November 9, 2021

What is PIPEDA?

Are you aware of what PIPEDA is and who it applies to? Read all about what PIPEDA stands for, PIPEDA penalties, and what to do in case of a data breach.

What Does PIPEDA Stand For?

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is Canada’s federal law on personal data protection. Since its enactment in April 2000, PIPEDA has been amended multiple times to keep this comprehensive privacy law aligned with current privacy legislation trends.

What Are PIPEDA Principles?

PIPEDA relies on ten principles:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limited Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

The answers to the following questions show how PIPEDA puts these principles into practice.

How Does PIPEDA Compare To GDPR And CCPA?

Although PIPEDA has its own specifics, it unavoidably resembles other privacy laws. The most recent data protection laws are aimed at international businesses, so many of them share similarities.

The Canadian federal law is very similar to the GDPR, so if you are already compliant with the GDPR, you may be able to comply with PIPEDA easily.

If your business focuses on North America rather than Europe and you are CCPA-compliant, you will still have to put some effort into becoming compliant with the Canadian PIPEDA.

Do We Need To Be Compliant With Canadian Provinces' Data Protection Laws?

Yes, you have to comply with provincial privacy laws, too. Certain collection, use, or disclosure of data can be exempt from PIPEDA and subject only to the provincial law, provided that:

  • Your business operates in that province, and
  • You collect, use, or disclose personal information only of citizens of that province, and
  • You collect, use, or disclose personal information only within the province.

In short - only if the data does not leave the province. Only the provinces of Alberta, British Columbia, and Quebec have data protection laws. They are all substantially similar to PIPEDA, so compliance with the federal law means compliance with the provincial law as well. Read about Canada's newly proposed Consumer Privacy Protection Act - CPPA.

Who Does PIPEDA Apply To?

PIPEDA applies to:

  • Canadian organizations that collect, use, or disclose personal information for commercial purposes
  • Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.

Although the law itself does not explicitly mention its application to foreign companies, the penalties that some of them have received in the past are a clear signal that they have to comply with it. Foreign companies have to comply with PIPEDA as soon as they acquire their first Canadian user.

If you are a Canadian business, then the necessity to comply with PIPEDA is a no-brainer.

Who Enforces PIPEDA?

The Office of the Privacy Commissioner of Canada and the Federal Court enforce PIPEDA. The Commissioner investigates the case and produces a report with the findings. The complainant can then use the report in court.


What Are The Penalties?

The court may impose penalties of up to CAD 100,000 on entities that have violated the law. Remember that the Commissioner may audit your data protection management practices at any time.

What Is Personal Data?

PIPEDA defines personal data as any information that could identify an individual. This includes, but is not limited to, name, email address, phone number, ethnic origin, ID number, blood type, loan records, intentions, social status, and more.

Do I Have To Collect Consent For Collecting Or Processing Personal Data?

In short - it depends on the circumstances, but you had better obtain it. If you use the most common tracking technologies and want to automate consent management, then obtaining explicit consent is the safe way to go.

In any case, you have to obtain “meaningful consent”. This can be either implicit or explicit consent.

You have to collect explicit consent if the data you collect or use is:

  • Sensitive
  • Outside of the reasonable expectations of the user or
  • May cause significant harm.

In all other cases, implicit consent is enough. If you rely on implied consent, though, be aware of Canada's anti-spam legislation, which strictly prohibits sending commercial content to users without explicitly obtaining their consent.

It is important to note that non-sensitive data may be considered sensitive in certain circumstances. The reasonable expectations of the user also change from situation to situation. There is no clear line between the requirements for implicit and explicit consent.

If there is any possibility of collecting, using or disclosing sensitive data, such as ethnicity, religious views, sexual orientation, financial information, health information, or other sensitive data, make sure you obtain explicit consent.

Social media cookies, in particular, often collect sensitive data. If you are using any of them, then obtaining explicit consent is the safe way to go. Check out how to have a PIPEDA-compliant cookie banner.

In addition, you must not use or process users' data for purposes other than those for which consent has been given. If you have obtained consent for one purpose but now want to use the data for another purpose, you have to request consent again.

Also, you are required to inform your users about the purpose of data collection and use at the time you request consent. If they cannot understand why you collect and use their data, the consent is not valid.

What Is A Canada PIPEDA Compliant Privacy Policy?

Your privacy policy is PIPEDA-compliant if it contains at least the following:

  • Information on the collection of data
  • Information on the purpose of data collection, use, or disclosure
  • Description of the type of personal information that is being collected, used, or disclosed
  • Information on how data subjects can exercise their PIPEDA rights
  • Information on the data being made available to related organizations, such as subsidiaries
  • Information on your policies and practices of data management
  • The name and contact information of the persons responsible for compliance with PIPEDA in the organization.

Although a privacy policy is by far the most practical way to provide data subjects with this information, you are free to choose the method of informing them, as long as you provide them with the information listed here.

What Rights Do My Website Visitors Or Product Users Have?

Your website visitors or product users have the right, upon request, to:

  • Be informed about the data you collect, use, or disclose
  • Access their data
  • Correct the data
  • Withdraw the consent and opt-out from use or disclosure of data
  • Address a challenge to your compliance with PIPEDA

Make sure you provide your users with a means to request and obtain any of this information. You can do so through a contact form on the website, an email address, or another channel.

Do My Visitors Have The Right To Be Forgotten Under PIPEDA?

PIPEDA does not specifically prescribe a right to be forgotten. However, if a user withdraws their consent and opts out of the use and disclosure of their data, you should delete their data, because there is no longer any basis to keep it.

How Can Users Address A Challenge Of Our Compliance With PIPEDA?

You need to establish procedures that let your users challenge your compliance with PIPEDA. This may be as simple as providing them with a contact form for submitting the challenge. Keep in mind that every organization is obliged to investigate every single challenge it receives.

Can We Transfer Personal Data Abroad Freely?

There are no specific restrictions on transferring personal data abroad, but the law holds you accountable for anything that could go wrong with the transferred data. Therefore, it is in your best interest to transfer data only to organizations and countries with adequate levels of data protection.

What Should We Do In Case Of A PIPEDA Data Breach?

As soon as you learn about the breach, you have to notify the Commissioner and the data subjects whose data has been breached. The notification must be made in the prescribed form.

In addition, you have to notify any other body that could mitigate the harm, and keep records of the breach for 24 months.

Do We Need A Data Protection Officer?

You need to designate a person in your organization to take care of your compliance with PIPEDA and its principles. This person is not called a DPO, but their role is similar to that of the DPO under other laws.

How Can I Make Our Organization Canada PIPEDA Compliant?

Your organization will be PIPEDA-compliant if you successfully implement all ten principles of the law.

In short, you should start by putting in place a PIPEDA-compliant privacy policy, ensuring that the data is properly safeguarded, obtaining valid consent, and providing data subjects with a means to exercise their privacy rights.
