- 1.1. What is Personal Information?
- 1.2. The Personal Information Protection and Electronic Documents Act (PIPEDA)
- 1.3. Protection of Personal Information Principles
- 1.3.1. Accountability
- 1.3.2. Identifying Purposes
- 1.3.3. Getting Consent
- 1.3.4. Limiting Collection of Information
- 1.3.5. Limiting Use, Disclosure, and Retention of Information
- 1.3.6. Accuracy
- 1.3.7. Safeguards
- 1.3.8. Openness
- 1.3.9. Individual Access
- 1.3.10. Challenging Compliance
- 2. The Personal Information Protection Act (PIPA)
- 3. The Freedom of Information and Protection of Privacy Act (FIPPA)
- 4. Quebec's Privacy Act
- 5.1. Your Contact Information
- 5.2. What Types of Information You Collect, and How
- 5.3. What You Do With the Information You Collect
- 5.4. Security Measures
- 5.5. How Users Can Access Their Information
- 5.6. Who You Share Information With
- 6.1. Website Footer
- 6.2. Checkout Page
- 6.3. Account Login Page
- 6.4. App Listing/Download Page
- 8. Summary
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's primary federal privacy law designed to protect Canadian residents' personal data.
Businesses that deal with Canadian residents' personal information should also be aware of other Canadian provincial privacy laws that may apply to them, such as Alberta's Personal Information Protection Act (PIPA), British Columbia's Freedom of Information and Protection of Privacy Act (FIPPA), and Quebec's Privacy Act.
Failure to comply with Canadian privacy laws can result in fines of up to $100,000 per violation.
What is Personal Information?
Personal information is a category of information that can be used on its own or in combination with other information to identify an individual. Personal information includes individuals' names, ages, ID numbers, ethnicity, and health and financial information.
The Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA applies to most private-sector, for-profit businesses in Canada that handle Canadian residents' personal information, as well as federally regulated organizations that do business within Canada, such as airlines, banks, and telecommunications companies.
Businesses from countries outside of Canada that collect personal information from or sell goods and services to Canadian residents are also legally obligated to comply with PIPEDA.
Protection of Personal Information Principles
There are 10 principles that businesses need to follow in order to comply with PIPEDA.
1. Accountability
This principle requires that businesses designate an individual to be held accountable for the organization's privacy practices. It also requires businesses to protect the personal information that they collect and use, and to have a process in place for receiving and responding to consumers' questions and concerns.
2. Identifying Purposes
This principle requires a business to inform its consumers why it is collecting their personal information, either before or at the time that it collects the information.
3. Getting Consent
Except under certain medical, legal, or security circumstances, businesses must get consent from consumers before collecting their personal information.
A business must take steps to ensure that consumers are aware of and agree to the purposes for which it is collecting their personal information. Businesses must also allow consumers to withdraw their consent at any time, and should let them know the consequences of removing consent.
4. Limiting Collection of Information
Businesses need to let consumers know what types of personal information they collect and for what purposes, and only collect information for those purposes.
5. Limiting Use, Disclosure, and Retention of Information
This principle requires businesses to use personal information only for the purposes for which it was collected, unless they get consent to use the data for other purposes or are legally required to share the information.
It also requires businesses to keep the information they collect only as long as it is needed to fulfill those purposes. Once a business is finished using personal information, it must destroy or anonymize the data.
6. Accuracy
Businesses must make sure that the personal information they collect is accurate and up to date.
7. Safeguards
Businesses need to keep the personal information they collect safe, and take special care with sensitive personal information. Physical, technical, and organizational security measures should be used to keep collected data secure.
8. Openness
This principle requires businesses to make the following information available to and easily accessible by their consumers:
- The name and address of the individual who is accountable for the personal information the business collects
- How consumers can access their personal information
- What kind of information the business collects and what it is used for
- A copy of any information about the business's policies, standards, or codes
- What information the business shares with its subsidiaries
9. Individual Access
This principle allows consumers to request information about whether a business holds their personal information. Businesses must also allow consumers to access and modify their personal information.
10. Challenging Compliance
Businesses must have processes in place for consumers to request information about or file complaints pertaining to their personal information.
The Personal Information Protection Act (PIPA)
The Personal Information Protection Act (PIPA) is Alberta's privacy law, and applies to for-profit businesses that are provincially regulated, as well as some non-profit organizations.
PIPA was created to protect individuals' personal information, and provide them with access to their personal information. It limits the types and amount of personal information that businesses can collect from consumers, as well as data collection methods.
PIPA also requires businesses to use or disclose the personal information they collect only for "reasonable purposes."
Part 4 of the official text of PIPA explains that a business must let individuals know that it is collecting their personal information either before or at the time of collection, and describes the personal information collection limits the business must abide by:
To comply with PIPA, organizations must get consumers' consent before collecting their personal information, and can only collect personal information essential to doing business.
The Freedom of Information and Protection of Privacy Act (FIPPA)
The Freedom of Information and Protection of Privacy Act (FIPPA) is British Columbia's privacy law, which governs how public bodies treat personal information, and gives individuals the right to access and change their personal information. FIPPA does not apply to private-sector organizations.
FIPPA requires that public bodies (such as provincial agencies, boards, municipalities, and colleges) protect the personal information they collect, and follow rules around how they collect, use, and disclose personal information.
Quebec's Privacy Act
Quebec's Privacy Act is designed to protect individuals' personal information. It requires private-sector organizations to keep the personal information they collect confidential, and only share the information with third parties under specific circumstances.
The act also requires businesses to give individuals access to their personal information.
The table of contents of the Privacy Act includes sections on protecting and collecting personal information, as well as keeping personal information confidential and granting individuals access to their personal information.
Your Contact Information
What Types of Information You Collect, and How
What You Do With the Information You Collect
It's important to inform consumers about how you use the personal information you collect. Notifying consumers about what you do with their personal information is required by PIPEDA's Identifying Purposes and Limiting Use, Disclosure, and Retention principles.
The Royal Bank of Canada's Privacy Principles includes a How We Use Your Information clause that details the purposes for which it collects personal information:
Letting consumers know how you keep their data secure helps you to comply with PIPEDA's Safeguards principle.
How Users Can Access Their Information
Your business needs to have a process in place that allows consumers to access and edit their personal information as desired, as required by PIPEDA's Openness and Accuracy principles.
Who You Share Information With
Letting consumers know what third parties you share their personal information with helps you to comply with PIPEDA's Openness principle.
Here's an example of how this could look:
Account Login Page
McKesson Corporation's customer registration form includes a link to its Privacy Notice, as well as checkboxes that users must tick signifying that they consent to its legal agreements before completing the sign-up process:
App Listing/Download Page
Many businesses put a link to their Privacy Policies on their app download page, giving users the ability to read about their privacy practices before downloading their app.
Canadian federal and provincial privacy laws require businesses that handle personal information to have practices in place for protecting the information they collect.
- What kind of information you collect and how you collect it
- What you do with the information you collect
- How you keep the information you collect safe
- Your contact information
- How individuals can access and change their personal information
- Any third parties you share information with