Protecting Your Online Business from PIPEDA Privacy Complaints

by Maria P. Legal writer.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the data privacy law in Canada. It applies to the operators of websites conducting commercial activity that collect, use, and disclose personal information about site users.

In this article, we'll take a look at what PIPEDA is and its requirements in the context of protecting your business from privacy complaints. We'll also review how your end users can file a formal complaint against your business under PIPEDA, and how you can use your Privacy Policy to mitigate the risk of a complaint.

What is PIPEDA and What Does It Require?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the Canadian law that regulates data privacy. The act governs how businesses in the private sector collect, use, and disclose the personally identifiable information they collect from their consumers in the course of conducting commercial business.

Definitions of Organizations under PIPEDA from Canada

The law was enacted in April 2000 to promote consumer trust in e-commerce and to reassure the European Union (EU) that Canada's law on data privacy was sufficient to safeguard the personal information of European citizens.

Any commercial activity (such as an online store) based in Canada that uses, collects, or discloses any kind of personal information is covered by PIPEDA. Commercial activity includes any form of act, conduct, or transaction that is commercial in nature.

Based on this definition, websites, web apps, mobile apps, and desktop apps that conduct commercial activities and use, collect, or disclose personal information are covered by PIPEDA.

According to PIPEDA, covered organizations and other commercial businesses are required to get their users' consent before they can collect, use, or disclose the users' personal information.

In addition to this, PIPEDA also states that whatever information you collect should only be used for the express purpose for which you collected it. In other words, if a user provides consent to collect their data for a specific purpose such as an email newsletter, you cannot use that email address for any other purpose.

PIPEDA also requires you to let your customers know you will take reasonable measures to protect their personally identifiable information.

PIPEDA also requires you to disclose how you use the data you collect.

One of the most important aspects of PIPEDA is a requirement for safeguarding personal information. This includes information your site collects, as well as information any third parties might be collecting through your site, such as analytics providers or others.

Furthermore, you may only collect, use, and disclose personal information for reasonable purposes, such as to provide your services.

PIPEDA's Schedule I also sets out 10 Fair Information Principles that you must meet in order to remain compliant with the act. We'll look at them in the context of protecting your online business from PIPEDA privacy complaints.

Allowing Customer Inquiries

PIPEDA's Schedule I states that you must provide a way for your customers and end users to file a complaint against your business. It also states that all complaints filed must be investigated to a reasonable capacity and that, if warranted, corrective action must be taken.

PIPEDA requires you to be accountable for the personal information you collect, use, and disclose. To help ensure you do this correctly, it is recommended that you assign an individual or department to monitor PIPEDA compliance.

Usually, the individual responsible for monitoring PIPEDA compliance is also responsible for ensuring your customers have a way of contacting you with inquiries.

Request to Receive, Transfer or Delete Data

According to PIPEDA, individuals whose personally identifiable information you're collecting have a right to access that information at any time.

Once an individual requests a copy of their information, you are required by PIPEDA to inform the individual of the information you have on them, and give them a complete and accurate account of how that information is being used.

PIPEDA Complaint Process

The Office of the Privacy Commissioner of Canada provides clear instructions on its website for filing a formal privacy complaint under PIPEDA. According to that guidance, individuals who believe their personal information has been mishandled in any way are encouraged to first approach the organization holding their personal information directly.

However, if the individual is unable to resolve the privacy issue directly with the organization, then they have the option to file a complaint with the Office of the Privacy Commissioner of Canada.

It's important to note that the Office of the Privacy Commissioner of Canada can only accept the following complaints:

  • Complaints about how federal institutions subject to the Privacy Act handle their consumers' personal information.
  • Complaints about how businesses subject to PIPEDA handle their consumers' personal information.

The resource also itemizes three circumstances in which an individual can file an official complaint:

  • If the individual feels that their personal information has been wrongfully collected, used or disclosed.
  • If the individual was refused access to their personal information.
  • If the individual feels there was an unreasonable delay in accessing their information.

If any of these conditions exists, your customers are encouraged to proceed with filing a formal complaint against your business.

The Office of the Privacy Commissioner of Canada provides two different scenarios for filing a complaint: filing a complaint about a business, or filing a complaint about a federal institution. The two scenarios have slightly different procedures.

File a Complaint about a Business

When your customers file a complaint against your business, the Office of the Privacy Commissioner of Canada (OPC) determines whether the matter is covered by PIPEDA or not. If it is, the OPC will determine how the investigation will be conducted.

Procedure for filing a PIPEDA complaint against a business

The Guide to the PIPEDA complaint process explains what happens when an individual files a formal complaint under PIPEDA, what the OPC can investigate, what happens during the investigation process, and how long it can take.

PIPEDA complaint process guide

File a Complaint about a Federal Institution

If an individual files a complaint about a federal institution, it is regulated under the Privacy Act. Similar to filing a complaint against a business, when a customer files a complaint about a federal institution, the OPC determines whether the matter is covered by the Privacy Act or not. If it is, the OPC will determine how the investigation will be conducted.

PIPEDA process for filing a complaint against a federal institution

The OPC also explains what you can expect during a complaint investigation filed against a federal institution. It details the Privacy Commissioner's role, how the OPC conducts investigations, what kind of court action is possible, what your role is as the complainant, etc.

How a Privacy Policy Can Mitigate Risk of Complaints

Publishing a compliant Privacy Policy on your website can help mitigate the risk of complaints. The OPC's website offers a number of helpful resources to help you ensure your online business is compliant with PIPEDA.

The PIPEDA compliance help page links to a number of resources to help online business owners better understand the requirements of PIPEDA and their obligations under it.

PIPEDA compliance help page

Included are 10 Privacy Tips for Businesses that explain how you can use your Privacy Policy to stay compliant with PIPEDA and mitigate the risk of formal complaints being filed with the OPC.

These 10 tips are:

  • Limit the amount of information you collect and how long you retain it, while also getting consent for it
  • Train your staff on privacy issues
  • Limit and monitor access to the personal information your business has
  • Don't arbitrarily collect sensitive personal information
  • Disclose any video surveillance your brick-and-mortar business engages in
  • Have a Privacy Policy
  • Use encryption and password protection when applicable to protect personal information
  • Always respond to and address user requests to access their personal information
  • Have processes in place to safeguard against and report data breaches
  • Provide a point of contact for your users to speak with about privacy issues and concerns

If you offer a Privacy Center to your users, make sure you link your full Privacy Policy within it.

Remember

As an online business owner running a company covered under PIPEDA, you should be aware that an individual can file an official complaint:

  • If the individual believes their personal information has been wrongfully collected, used or disclosed.
  • If the individual was refused access to their personal information.
  • If the individual believes there was an unreasonable delay in accessing their information.

Having a Privacy Policy published on your website that complies with PIPEDA can help you mitigate the risk of a formal complaint being filed against your business with the OPC.

Last updated on 12 March 2020