The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's main private-sector privacy law.
Compliance with PIPEDA is essential for private sector organizations operating in Canada. Violation of PIPEDA can lead to a court action brought by individuals or by the Office of the Privacy Commissioner (OPC).
This overview of PIPEDA will give you a clear understanding of your obligations under this important law.
- 1. Who is Covered by PIPEDA?
- 1.1. What Counts as a Private Sector Organization?
- 1.2. Does PIPEDA Apply to Non-Canadian Businesses?
- 1.3. Does PIPEDA Apply Across the Whole of Canada?
- 2. PIPEDA's Ten Fair Information Principles
- 3. What is Personal Information Under PIPEDA?
- 4. What is Valid Consent Under PIPEDA?
- 4.1. Express vs. Implied Consent
- 4.2. Consent Under Canada's Anti-Spam Legislation (CASL)
- 4.3. The OPC's Seven Guiding Principles for Meaningful Consent
- 6. What Rights Do Canadians Have Over Their Personal Information?
- 6.1. Right to Access
- 6.1.1. Exemptions to the Right to Access
- 6.2. Right to Correction/Limited Right to Deletion
- 7. Summary
Who is Covered by PIPEDA?
PIPEDA applies to "private sector organizations." Public sector organizations must comply with a different Canadian law, the Privacy Act.
PIPEDA does not normally apply to nonprofits. However, there are circumstances under which the activities of nonprofits are covered by PIPEDA.
What Counts as a Private Sector Organization?
PIPEDA considers a "private sector organization" to be an organization or person engaged in "commercial activity."
Here's how PIPEDA defines "commercial activity:"
Some organizations sit between the "private" and "public" sector. In such cases, the Canadian courts and the Office of the Privacy Commissioner (OPC) may decide that the organization is covered by PIPEDA.
For example, the following organizations and people were deemed to fall under PIPEDA:
- A daycare center even though it received government funding
- A non-profit that was engaged in commercial activity
- A public-sector doctor undertaking an examination for an insurance company
This means that if a non-profit or semi-public organization collects personal information in the course of conducting commercial activity, it will need to comply with PIPEDA's rules in respect of that personal information.
Does PIPEDA Apply to Non-Canadian Businesses?
Yes. Much like other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), PIPEDA applies to companies operating in its jurisdiction regardless of where the company is based.
This is known as "extraterritorial application."
While there has been some debate about the extraterritorial application of PIPEDA, there have been several occasions recently on which the Act has been applied to foreign businesses.
The OPC states that non-Canadian companies with "a real and substantial connection to Canada" must comply with PIPEDA. And in 2017, Canada's Federal Court applied PIPEDA to a Romanian company with no physical presence in Canada.
Does PIPEDA Apply Across the Whole of Canada?
Several Canadian provinces have privacy laws that are "substantially similar" to PIPEDA. Some private-sector organizations in these provinces are exempt from PIPEDA, so long as they comply with provincial privacy law. They include:
- Alberta: Personal Information Privacy Act (PIPA)
- British Columbia: Personal Information Protection Act (PIPA)
- Quebec: Act Respecting the Protection of Personal Information in the Private Sector
Healthcare providers in certain provinces also follow laws that override PIPEDA with respect to health data:
- Ontario: Personal Health Information Protection Act
- New Brunswick: Personal Health Information Custodians in New Brunswick Exemption Order
- Newfoundland and Labrador: Personal Health Information Custodians in Newfoundland and Labrador Exemption Order
- Nova Scotia: Personal Health Information Act
There are exceptions to these exemptions. Regardless of the province in which they are based, the following types of organizations must comply with PIPEDA:
- Private-sector organizations that handle personal information that crosses provincial or national borders
- Federally-regulated organizations, for example:
  - Airports and airlines
  - National and international transportation companies
  - Offshore drilling operations
  - Radio and TV broadcasters
  - Telecommunications companies
PIPEDA's Ten Fair Information Principles
PIPEDA is constructed around ten "fair information principles." Private-sector organizations must adhere to these principles at all times.
Here's a brief overview of the ten principles:
- Accountability: You are responsible for any personal information you control. You must appoint someone who is accountable for PIPEDA compliance (often known as a "Privacy Officer").
- Identifying Purposes: You must identify the purposes for which you are collecting personal information, before or at the time of collection.
- Consent: Where appropriate, you must obtain consent for the collection, use, or disclosure of personal information.
- Limiting Collection: You must only collect the amount of personal information that is necessary for the identified purposes for which you are collecting it.
- Limiting Use, Disclosure, and Retention: You may only use or share personal information for the purposes for which it was collected (unless you have consent or you are legally obliged to use or share it for another purpose). You must not store personal information for longer than necessary.
- Accuracy: Personal information must be accurate, complete, and up-to-date.
- Safeguards: You must take appropriate security measures to protect personal information.
- Individual Access: Individuals have the right to access and correct their personal information.
- Challenging Compliance: Individuals must be able to challenge your compliance with PIPEDA by making a complaint.
What is Personal Information Under PIPEDA?
PIPEDA defines personal information as "information about an identifiable individual."
The Canadian authorities generally apply a broad interpretation of this definition. This means that businesses must apply PIPEDA's protections to many different types of data.
Here are some examples of personal information from the OPC:
The OPC also considers that the following types of data can be "personal information:"
- IP addresses: Bear this in mind if you log the IP addresses of visitors to your website.
- Cookie data: This has implications for behavioral advertising campaigns.
- Device identifiers: These can be collected by mobile apps.
What is Valid Consent Under PIPEDA?
Under certain circumstances, you will need to obtain the consent of an individual before you can collect, use, or share their personal information. Since the GDPR introduced stricter consent requirements, what counts as valid consent has changed around the world.
Here's the definition of "valid consent," at Section 6.1 of PIPEDA:
Under PIPEDA, it's particularly important to provide consumers with clear information about what they are consenting to.
Express vs. Implied Consent
PIPEDA recognizes two forms of consent:
- Express consent (also known as "opt-in" consent): The individual actively agrees to something. For example, they tick a box labeled "I agree."
- Implied consent (also known as "opt-out" consent): The individual is offered the opportunity to refuse something, and they do not refuse. For example, they are presented with a pre-ticked box labeled "I agree" and they do not untick it.
According to the OPC, you must obtain express consent when:
- The personal information is sensitive.
  - PIPEDA doesn't contain a clear list of sensitive personal information. Take a cautious approach: financial, health, or biometric information is probably sensitive in most contexts.
- Your intended use of the personal information might fall outside of individuals' reasonable expectations.
  - Activities such as sharing information for marketing purposes, accessing contact lists, or tracking location might be unexpected in certain contexts.
- There is a "meaningful residual risk of significant harm."
  - Considering the sensitivity of the personal information and your intended uses of the personal information, how serious is the risk of harm to the individual's rights, reputation, or material circumstances?
You may be able to rely on implied consent in situations that don't meet this threshold.
Consent Under Canada's Anti-Spam Legislation (CASL)
Consent in Canadian privacy law is also governed by a separate law called Canada's Anti-Spam Legislation (CASL).
It's important to get to know this law if you plan on engaging in direct marketing via electronic means (such as email).
CASL allows businesses to send direct marketing emails if they have an individual's implied consent. There are three circumstances in which implied consent arises.
- You have an "active business relationship" with the individual.
  - The individual has made a purchase within the past two years, or
  - The individual has expressed an interest in your business in the past six months
- You have an "active non-business relationship" with the individual. This applies to nonprofits such as clubs and charities.
  - The individual has made a donation or membership payment within the past two years, or
  - The individual has expressed an interest in your organization in the past six months
- The individual's email address is available in the public domain or has been shared with you.
  - You can only send direct marketing that is related to the individual's business or their interests.
  - You can't send an individual direct marketing if you know they don't want to receive it.
Here's an example from Ocean Elements that appears to meet the standard for implied consent:
You must let individuals opt out of direct marketing once you have their implied consent, for example via an "unsubscribe" link.
The OPC's Seven Guiding Principles for Meaningful Consent
PIPEDA emphasizes that you must ensure individuals understand what they are consenting to.
The OPC provides seven principles that businesses should apply when obtaining consent. These are relevant whether you're collecting consent via an "opt in" or "opt out" mechanism.
- Emphasize key elements. When requesting consent, provide clear information about:
  - What personal information you are collecting
  - Who you might share the personal information with
  - Your purposes for collecting, using, and sharing the personal information
  - Any meaningful risks of harm that might occur as a result of the collection
- Allow individuals to control the level of detail they get and when. Take a "layered" approach. Provide a summary of the four key elements above at the point of collection, together with a link to more detailed information.
- Provide individuals with clear options to say "yes" or "no." Make sure the individual has a simple choice.
- Be innovative and creative. Use technological solutions that make it easier to accept, reject, or withdraw consent, such as:
  - "Just-in-time" notices: Request consent at the most appropriate time. If your mobile app uses a location permission, don't request this on installation or account setup. Request it when your app needs it.
  - Interactive tools: Consider using walkthroughs, videos, and infographics to explain your privacy settings.
  - Customized mobile interfaces: Integrate privacy controls or a privacy dashboard into the settings of your mobile app.
- Consider the consumer's perspective. Think about how you can make it easier for individuals to provide meaningful consent. Consider running pilots of new consent solutions, and consulting with your customers and/or privacy experts.
- Be accountable: Stand ready to demonstrate compliance. You must be able to demonstrate that you have taken steps to request consent in a meaningful, PIPEDA-compliant way.
- Contact details of the person accountable for your policies (e.g. your Privacy Officer)
- Details about how to exercise the right of access
- A description of the personal information you hold and an explanation of what you use it for
- A copy of any other information that explains your policies
- An explanation of what personal information you make available to related organizations, such as subsidiaries
Here's the list as it appears in PIPEDA, at Section 4.8.2:
This is quite a short list compared to many other privacy laws.
What Rights Do Canadians Have Over Their Personal Information?
Compared to other privacy laws such as the GDPR and the California Consumer Privacy Act (CCPA), PIPEDA's personal information rights are quite limited.
This part of PIPEDA is likely to be expanded in the future. For more information, see our article Canada's New Digital Charter and Changes to PIPEDA.
Right to Access
PIPEDA provides individuals with the right to access the personal information you hold about them.
An access request must be made in writing. Upon receiving a request under the right to access, you must be prepared to:
- Confirm whether you have the requested information
- Explain how you have used the information
- Provide a list of anyone with whom the information has been shared
- Provide a copy of the information in an accessible format, and make alternative formats available for people with disabilities
You must fulfill the request:
- As soon as possible, within 30 calendar days at the latest. An extension of an additional 30 calendar days is available in exceptional circumstances, such as when:
  - Responding on time would present an unreasonable interference with your business activities
  - You are making consultations regarding the request and this has caused a delay
  - You need to provide the information in an alternative format and this has caused a delay
- For free, unless it would be reasonable to charge a small fee. In this case, you must provide an estimate and ensure the individual is happy to proceed.
Exemptions to the Right to Access
Under certain circumstances, you may be exempt (or prohibited) from fulfilling an access request.
There are six main exemptions to the right of access. You may not be required or permitted to provide the personal information if to do so would:
- Breach solicitor (attorney)-client privilege
- Reveal confidential commercial information
- Threaten life or security
Or, if the personal information requested was:
- Collected in the context of "an investigation of a breach of an agreement or a contravention of the laws of Canada or a province" (you must inform the OPC if you refuse a request on this basis)
- Generated as part of a dispute-resolution process
- Created for the purposes of the Public Servants Disclosure Protection Act (the "whistleblowing law")
Here are the exemptions in full:
Item (c.1) above refers to paragraph 7(1)(b). Here's that paragraph in full:
If you refuse an access request, you must:
- Explain your reasons to the individual, and
- Let them know that they can make a complaint to the OPC
There is one further partial exemption to the right of access. Sometimes a data set will contain multiple individuals' personal information. If providing the personal information would expose another individual's personal information, you should either:
- Omit the other individual's personal information from the data set, or
- Refuse the request (if omitting the other personal information is not possible)
Right to Correction/Limited Right to Deletion
If an individual can demonstrate that the personal information you hold on them is inaccurate, they can request that you correct it or delete it.
If you agree to correct or delete an individual's personal information, you may need to notify any third parties with whom you have shared the personal information.
Summary
Private-sector organizations must understand their obligations under PIPEDA to ensure they avoid legal and reputational consequences of non-compliance.
- Check whether you need to comply with PIPEDA or other provincial laws.
- Implement PIPEDA's ten principles.
- Understand what personal information you hold.
- Collect consent in a way that complies with PIPEDA and CASL.
- Be prepared to provide access to individuals' personal information.