What is PIPEDA?
Are you aware of what PIPEDA is and who it applies to? Read about what PIPEDA stands for, PIPEDA penalties, and what to do in case of a data breach.
What Does PIPEDA Stand For?
PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is Canada’s federal law on personal data protection. Since its enactment in April 2000, PIPEDA has been amended multiple times to keep this comprehensive privacy law aligned with current privacy legislation trends.
What Are PIPEDA Principles?
PIPEDA is built on ten fair information principles:
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
The answers to the following questions show how PIPEDA puts these principles into practice.
How Does PIPEDA Compare To GDPR And CCPA?
Although PIPEDA has its own specifics, it unavoidably resembles other privacy laws. The most recent data protection laws are aimed at international businesses, so many of them share similarities.
If your business focuses on North America rather than Europe and you are already CCPA-compliant, you will still have to put some effort into becoming compliant with the Canadian PIPEDA.
Do We Need To Be Compliant With Canadian Provinces' Data Protection Laws?
Yes, you have to comply with provincial privacy laws, too. A given collection, use, or disclosure of data can be exempt from PIPEDA and subject only to the provincial law if:
- Your business operates in that province,
- You collect, use, or disclose personal information of residents of that province only, and
- You collect, use, or disclose the personal information only within that province.
In short - only if the data does not leave the province. Only the provinces of Alberta, British Columbia, and Quebec have their own private-sector data protection laws. They are all substantially similar to PIPEDA, so compliance with the federal law generally means compliance with the provincial law as well.
Who Does PIPEDA Apply To?
PIPEDA applies to:
- Canadian organizations that collect, use, or disclose personal information for commercial purposes
- Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.
Although the law itself does not explicitly mention its application to foreign companies, the penalties that some of them have received in the past are a clear signal that they have to comply with it. Foreign companies have to comply with PIPEDA as soon as they get in touch with their first Canadian user.
If you are a Canadian business, then the necessity to comply with PIPEDA is a no-brainer.
Who Enforces PIPEDA?
The Office of the Privacy Commissioner and the Federal Court enforce PIPEDA. The Commissioner investigates the case and produces a report with the findings. The complainant can then use the report in court.
What Are The Penalties?
The court may impose penalties of up to CAD 100,000 on organizations that have violated the law. Remember that the Commissioner may audit your data protection management practices at any time.
What Is Personal Data?
PIPEDA defines personal data as any information that could identify an individual. This includes, but is not limited to, name, email address, phone number, ethnic origin, ID number, blood type, loan records, intentions, social status, and more.
Do I Have To Collect Consent For Collecting Or Processing Personal Data?
In short - it depends on the circumstances, but you had better obtain it. If you use the most common tracking technologies and want to automate consent management, then obtaining explicit consent is the safe way to go.
In any case, you have to obtain “meaningful consent”, which may be either implicit or explicit.
You have to collect explicit consent if the data you collect or use is:
- Outside of the reasonable expectations of the user or
- May cause significant harm.
In all other cases, implicit consent is enough. If you rely on implied consent, though, you have to be aware of Canada’s anti-spam law, which strictly prohibits sending commercial content to users without explicitly obtaining their consent.
It is important to note that data that is normally non-sensitive may be considered sensitive in certain circumstances. The reasonable expectations of the user also change from situation to situation. There is no clear line between the requirements for implicit and explicit consent.
If there is any possibility of collecting, using or disclosing sensitive data, such as ethnicity, religious views, sexual orientation, financial information, health information, or other sensitive data, make sure you obtain explicit consent.
Social media cookies, in particular, often collect sensitive data. If you are using any of them, then obtaining explicit consent is the safe way to go. Check out how to have a PIPEDA-compliant cookie banner.
In addition, you must not use or process users’ data for purposes other than those for which consent has been given. If you have obtained consent for one purpose but now want to use the data for another purpose, you have to request consent again.
You are also required to inform your users about the purpose of data collection and use at the time you request consent. If they cannot understand why you collect and use their data, the consent is not valid. In particular, make the following information available to your users:
- Information on the collection of data
- Information on the purpose of data collection, use, or disclosure
- Description of the type of personal information that is being collected, used, or disclosed
- Information on how data subjects can exercise their PIPEDA rights
- Information on the data being made available to related organizations, such as subsidiaries
- Information on your policies and practices of data management
- The name and contact information of the persons responsible for compliance with PIPEDA in the organization.
What Rights Do My Website Visitors Or Product Users Have?
Your website visitors or product users have the right, upon request, to:
- Be informed about the data you collect, use, or disclose
- Access their data
- Correct the data
- Withdraw the consent and opt-out from use or disclosure of data
- Address a challenge to your compliance with PIPEDA
Make sure you provide your users with a means to request and obtain any of this information. You can do so through a contact form on the website, an email address, or another channel.
Do My Visitors Have The Right To Be Forgotten Under PIPEDA?
PIPEDA does not specifically prescribe a right to be forgotten. However, if a user withdraws their consent and opts out of the use and disclosure of their data, you should delete their data, because there is no longer any basis to keep it.
How Can Users Address A Challenge Of Our Compliance With PIPEDA?
You need to establish procedures that let your users challenge your compliance with PIPEDA. This may be as simple as providing them with a contact form for submitting the challenge. Keep in mind that every organization is obliged to investigate every single challenge it receives.
Can We Transfer Personal Data Abroad Freely?
There are no specific restrictions on transferring personal data abroad, but the law holds you accountable for anything that goes wrong with the transferred data. Therefore, it is in your best interest to transfer data only to organizations and countries with adequate levels of data protection.
What Should We Do In Case Of A PIPEDA Data Breach?
As soon as you learn about the breach, you have to notify the Commissioner and the data subjects whose data has been breached. The notification must be made in the prescribed form.
In addition, you have to notify any other body that could reduce the harm, and keep records of the breach for 24 months.
Do We Need A Data Protection Officer?
You need to designate a person in your organization to take care of your compliance with PIPEDA and its principles. PIPEDA does not call this person a DPO, but their role is similar to that of the DPO under other laws.
How Can I Make Our Organization Canada PIPEDA Compliant?
Your organization will be PIPEDA-compliant if you successfully implement all 10 principles of the law.