Learn About PIPEDA and Website Compliance

What is PIPEDA?

What Does PIPEDA Stand For?

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is Canada’s federal law on personal data protection. Since its enactment in April 2000, PIPEDA has been amended multiple times to make it the comprehensive online privacy law, aligned with most current privacy legislation trends, that it is now.

What are the PIPEDA Principles?

PIPEDA relies on ten principles:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limited Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

Through the answers to the following questions, we will present you with the way PIPEDA implements these principles in practice.

How does PIPEDA compare to GDPR and CCPA?

Although PIPEDA has its own specifics, it unavoidably resembles other privacy laws. The most recent data protection laws are aimed at international businesses, hence many of them share similarities.

The Canadian federal law is very similar to the GDPR, so if you are already compliant with it, you may comply with the PIPEDA easily.

If your business focus is not on Europe, but on North America, and you are CCPA-compliant, you’ll have to put some effort into getting compliant with the Canadian PIPEDA.

Do we need to be compliant with Canada’s provinces’ data protection laws?

Yes, you have to comply with provincial privacy laws, too. Certain collection, use, or disclosure of data can be exempt from compliance with PIPEDA and subject only to the provincial law, but only if:

  • Your business operates in that province and
  • You collect, use, or disclose personal information of citizens only from that province
  • You collect, use, or disclose personal information only within the province.

In short – only if the data does not leave the province. Only the provinces of Alberta, British Columbia, and Quebec have data protection laws. They are all substantially similar to the PIPEDA, so compliance with the federal law means compliance with the province law as well.

Who does PIPEDA apply to?

PIPEDA applies to:

  • Canadian organizations that collect, use, or disclose personal information for commercial purposes
  • Foreign organizations that collect, use, or disclose personal information of Canadian citizens for commercial purposes.

Although the law itself does not explicitly mention its application to foreign companies, the penalties that some of them have received in the past are a clear signal that they have to comply with it. Foreign companies have to comply with PIPEDA as soon as they get in touch with their first Canadian user.

If you are a Canadian business, then the necessity to comply with PIPEDA is a no-brainer.


Who enforces PIPEDA?

The Office of the Privacy Commissioner and the Federal Court enforce Canada’s PIPEDA. The Commissioner will investigate the case and produce a report with the findings. The complainant can use the report in court.

What are the penalties?

The court may impose penalties of up to CAD 100,000 on entities that have violated the law. Remember that the Commissioner may at any time audit your data protection management practices.

What is personal data?

PIPEDA defines personal data as any information that could identify an individual. This includes, but is not limited to, name, email address, phone number, ethnic origin, ID number, blood type, loan records, intentions, social status, and others.

Do I have to collect consent for collecting or processing personal data?

In short – it depends on the circumstances, but you had better obtain it. If you use the most common tracking technologies and you want to automate consent management, then obtaining explicit consent is the safe way to go.

In any case, you have to obtain “meaningful consent”. It may mean both implicit and explicit consent.

You have to collect explicit consent if the data you collect or use is:

  • Sensitive
  • Outside of the reasonable expectations of the user or
  • May cause significant harm.

In all other cases, implicit consent is enough. If you rely on implied consent, though, you have to be aware of Canada’s anti-spam law. It strictly prohibits sending commercial content to users without explicitly obtaining their consent.

It is important to note that sometimes non-sensitive data may be considered sensitive in certain circumstances. The reasonable expectations of the user change from situation to situation, too. There is no clear line between the requirements for implicit and explicit consent.

If there is any possibility of collecting, using or disclosing sensitive data, such as ethnicity, religious views, sexual orientation, financial information, health information, or other sensitive data, make sure you obtain explicit consent.

Social media cookies, in particular, often collect sensitive data. If you are using any of them, then obtaining explicit consent is the safe way to go.

In addition, you must not use or process their data for purposes other than those for which the consent has been given. If you have obtained consent for one purpose, but now you want to use the data for another purpose, you have to request consent again.

Also, you are required to inform your users about the purpose of data collection and use at the time of requesting consent. If they cannot understand why you collect and use their data, the consent is not valid.

What is a Canada PIPEDA-compliant privacy policy?

Your privacy policy is PIPEDA-compliant if it contains at least the following:

  • Information on the collection of data
  • Information on the purpose for data collection, use, or disclosure
  • Description of the type of the personal information that is being collected, used, or disclosed
  • Information on how data subjects can exercise their PIPEDA rights
  • Information on the data being made available to related organizations, such as subsidiaries
  • Information on your policies and practices of data management
  • The name and contact information of the persons responsible for compliance with PIPEDA in the organization.

Although having a privacy policy is by far the most practical way to provide data subjects with this information, it is important to note that you are free to choose the method of informing them as long as you provide them with the information listed here.

What rights do my website visitors or product users have?

Your website visitors or product users have the right, upon request, to:

  • Be informed about the data you collect, use, or disclose
  • Access their data
  • Correct the data
  • Withdraw their consent and opt out of the use or disclosure of data
  • Address a challenge to your compliance with PIPEDA

Make sure to provide your users with the means to request and get any of this information. You can do it through a contact form on the website, through an email address, or by other means.


Do my users have the right to be forgotten under PIPEDA?

PIPEDA does not specifically prescribe the right to be forgotten. However, if the user withdraws their consent and opts out of the use and disclosure of their data, then you should delete their data because there is no basis to keep it anymore.

How can users address a challenge of our compliance with PIPEDA?

You need to establish procedures for letting your users challenge your compliance with PIPEDA. It may be as simple as providing them a contact form for sending you the challenge. Keep in mind that every organization is obliged to investigate every single challenge they receive.

Can we transfer personal data abroad freely?

There are no specific restrictions on transferring personal data abroad, but the law holds you accountable for anything that could go wrong with such transferred data. Therefore, it is in your best interest to transfer data only to organizations and countries with adequate levels of data protection.

What should we do in case of a PIPEDA data breach?

As soon as you learn about the breach, you have to notify the Commissioner and the data subjects whose data has been breached. The notification must be made in the prescribed form.

In addition, you have to notify any other body that could alleviate the harm, and keep records of the breach for 24 months.

Do we need a Data Privacy Officer?

You need to designate a person in your organization to take care of your compliance with PIPEDA and its principles. This person is not called a DPO, but their role is similar to that of the DPO under other laws.


How can I make our organization Canada PIPEDA-compliant?

Your organization will be PIPEDA-compliant if you successfully implement all 10 principles of the law.

In short, you should start by putting in place a PIPEDA-compliant privacy policy, ensuring that the data is properly safeguarded, obtaining valid consent, and providing data subjects with the means to exercise their privacy rights.

How do I make a website PIPEDA-compliant?

Having a PIPEDA-compliant website means that you have taken the necessary measures to protect your users’ privacy before anything goes wrong with their data that you have collected or processed. Being proactive is the way to go toward compliance.

Start by figuring out what the requirements are, assess your risks, and implement the required measures. Ensure that you apply all the PIPEDA principles in your online business activities. As a minimum, you need a PIPEDA-compliant privacy policy and a consent management solution.

Is our website affected by PIPEDA?

Your website is affected by the PIPEDA if:

  • Your business is based in Canada and you collect or process personal data from people from Canada or anywhere in the world
  • Your business is based anywhere in the world and you collect or process personal data of Canadian citizens for commercial purposes.


Are you aware of what trackers you have on your website?

Tracking technologies are often necessary for businesses that operate online. Making decisions based on data is impossible without them. Therefore, most website owners opt for using them. If you have installed any plugins on your website, then you may be using them already.

PIPEDA and other data protection laws aim to regulate tracking technologies to prevent irresponsible use of data, so they impose certain obligations on website owners. Fulfilling these obligations requires you to be aware of the data trackers your website uses and to bring them into compliance with PIPEDA.

If you are wondering what trackers your website uses, feel free to use our free tool to audit your website. It will provide you with the results in less than 5 minutes at no cost at all.

Are you gathering consent the right way?

Consent may be given in various forms, but obtaining it must meet the following requirements:

  • The user must be informed that their data is being collected and will be used or disclosed and
  • The user must be informed about the purpose of collection and processing of data.

Are your privacy banners affirmative?

In most cases implied consent is not valid under the Canada PIPEDA. Implied consent is when you have a banner stating that you use cookies and that by staying on your website the visitor agrees to them. That’s simply not enough in most cases.

Instead, you should opt for affirmative cookie banners. They should serve the purpose of requesting explicit consent. Explicit consent is provided only if the visitor agrees to the use of cookies by clicking an affirmative button, such as an “Accept” or “Agree” button.


Can users withdraw consent?

Users who have given you consent for collecting and processing their own data may want to withdraw the previously given consent at any point in time. If that happens, you should inform them of the implications of the withdrawal.


Can visitors contact you for exercising their PIPEDA data subject rights?

PIPEDA grants your visitors the right to access or correct data, withdraw the consent, or address a challenge to your PIPEDA compliance. You have to provide them with the tools to contact you to exercise these rights. This may be a contact form on your website, an email address, a phone number, or another communication channel.

Do you have evidence of valid consent?

PIPEDA requires you to keep records of all the collected consents. Aside from being an obligation under the law, it will save you from serious legal troubles if at any point in time you need to prove that you collect data on the basis of obtained consent.

Have you updated your data and privacy policies?

Chances are that you have a privacy policy in place already, but have you updated it in line with PIPEDA? Canada’s federal data protection law prescribes certain elements that each privacy policy must contain. It is impossible to comply with the law if your privacy policy is not compliant.


Have you cleaned up your mailing lists?

If you’ve just realized that PIPEDA applies to you, but you have mailing lists with contacts from whom you have not obtained consent, or have not obtained it for the right purpose, then it is about time to clean them. Keeping those email addresses on your lists may bring trouble with the law in the future.

Are you collecting too much information?

If you collect personal information that is not necessary for your processing purposes, then you are collecting too much of it. PIPEDA, as well as other personal data protection laws you may comply with, requires data minimization, which means collecting only the minimum necessary information.