March 30, 2020

The Ultimate Guide to Canada PIPEDA Compliance in 2020

In this article we cover the basics for PIPEDA Compliance.

If your business operates in Canada, PIPEDA oversees what you can do with the personal data you collect from consumers.

Primarily, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal regulation that covers companies operating in the private sector. It controls how;

  • Companies gather personal and sensitive information
  • Companies use the personal data they collect
  • Companies operating in Canada disclose personal information.

Who Needs to Comply with PIPEDA

Canada’s data privacy law applies to:

  • organizations that collect, use, or disclose personal information for commercial purposes
  • Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.

It is important to highlight the fact that PIPEDA does not explicitly outline its applicability in relation to foreign companies. 

Nonetheless, some international firms have been penalized for violating PIPEDA requirements, which sets a clear precedent for foreign organizations to become compliant or face similar consequences.

What is Personal Information of PIPEDA?

Under PIPEDA, personal information refers to ‘any information about an identifiable individual.’

The categories of data considered personal information under PIPEDA include;

  • Age, name, ID number, financial data
  • Race, nationality, or ethnicity
  • Blood type
  • DNA
  • Marital status
  • Opinions, assessments, comments, social status, disciplinary actions
  • Medical, education, and employment records
  • Social insurance number or driver’s license
  • Employee files, credit history, and loan details

However, there are specific categories of data that do not fall under the scope of PIPEDA. They include;

  • Personal information processed by federal authorities that are listed under the Privacy Act.
  • Provincial or territorial administrations and their agents
  • Company contact data such as an employee’s name, profession, corporate address, phone number, or email address that is gathered, processed or shared primarily for communicating with the individual in question in connection to their profession or occupation.
  • A person’s gathering, processing, or sharing of personal data for individual use strictly
  • A company’s gathering, utilization, or transfer of personal data for journalistic, artistic, or literary purposes solely

Which Consumer Rights does PIPEDA Protect?

Canada’s data privacy law grants consumers the right to;

  • Know the purposes a business is collecting, using, or sharing their information
  • Expect organizations to gather, process, or share information with accountability and not for any other reason other than what they consented to
  • Access their personal data maintained by a company without restrictions and make modifications where needed.
  • Lodge complaints about a company’s use of their data if they sense that a business is violating their privacy.
  • Expect that their personal information is precise, complete, and updated at all times

Apart from guaranteeing consumer rights, PIPEDA outlines the responsibility of businesses in protecting personal data. Essentially, businesses are expected to;

  • Seek clear, express consent from users before the gathering, processing, or transferring their personal information
  • Make sure that users have access to products or services even when they do not reveal their personal data unless the information is not necessary for the transaction
  • Only gather data using legitimate ways
  • Generate clear, easy to understand, and legible privacy notices

What are the Penalties for Non-Compliance?

The latest amendments to PIPEDA now come with fines of up to $100,000 for companies that fail to meet data protection obligations. 

While this isn't nearly as onerous as GDPR, it's likely to be only the start for more stringent enforcement of PIPEDA.

What Do the Latest Amendments Mean for Data Breach Notification Rules?

As of November 1, 2018, organizations subject to PIPEDA that experience a data breach need to determine whether the access or loss of personal information can cause a "risk of significant harm" to individuals.

The new provisions were approved back in 2015 as part of S-4, the nation's Digital Privacy Act

Under the new amendments, in order to comply with PIPEDA, organizations must:

  • Notify the Privacy Commissioner of Canada  concerning breaches of personal data safety arrangements that significantly endanger individuals
  • Inform affected persons about the breaches in question
  • Alert any other body that can alleviate harm to affected persons; and
  • Track and maintain a database of all breaches for at least 24 months following the date it determined that a breach occurred

 For additional queries or concerns, book a call with us today for personalized support on how to make your company and website compliant with PIPEDA. Check out how to have a PIPEDA-compliant cookie banner.

Check out the 10 PIPEDA Principles here.

Learn about the Bristish Columbia Personal Information Privacy Act, Quebec's Bill 64, and the newly proposed Consumer Privacy Protection Act - CPPA.