Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
What is PIPEDA?
PIPEDA is Canada's main private-sector privacy law. It sets rules about how businesses collect, process, and share the personal information of people in Canada.
Who Needs to Comply with PIPEDA?
PIPEDA applies to businesses and other private-sector organizations, such as charities, engaged in "commercial activity." The term "commercial activity" is defined at Section 2(1) of PIPEDA:
Nonprofits and organizations that are partially publicly funded can engage in commercial activity, and they must comply with PIPEDA when doing so.
Do Non-Canadian Businesses Need to Comply with PIPEDA?
Yes, according to the Office of the Privacy Commissioner (OPC), the public authority that enforces Canadian privacy law, non-Canadian companies do have to comply with PIPEDA if they have any "real and substantial link to Canada."
General Requirements for PIPEDA Privacy Policies
- United States: California Online Privacy Protection Act (CalOPPA)
- European Union and United Kingdom: General Data Protection Regulation (GDPR)
- Australia: Privacy Act
Your introduction can also set out some of your company's principles when it comes to using and protecting your customers' personal information.
Here's how Optimizely does this:
Note that Optimizely also provides a link to copies of its old Privacy Policies, which is a helpful thing to do.
Your Company's Contact Details
PIPEDA requires that you provide "the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded."
Larger companies should appoint a Privacy Officer who is responsible for overseeing compliance with PIPEDA and other laws and regulations.
Alternatively, you can provide contact details for anyone in your company who will know how to handle privacy inquiries.
Here's how ContactsPlus does this:
Note that ContactsPlus provides the contact details of the Data Protection Officer (DPO). This is a requirement for some companies under the EU's GDPR.
Links to Other Policies
PIPEDA requires that you provide "a copy of any brochures or other information that explain the organization's policies, standards, or codes."
Your other policies might include:
Here's how Sabre Overseas does this:
What Personal Information You Collect
You should explain what personal information you collect. This covers information about your customers, as well as anyone else whose personal information you might collect, such as prospective customers and visitors to your website.
PIPEDA defines "personal information" as "information about an identifiable individual." The Canadian authorities have taken a broad view of what this includes.
Some common examples of personal information include:
- Name or alias
- Shipping or billing address
- ID numbers
- Financial information, such as credit card number or bank details
- Login and account information, including username, account number, or password
- Opinions about a person
- A person's emails to and from your customer services department
- Technical data, such as IP addresses, advertising IDs, device IDs, or cookie data
- Information about a person's appearance, race, ethnicity, or national origin
- Information about a person's health, social status, income, or employment
- Biometric information
Remember that personal information doesn't need to directly identify an individual. It only needs to be about an individual. If a piece of information could indirectly identify an individual when combined with other information, treat it as personal information.
Here's how Stripe identifies some of the types of personal information it collects about consumers:
How You Collect Personal Information
Broadly speaking, there are three main ways in which businesses collect personal information:
- When a consumer provides it voluntarily, e.g. by filling in a form, placing an order, or signing up for an account.
- When the business collects it from the consumer automatically, e.g. through the use of website cookies, analytics, or other similar technologies.
- When the business receives it from a third party, e.g. via public sources, lead generators, or marketing companies.
Think carefully about your sources of personal information and the types of personal information you receive via these sources.
Here's how Thrive Therapeutics identifies how it collects personal information directly from consumers:
Here's how the company identifies how it collects personal information from third parties:
How You Use Personal Information
You should identify your purposes for collecting personal information, which means explaining how and why you use it.
Informing consumers about your purposes for collecting personal information is an important obligation under PIPEDA. It's also important that you do not collect any personal information unless you have a specified, legitimate purpose for doing so.
Of course, there are many legitimate purposes for collecting and using personal information. Here are some of the more common ways that online businesses use personal information:
- Order processing, e.g. shipping products, taking payments
- Customer service, e.g. receiving and responding to customers' inquiries or complaints
- Direct marketing
- Analytics, e.g. measuring the success of ad campaigns, or identifying your most popular markets
Here's how News UK explains some of the ways in which it uses personal information:
Cookies
- Session cookies: Short-term, unintrusive cookies that help with website maintenance and user experience
- Analytics cookies: Set by you or third-parties to monitor website use and measure the effectiveness of your ad campaigns
- Tracking cookies: Monitor your customers' activities on your website and other websites to deliver targeted advertising based on their habits and preferences
- What cookies are and why you use them
- What types of cookies you use
- Details of any third-party cookies
- How long the types of cookies you use are stored on users' devices
- How users can opt out of cookies
First, here's how Twitter explains what cookies are:
Here's how Twitter explains how users can opt out of cookies:
Consumers' Privacy Choices
You should explain how consumers can find out what personal information you hold about them, or exercise control over their personal information.
Unlike certain other privacy laws, such as the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), PIPEDA does not contain an extensive set of consumer rights.
However, PIPEDA does grant consumers the right to:
- Access the personal information you hold about them
- Correct any inaccurate or outdated personal information you hold about them (or, if this is not possible, delete the inaccurate personal information)
- Withdraw consent for any activities for which they have consented (e.g. direct marketing or cookies)
Of course, you can go over and above PIPEDA's requirements by offering consumers greater control over their personal information. This might include the ability to delete their account or to delete user-generated content they have posted on your website.
Here's how Canadian company RedDress Medical explains PIPEDA's basic privacy rights:
How You Share Personal Information
Practically every business needs to share personal information with service providers and other companies.
PIPEDA requires that you disclose "what personal information is made available to related organizations (e.g., subsidiaries)." We'd suggest you don't only list "related organizations." Let consumers know all the different types of third parties with whom you share personal information.
Here are some examples of the types of companies with whom you might share personal information, or who might collect personal information on your company's behalf:
- Analytics providers
- Payment processors
- Web servers
- Shipping companies
- Software companies
Here's an example from LeadersPlus:
You don't need to name the specific third parties you share data with, or may share it with. You can list categories of parties instead, as LeadersPlus does in the clause above.
- On your website's homepage
- On your mobile app
- On your Facebook Page
- When taking payment details
- When requesting an email address for your mailing list
Here's an example from Asana's mobile app.
- An introduction and effective date
- Your company's contact details
- Links to your other policies
- An explanation of what personal information you collect
- An explanation of how you collect personal information
- An explanation of how you use personal information
- Information about the cookies and similar technologies you use on your website and mobile app
- Information about how consumers can access, modify, or delete their personal information
- An explanation of how you share personal information
- Collecting and Using Personal Information
- Usage Data
- Use of Personal Information
- Transfer of Personal Information
- Disclosure of Personal Information
- Security of Personal Information
- Links to Other Websites
- Contact Information
More specific Privacy Templates are available on our blog.