What is PIPEDA?
Are you aware of what PIPEDA is, and who it applies to? Read all about what PIPEDA stands for, PIPEDA penalties, and what to do in case of data breach.
What Does PIPEDA Stand For?
PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is Canada’s federal law on personal data protection. Since its enactment in April 2000, PIPEDA has been amended several times to keep this comprehensive privacy law aligned with current privacy legislation trends.
What Are PIPEDA Principles?
- Identifying Purposes
- Limiting Collection
- Limited Use, Disclosure, and Retention
- Individual Access
- Challenging Compliance
Through the answers to the following questions, we will present you with the way PIPEDA implements these principles in practice.
How Does PIPEDA Compare To GDPR And CCPA?
Although PIPEDA has its own specifics, it unavoidably resembles other privacy laws. The most recent data protection laws target international businesses, so they share many similarities.
If your business focus is not on Europe, but on North America, and you are CCPA-compliant, you’ll have to put some effort into getting compliant with the Canadian PIPEDA.
Do We Need To Be Compliant With Canadian Provinces' Data Protection Laws?
Yes, you have to comply with provincial privacy laws, too. Certain collection, use, or disclosure of data can be exempt from PIPEDA and subject only to the provincial law, but only if:
- Your business operates in that province,
- You collect, use, or disclose personal information of residents of that province only, and
- You collect, use, or disclose personal information only within the province.
In short, only if the data does not leave the province. Only the provinces of Alberta, British Columbia, and Quebec have their own data protection laws. They are all substantially similar to PIPEDA, so compliance with the federal law means compliance with the provincial law as well. Read about Canada's newly proposed Consumer Privacy Protection Act (CPPA).
Who Does PIPEDA Apply To?
PIPEDA applies to:
- Canadian organizations that collect, use, or disclose personal information for commercial purposes
- Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.
Although the law itself does not explicitly mention its application to foreign companies, the penalties some of them have received in the past are a clear signal that they have to comply with it. Foreign companies have to comply with PIPEDA as soon as they get in touch with their first Canadian user.
If you are a Canadian business, then the necessity to comply with PIPEDA is a no-brainer.
Who Enforces PIPEDA?
The Office of the Privacy Commissioner of Canada and the Federal Court enforce PIPEDA. The Commissioner investigates the case and produces a report with the findings. The complainant can then use that report in court.
What Are The Penalties?
The court may impose penalties of up to CAD 100,000 on entities that have violated the law. Remember that the Commissioner may audit your data protection management practices at any time.
What Is Personal Data?
PIPEDA defines personal data as any information that could identify an individual. This includes, but is not limited to: name, email address, phone number, ethnic origin, ID number, blood type, loan records, intentions, social status, and others.
Do I Have To Collect Consent For Collecting Or Processing Personal Data?
In short, it depends on the circumstances, but you are better off obtaining it. If you use the most common tracking technologies and want to automate consent management, then obtaining explicit consent is the safe way to go.
In any case, you have to obtain “meaningful consent”. This can be either implied or explicit consent.
You have to collect explicit consent if the data you collect or use is:
- Outside of the reasonable expectations of the user or
- May cause significant harm.
In all other cases, implied consent is enough. If you rely on implied consent, though, you have to be aware of Canada's anti-spam law, which strictly prohibits sending commercial content to users without explicitly obtaining their consent.
It is important to note that non-sensitive data may be considered sensitive in certain circumstances. The reasonable expectations of the user also change from situation to situation. There is no clear line between the requirements for implied and explicit consent.
If there is any possibility of collecting, using or disclosing sensitive data, such as ethnicity, religious views, sexual orientation, financial information, health information, or other sensitive data, make sure you obtain explicit consent.
Social media cookies, in particular, often collect sensitive data. If you are using any of them, then obtaining explicit consent is the safe way to go. Check out how to have a PIPEDA-compliant cookie banner.
In addition, you must not use or process users' data for purposes other than those for which consent has been given. If you have obtained consent for one purpose but now want to use the data for another purpose, you have to request consent again.
Also, you are required to inform your users about the purpose of data collection and use at the time of requesting consent. If they cannot understand why you collect and use their data, the consent is not valid. Make the following information available to them:
- Information on the collection of data
- Information on the purpose of data collection, use, or disclosure
- Description of the type of personal information that is being collected, used, or disclosed
- Information on how data subjects can exercise their PIPEDA rights
- Information on the data being made available to related organizations, such as subsidiaries
- Information on your policies and practices of data management
- The name and contact information of the persons responsible for compliance with PIPEDA in the organization.
What Rights Do My Website Visitors Or Product Users Have?
Your website visitors or product users have the right, upon request, to:
- Be informed about the data you collect, use, or disclose
- Access their data
- Correct the data
- Withdraw the consent and opt-out from use or disclosure of data
- Address a challenge to your compliance with PIPEDA
Make sure you provide your users with a means to request and obtain any of this information. You can do it through a contact form on the website, through an email address, or by other means.
Do My Visitors Have The Right To Be Forgotten Under PIPEDA?
PIPEDA does not specifically prescribe a right to be forgotten. However, if a user withdraws their consent and opts out of the use and disclosure of their data, you should delete their data because there is no longer any basis to keep it.
How Can Users Address A Challenge Of Our Compliance With PIPEDA?
You need to establish procedures that let your users challenge your compliance with PIPEDA. It may be as simple as providing them with a contact form for submitting the challenge. Keep in mind that every organization is obliged to investigate every single challenge it receives.
Can We Transfer Personal Data Abroad Freely?
There are no specific restrictions on transferring personal data abroad, but the law holds you accountable for anything that could go wrong with the transferred data. Therefore, it is in your best interest to transfer data only to organizations and countries with adequate levels of data protection.
What Should We Do In Case Of A PIPEDA Data Breach?
As soon as you learn about the breach, you have to notify the Commissioner and the data subjects whose data has been breached. The notification must be made in the prescribed form.
In addition, you have to notify any other body that could mitigate the harm, and keep records of the breach for 24 months.
Do We Need A Data Protection Officer?
You need to designate a person in your organization to take care of your compliance with PIPEDA and its principles. This person is not called a DPO, but their role is similar to that of the DPO under other laws.
How Can I Make Our Organization Canada PIPEDA Compliant?
Your organization will be PIPEDA-compliant if you successfully implement all 10 principles of the law.