Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires all businesses to create a Privacy Policy that explains how and why they collect consumers' personal information.

If your business targets Canadian consumers, failing to publish a Privacy Policy could put you in violation of this important privacy law.

In this article, we'll be telling you everything you need to know about creating a PIPEDA-compliant Privacy Policy. We've also put together a Sample PIPEDA Privacy Policy Template that you can use to help write your own.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



About PIPEDA

First, we'll take a brief look at PIPEDA so you can check if you need to create a Privacy Policy under this law. If you already know you need to comply with PIPEDA, you can skip ahead to our guide about how to create your Privacy Policy.

What is PIPEDA?

PIPEDA is Canada's main private-sector privacy law. It set rules about how businesses collect, process, and share the personal information of people in Canada.

Who Needs to Comply with PIPEDA?

PIPEDA applies to businesses and other private-sector organizations such as charities engaged in "commercial activity." The term "commercial activity" is defined at Section 2 (1) of PIPEDA:

Govt of Canada: Justice Laws Website - PIPEDA: Definition of commercial activity clause

Nonprofits and organizations that are partially publicly-funded can engage in commercial activity, and they must comply with PIPEDA when doing so.

Do Non-Canadian Businesses Need to Comply with PIPEDA?

Yes, according to the Office of the Privacy Commissioner (OPC), the public authority that enforces Canadian privacy law, non-Canadian companies do have to comply with PIPEDA if they have any "real and substantial link to Canada."

This means that if your website or business targets Canadian consumers, you must comply with PIPEDA and create a PIPEDA-compliant Privacy Policy.

Do All PIPEDA-Compliant Companies Require a Privacy Policy?

Yes, every organization that falls under the jurisdiction of PIPEDA must give consumers notice of how they collect and use their personal information. The way to do this is by creating a Privacy Policy that conforms to PIPEDA's requirements.

General Requirements for PIPEDA Privacy Policies

General Requirements for PIPEDA Privacy Policies

Here are some tips for producing your Privacy Policy, based on guidance from the OPC:

  • Use plain and simple language. Make sure your customers can understand your Privacy Policy. Avoid using too much "legalese."
  • Make your Privacy Policy specific to your business. We're providing a template with the required sections, but you need to provide detailed information about your practices.
  • Ensure your Privacy Policy is easy to navigate and has a clear structure. Use subheadings, such as "How We Collect Personal Information."
  • Keep your Privacy Policy up to date. Your Privacy Policy is a "living document" that should reflect your practices as your business grows and changes.
  • Make your Privacy Policy accessible. You should display your Privacy Policy on your website, and give consumers the opportunity to read your Privacy Policy whenever you collect personal information. We'll look at how to do this at the end of this guide.

What to Include in Your PIPEDA Privacy Policy

What to Include in Your PIPEDA Privacy Policy

Here are the basic requirements for a Privacy Policy as they appear at PIPEDA Section 4.8.2:

Govt of Canada: Justice Laws Website - PIPEDA: Information  made available clause

If you created a Privacy Policy following PIPEDA's requirements to the letter, you'd end up with a slightly unusual document that didn't provide much value to your customers.

We're going to explain how to create a Privacy Policy that includes everything PIPEDA requires. But it will be presented in a somewhat more logical order, and it will contain some additional information that consumers expect to see in a Privacy Policy.

Before we begin, please note that this basic PIPEDA Privacy Policy will not be sufficient to comply with privacy laws outside of Canada.

If you target consumers in any other markets, take a look at our other guides for creating a Privacy Policy that complies with the laws in those regions. Some other important privacy laws include:

  • United States: California Online Privacy Protection Act (CalOPPA)
  • European Union and United Kingdom: General Data Protection Regulation (GDPR)
  • Australia: Privacy Act

Introduction Section

You should introduce your Privacy Policy by describing the purpose of the document and giving its effective date (i.e. the last date on which you updated the policy).

Your introduction can also set out some of your company's principles when it comes to using and protecting your customers' personal information.

Here's how Optimizely does this:

Optimizely Privacy Policy: Introduction clause

Note that Optimizely also provides a link to copies of its old Privacy Policies, which is a helpful thing to do.

Your Company's Contact Details

PIPEDA requires that you provide "the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded."

Larger companies should appoint a Privacy Officer who is responsible for overseeing compliance with PIPEDA and other laws and regulations.

Alternatively, you can provide contact details for anyone in your company who will know how to handle privacy inquiries.

Here's how ContactsPlus does this:

ContactsPlus Privacy Policy: How to contact us clause

Note that ContactsPlus provides the contact details of the Data Protection Officer (DPO). This is a requirement for some companies under the EU's GDPR.

PIPEDA requires that you provide "a copy of any brochures or other information that explain the organization's policies, standards, or codes."

Your company might not have any "brochures," but it probably has some other policies (or, at least, it should!), and you can provide links to these in your Privacy Policy.

Your other policies might include:

Here's how Sabre Overseas does this:

Sabre Overseas Privacy Policy: Intro clause with Policy links

What Personal Information You Collect

You should explain what personal information you collect. This includes your customers, as well as anyone else whose personal information you might collect, including prospective customers, visitors to your website, etc.

PIPEDA defines "personal information" as "information about an identifiable individual." The Canadian authorities have taken a broad view of what this includes.

Some common examples of personal information include:

  • Name or alias
  • Shipping or billing address
  • ID numbers
  • Financial information, such as credit card number or bank details
  • Login and account information, including username, account number, or password
  • Opinions about a person
  • A person's emails to and from your customer services department
  • Technical data, such as IP addresses, advertising IDs, device IDs, or cookie data
  • Information about a person's appearance, race, ethnicity, or national origin
  • Information about a person's health, social status, income, or employment
  • Biometric information

Remember that personal information doesn't need to directly identify an individual. It only needs to be about an individual, and so if a piece of information could indirectly identify an individual when combined with other information, then it should be treated as personal information.

Here's how Stripe identifies some of the types of personal information it collects about consumers:

Stripe Privacy Policy: Excerpt of Personal data we collect clause

How You Collect Personal Information

Your Privacy Policy should inform consumers about how you collect personal information.

Broadly speaking, there are three main ways in which businesses collect personal information:

  • When a consumer provides it voluntarily, e.g. by filling in a form, placing an order, or signing up for an account.
  • When the business collects it from the consumer automatically, e.g. through the use of website cookies, analytics, or other similar technologies.
  • When the business receives it from a third party, e.g. via public sources, lead generators, or marketing companies.

Think carefully about your sources of personal information and the types of personal information you receive via these sources.

Here's how Thrive Therapeutics identifies how it collects personal information directly from consumers:

Thrive Therapeutic Privacy Policy: Information directly collected clause

Here's how the company identifies how it collects personal information from third parties:

Thrive Therapeutic Privacy Policy: Information indirectly collected clause

How You Use Personal Information

You should identify your purposes for collecting personal information, which means explaining how and why you use it.

Informing consumers about your purposes for collecting personal information is an important obligation under PIPEDA. It's also important that you do not collect any personal information unless you have a specified, legitimate purpose for doing so.

Of course, there are many legitimate purposes for collecting and using personal information. Here are some of the more common ways that online businesses use personal information:

  • Order processing, e.g. shipping products, taking payments
  • Customer service, e.g. receiving and responding to customers' inquiries or complaints
  • Direct marketing
  • Analytics, e.g. measuring the success of ad campaigns, or identifying your most popular markets

Here's how News UK explains some of the ways in which it uses personal information:

News UK Privacy Policy: How we use personal information clause - To provide products and services and improve experience section

Cookies

Your website almost certainly uses cookies of some kind, for example:

  • Session cookies: Short-term, unintrusive cookies that help with website maintenance and user experience
  • Analytics cookies: Set by you or third-parties to monitor website use and measure the effectiveness of your ad campaigns
  • Tracking cookies: Monitor your customers' activities on your website and other websites to deliver targeted advertising based on their habits and preferences

The use of cookies has implications for your customers' privacy. Cookies can be used to collect personal information. The OPC states that your Privacy Policy must disclose your use of cookies.

You can disclose how your website uses cookies via a separate Cookies Policy, or via a section in your main Privacy Policy. You should explain:

  • What cookies are and why you use them
  • What types of cookies you use
  • Details of any third-party cookies
  • How long the types of cookies you use are stored on users' devices
  • How users can opt out of cookies

Let's take a look at how Twitter explains its use of cookies.

First, here's how Twitter explains what cookies are:

Twitter Help Center: What are cookies, pixels and local storage section

Twitter then explains its purposes for using cookies. Here's one of the reasons that Twitter uses cookies:

Twitter Help Center: Why are cookies used - Advertising section

Here's how Twitter explains how users can opt out of cookies:

Twitter Help Center: How to opt out of cookies and interest-based ads section

Consumers' Privacy Choices

You should explain how consumers can find out what personal information you hold about them, or exercise control over their personal information.

Unlike certain other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), PIPEDA does not contain an extensive set of consumer rights.

However, PIPEDA does grant consumers the right to:

  • Access the personal information you hold about them
  • Correct any inaccurate or outdated personal information you hold about them (or, if this is not possible, delete the inaccurate personal information)
  • Withdraw consent for any activities for which they have consented (e.g. direct marketing or cookies)

Of course, you can go over and above PIPEDA's requirements by offering consumers greater control over their personal information. This might include the ability to delete their account or to delete user-generated content they have posted on your website.

Here's how Canadian company RedDress Medical explains PIPEDA's basic privacy rights:

RedDress Privacy Policy: Access to Personal Information clause

How You Share Personal Information

Practically every business needs to share personal information with service providers and other companies.

PIPEDA requires that you disclose "what personal information is made available to related organizations (e.g., subsidiaries)." We'd suggest you don't only list "related organizations." Let consumers know all the different types of third parties with whom you share personal information.

Here are some examples of the types of companies with whom you might share personal information, or who might collect personal information on your company's behalf:

  • Advertisers
  • Analytics providers
  • Payment processors
  • Web servers
  • Shipping companies
  • Software companies

Here's an example from LeadersPlus:

LeadersPlus Privacy Statement: Share personal data clause

You don't need to be specific with the names of the third parties you share data with or may share it with. You can just put categories of parties, such as LeadersPlus did in the above clause.

Where to Display Your Privacy Policy

Where to Display Your Privacy Policy

It's important to prominently display your Privacy Policy:

  • On your website's homepage
  • On your mobile app
  • On your Facebook Page
  • When taking payment details
  • When requesting an email address for your mailing list

Here's how Waterstones displays a link to its Privacy Policy in the footer of its website's homepage:

Waterstones website footer with links and Privacy Policy highlighted

If you have a mobile app, ensure your Privacy Policy is accessible from within the app. You can provide a link within the "Settings," "About," or "Account" menu.

Here's an example from Asana's mobile app.

Asana mobile Account menu with Privacy Policy highlighted

Check out our guidance on creating a Privacy Policy for Mobile Apps for more information, guidance and examples.

Here's how what3words shares a link to its Privacy Policy when requesting consumers' email addresses:

what3words email sign-up form with Privacy Policy highlighted

It's also easy to add your Privacy Policy to your company's Facebook Page.

Summary of Your PIPEDA Privacy Policy

Your PIPEDA Privacy Policy should contain the following sections:

  • An introduction and effective date
  • Your company's contact details
  • Links to your other policies
  • An explanation of what personal information you collect
  • An explanation of how you collect personal information
  • An explanation of how you use personal information
  • Information about the cookies and similar technologies you use on your website and mobile app
  • Information about how consumers can access, modify, or delete their personal information
  • An explanation of how you share personal information

Remember to prominently display your Privacy Policy on your website, mobile app, and whenever you request personal information.

Download Sample PIPEDA Privacy Policy Template

Generate a Privacy Policy in just a few minutes

Our Sample PIPEDA Privacy Policy is available for download, for free. The template includes these sections:

  • Definitions
  • Collecting and Using Personal Information
  • Usage Data
  • Use of Personal Information
  • Transfer of Personal Information
  • Disclosure of Personal Information
  • Security of Personal Information
  • Links to Other Websites
  • Changes to Privacy Policy
  • Contact Information

Sample PIPEDA Privacy Policy Template (HTML Text Download)

You can download the Sample PIPEDA Privacy Policy Template as HTML code below. Copy it from the box field below (right-click > Select All and then Copy-paste) and then paste it on your website pages.

Sample PIPEDA Privacy Policy Template (PDF Download)

Download the Sample PIPEDA Privacy Policy Template as a PDF file

Sample PIPEDA Privacy Policy Template (Word DOCX Download)

Download the Sample PIPEDA Privacy Policy Template as a Word DOCX file

Sample PIPEDA Privacy Policy Template (Google Docs)

Download the Sample PIPEDA Privacy Policy Template as a Google Docs document

Sample PIPEDA Privacy Policy Template

More Privacy Policy Templates

More specific Privacy Templates are available on our blog.

Sample Privacy Policy Template A Privacy Policy Template for all sorts of websites, apps and businesses.
Sample Mobile App Privacy Policy Template A Privacy Policy Template for mobile apps on Apple App Store or Google Play Store.
Sample GDPR Privacy Policy Template A Privacy Policy Template for businesses that need to comply with GDPR.
Sample CCPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with CCPA.
Sample California Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's privacy requirements (CalOPPA & CCPA).
Sample Virginia VCDPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with Virginia's VCDPA.
Sample PIPEDA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with Canada's PIPEDA.
Sample Ecommerce Privacy Policy Template A Privacy Policy Template for ecommerce businesses.
Small Business Privacy Policy Template A Privacy Policy Template for small businesses.
Privacy Policy for Google Analytics (Sample) A Privacy Policy Template for businesses that use Google Analytics.
Sample CalOPPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's CalOPPA.
Sample SaaS Privacy Policy Template A Privacy Policy Template for SaaS businesses.
Sample COPPA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's COPPA.
Sample CPRA Privacy Policy Template A Privacy Policy Template for businesses that need to comply with California's CPRA.
Blog Privacy Policy Sample A Privacy Policy Template for blogs.
Sample Email Marketing Privacy Policy Template A Privacy Policy Template for businesses that use email marketing.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy