply with PIPEDA if they collect or use personal information when carrying out commercial activities.
Here are the definitions of two key terms:
- Private sector organization: An association, corporation, partnership, or trade union that is privately owned rather than government-controlled.
- Commercial activities: Any transaction or act that is of commercial character, such as selling, buying, or trading.
Read on to find out more about what PIPEDA is, who it applies to, and what its compliance requirements are.
What Is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s national private-sector data privacy law, enforced by the Office of the Privacy Commissioner of Canada (OPC).
PIPEDA protects individuals’ privacy by requiring organizations to inform people of their data handling practices, to obtain consent for the collection, use, and disclosure of personal information, and to give individuals access to the personal information held about them.
Certain PIPEDA violations, such as failing to report or keep records of a breach of security safeguards, or obstructing an OPC investigation, are offences that can result in fines of up to CAD$100,000 (roughly USD$75,000) if the matter is prosecuted.
What Is Personal Information Under PIPEDA?
Under PIPEDA, personal information refers to any factual or subjective information about an identifiable individual.
Examples of personal information under PIPEDA include:
- Factual information such as age, name, and ID numbers
- Subjective information such as opinions, evaluations and disciplinary actions
- Employment details such as employee files, credit records, and loan records
- Personal health information
- Cookie data
PIPEDA does not cover personal information handled by the federal government institutions listed under the Privacy Act, information an individual collects or uses purely for personal or domestic purposes, or business contact information (such as a work e-mail address or job title) when it is used solely to communicate with someone about their employment, business, or profession.
Who Does PIPEDA Apply To?
PIPEDA applies to private-sector organizations across Canada that collect, use, or share personal information when conducting commercial activities.
Federally regulated organizations must also comply with PIPEDA, and for them the law covers employee personal information as well as customer data. Federally regulated organizations include:
- Airlines and airports
- Banks
- Telecommunications companies
- Inter-provincial and international transportation companies
Who Does PIPEDA Not Apply To?
PIPEDA does not generally apply to non-profit organizations, charities, and political parties, because their core activities are not commercial. It does apply when such an organization engages in a commercial activity, for example selling a membership or donor list.
Organizations in Alberta, British Columbia, and Quebec are largely exempt from PIPEDA because those provinces have private-sector privacy laws that the federal government has declared substantially similar to PIPEDA; the provincial law governs personal information handled within the province.
However, PIPEDA still applies to federally regulated organizations in those provinces, and to personal information that crosses provincial or national borders in the course of a commercial activity, regardless of where the organization operates from and which provincial law otherwise applies.
PIPEDA Compliance Requirements
To comply with PIPEDA, your organization must follow PIPEDA’s 10 fair information principles, which outline the standards for the collection, use and disclosure of personal information, as well as users’ rights.
Here are the 10 PIPEDA fair information principles:
1. Accountability
Organizations are responsible for the personal information under their control, including information transferred to a third party for processing, and must appoint someone to be accountable for the organization’s compliance with the 10 principles.
2. Identifying Purposes
Organizations must state the purposes for data collection before or at the time of data collection.
3. Consent
Organizations must obtain “meaningful consent” before collecting, using, or sharing personal information. Consent may be express or implied depending on the sensitivity of the information and the reasonable expectations of the individual, and an individual may withdraw consent at any time, subject to legal or contractual restrictions.
4. Limiting Collection
Organizations must limit collection to the information necessary for the purposes they have identified, and must collect it by fair and lawful means.
5. Limiting Use, Disclosure, and Retention
Organizations must use or disclose personal information only for the stated purposes, unless the affected individuals consent to a new purpose or the law requires it, and must retain the information only as long as necessary to fulfil those purposes.
6. Accuracy
Organizations must keep personal information as accurate, complete, and up-to-date as is necessary for the purposes for which it is used.
7. Safeguards
Organizations must protect personal information with security safeguards appropriate to its sensitivity, covering physical measures (such as locked cabinets and restricted office access), organizational measures (such as security clearances and need-to-know access), and technological measures (such as passwords and encryption). More sensitive information warrants stronger safeguards.
8. Openness
Organizations must be transparent about their data handling practices to the public.
9. Individual Access
On request, organizations must tell an individual whether they hold personal information about them, how it is being used and to whom it has been disclosed, and give the individual access to it. The individual may challenge the accuracy and completeness of the information and have it amended.
10. Challenging Compliance
Individuals have the right to challenge an organization’s compliance with the 10 principles. Inquiries should be addressed to the person responsible for the organization’s compliance with PIPEDA, often their chief privacy officer.
PIPEDA Compliance Examples
Let’s take a look at some examples of PIPEDA-compliant websites to see how they address the above requirements.
The Ontario Psychological Association’s PIPEDA page details how the organization follows the 10 fair information principles in their data collecting and processing practices.
You can follow this example’s approach by listing the 10 fair information principles and explaining how your organization applies these principles when collecting and using personal information.
As another example, insurance software company Indio’s PIPEDA page goes over what information is collected, how information is used, and how it’s shared.
It also explains how cross-border data transfers work, how users can access or request to erase their data, and how they can file reports for PIPEDA violations.
While this PIPEDA page doesn’t explicitly refer to the 10 fair information principles, it addresses users’ rights based on the fair information principles, such as consent, access, and challenging compliance.
You can follow this example by using questions as headings for readers’ convenience, as long as you cover the required information under PIPEDA.
To demonstrate that your organization is meeting PIPEDA’s requirements, dedicate a separate webpage or a section in your privacy policy to PIPEDA compliance.
PIPEDA Breaches
PIPEDA defines a “breach of security safeguards” as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards, or from a failure to establish those safeguards.
Whenever such a breach poses a “real risk of significant harm” to an individual, the organization must report it to the Office of the Privacy Commissioner (OPC) of Canada as soon as feasible, using the OPC’s PIPEDA breach report form.
Significant harm includes:
- Bodily harm
- Humiliation, or damage to reputation or relationships
- Financial loss and identity theft
- Loss of employment, business, or professional opportunities
- Negative effects on a credit record, or damage to or loss of property
Additionally, organizations must notify affected individuals as soon as feasible, notify any other organization or government institution that may be able to reduce the risk of harm (for example, a bank or law enforcement), and keep a record of every breach of security safeguards, whether or not it met the reporting threshold, for 24 months from the date the organization determined the breach occurred. The OPC may ask to see these records.
Knowingly failing to report a breach, notify affected individuals, or keep breach records is an offence under PIPEDA.
Comparing PIPEDA and GDPR
Canada’s PIPEDA and Europe’s General Data Protection Regulation (GDPR) are comparable laws, as they both govern data privacy and give users more control over their data. However, there are some key differences between the two:
- Applicability: PIPEDA applies to private-sector organizations processing personal information in the course of commercial activities, whereas the GDPR applies to any organization, commercial or not, that processes the personal data of individuals in the European Economic Area (EEA).
- Jurisdiction: The GDPR applies to all organizations established in the EEA, as well as non-EEA organizations that offer goods or services to, or monitor the behaviour of, individuals in the EEA. PIPEDA’s reach is narrower in provinces with substantially similar legislation, and it applies to foreign organizations only where there is a “real and substantial connection to Canada,” according to the OPC.
- Consent: The GDPR requires consent to be freely given, specific, informed, and unambiguous, signalled by a clear affirmative action, and also recognizes other lawful bases for processing, such as contract or legitimate interests. PIPEDA relies on consent as its main basis and allows either implied or express consent depending on the sensitivity of the information.
While the two privacy laws differ in scope and compliance requirements, they both emphasize accountability and transparency.
Whether your business operates in Europe or Canada, you need to follow the applicable privacy law requirements to avoid legal and financial penalties.
Comply With PIPEDA Now
So far you’ve learned what PIPEDA is, who it applies to, and how to comply. Let’s go over the main points:
- PIPEDA is Canada’s federal privacy protection law, which applies to private-sector organizations that collect, use, and share personal data when carrying out commercial activities.
- To comply with PIPEDA, organizations must abide by the 10 fair information principles, which lay out ground rules for data handling practices.
- Businesses should publish a privacy policy that explains their data handling practices and how they apply the 10 principles, including the safeguards that protect user data.
- Data breaches must be reported to the OPC and users must be notified as soon as possible.
To better understand PIPEDA’s compliance requirements, read the PIPEDA legislation or head to the OPC website to check out various resources related to PIPEDA.
To operate your organization lawfully in Canada, make sure that your website meets PIPEDA’s requirements now.