Protecting Your Online Business from PIPEDA Privacy Complaints
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the data privacy law in Canada. It applies to the operators of websites conducting commercial activity that collect, use, and disclose personal information about site users.
What is PIPEDA and What Does It Require?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law that regulates data privacy. The act governs how businesses in the private sector collect, use, and disclose the personally identifiable information they collect from their consumers in the course of conducting commercial business.
The law was enacted in April 2000 to promote consumer trust in e-commerce and to reassure the European Union (EU) that Canada's law on data privacy was sufficient to safeguard the personal information of European citizens.
Any commercial activity (such as an online store) based in Canada that uses, collects, or discloses any kind of personal information is covered by PIPEDA. Commercial activity includes any form of act, conduct, or transaction that is commercial in nature.
Based on this definition, websites, web apps, mobile apps, and desktop apps that conduct commercial activities and use, collect, or disclose personal information are covered by PIPEDA.
According to PIPEDA, covered organizations and other commercial businesses are required to get their users' consent before they can collect, use, or disclose the users' personal information.
In addition to this, PIPEDA also states that whatever information you collect should only be used for the express purpose for which you collected it. In other words, if a user provides consent to collect their data for a specific purpose such as an email newsletter, you cannot use that email address for any other purpose.
PIPEDA also requires you to let your customers know you will take reasonable measures to protect their personally identifiable information.
PIPEDA also requires you to disclose how you use the data you collect.
One of the most important aspects of PIPEDA is a requirement for safeguarding personal information. This includes information your site collects, as well as information any third parties might be collecting through your site, such as analytics providers or others.
Furthermore, you may only collect, use, and disclose personal information for reasonable purposes, such as to provide your services.
PIPEDA's Schedule I also mentions 10 Fair Information Principles that you must meet in order to remain compliant with the act. We'll look at them in the context of protecting your online business from PIPEDA privacy complaints.
Allowing Customer Inquiries
PIPEDA's Schedule I states that you must provide a way for your customers and end users to file a complaint against your business. It also states that every complaint filed must be reasonably investigated and that, if warranted, corrective action must be taken.
PIPEDA requires you to be accountable for the personal information you collect, use, and disclose. To help ensure you do this correctly, it is recommended that you assign an individual or department to monitor PIPEDA compliance.
Usually, the individual responsible for monitoring PIPEDA compliance is also responsible for ensuring your customers have a way of contacting you with inquiries.
Request to Receive, Transfer or Delete Data
According to PIPEDA, individuals whose personally identifiable information you're collecting have a right to access that information at any time.
Once an individual requests a copy of their information, you are required by PIPEDA to inform the individual of the information you have on them, and give them a complete and accurate account of how that information is being used.
PIPEDA Complaint Process
The Office of the Privacy Commissioner of Canada provides clear instructions on its website for filing a formal privacy complaint under PIPEDA. According to the OPC, individuals who believe their personal information has been mishandled in any way are encouraged to first approach the organization holding their personal information directly.
However, if the individual is unable to resolve the privacy issue directly with the organization, then they have the option to file a complaint with the Office of the Privacy Commissioner of Canada.
It's important to note that the Office of the Privacy Commissioner of Canada can only accept the following complaints:
- Complaints about how federal institutions subject to the Privacy Act handle their consumers' personal information.
- Complaints about how businesses subject to PIPEDA handle their consumers' personal information.
The resource also itemizes three circumstances in which an individual can file an official complaint:
- If the individual feels that their personal information has been wrongfully collected, used or disclosed.
- If the individual was refused access to their personal information.
- If the individual feels there was an unreasonable delay in accessing their information.
If any of these conditions exist, your customers are encouraged to proceed with filing a formal complaint against your business.
The Office of the Privacy Commissioner of Canada provides two different scenarios for filing a complaint - File a complaint about a business or File a complaint about a federal institution. Both scenarios have slightly different procedures.
File a Complaint about a Business
When your customers file a complaint against your business, the Office of the Privacy Commissioner of Canada (OPC) determines whether the matter is covered by PIPEDA or not. If it is, the OPC will determine how the investigation will be conducted.
The Guide to the PIPEDA complaint process explains what happens when an individual files a formal complaint under PIPEDA, what the OPC can investigate, what happens during the investigation process, and how long it can take.
File a Complaint about a Federal Institution
If an individual files a complaint about a federal institution, it is regulated under the Privacy Act. Similar to filing a complaint against a business, when a customer files a complaint about a federal institution, the OPC determines whether the matter is covered by the Privacy Act or not. If it is, the OPC will determine how the investigation will be conducted.
The OPC also explains what you can expect during a complaint investigation filed against a federal institution. It details the Privacy Commissioner's role, how the OPC conducts investigations, what kind of court action is possible, what your role is as the complainant, etc.
The PIPEDA compliance help page links to a number of resources, including a list of 10 tips, to help online business owners better understand the requirements of PIPEDA and their obligations under it.
These 10 tips are:
- Limit the amount of information you collect and how long you retain it, while also getting consent for it
- Train your staff on privacy issues
- Limit and monitor access to the personal information your business has
- Don't arbitrarily collect sensitive personal information
- Disclose any video surveillance your brick-and-mortar business engages in
- Use encryption and password protection when applicable to protect personal information
- Always respond to and address user requests to access their personal information
- Have processes in place to safeguard against and report data breaches
- Provide a point of contact for your users to speak with about privacy issues and concerns
As an online business owner running a company covered under PIPEDA, you should be aware that an individual can file an official complaint:
- If the individual believes their personal information has been wrongfully collected, used or disclosed.
- If the individual was refused access to their personal information.
- If the individual believes there was an unreasonable delay in accessing their information.