PIPEDA Privacy Policy Template
If you're a business selling anything to Canadian customers, then you must comply with the terms of the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA protects Canadians consumers' rights around who can access their personal data, and for what purposes. It's designed to bring Canadian privacy law into line with other global privacy laws, and it places a number of responsibilities on you regarding how you handle personal data.
Let's consider how the Act regulates personal data processing, and how Privacy Policies fit in.
Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:
- Click on "Start creating your Privacy Policy" on our website.
- Select the platforms where your Privacy Policy will be used and go to the next step.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
-
Enter your email address where you'd like your Privacy Policy sent and click "Generate".
And you're done! Now you can copy or link to your hosted Privacy Policy.
- 1. What is PIPEDA?
- 2. Who Must Comply With PIPEDA?
- 3. Does PIPEDA Require me to Have a Privacy Policy?
- 4. Will a PIPEDA Privacy Policy Meet GDPR Standards?
- 5. What Happens if I Don't Comply With PIPEDA?
- 6. How to Write a PIPEDA-Compliant Privacy Policy
- 7. The Clauses Every PIPEDA Privacy Policy Needs
- 7.1. Introduction
- 7.2. Contact Information
- 7.3. Cookie Details
- 7.4. Consumer Rights
- 7.5. The Personal Data You Collect
- 7.6. How You Collect Personal Information
- 7.7. Why You Collect This Data
- 7.8. Use of Personal Data
- 7.9. Personal Data Sharing
- 7.10. Links to Your Other Policies
- 8. Where to Display the Privacy Policy
- 8.1. Your Website
- 8.2. Before Completing a Transaction
- 8.3. When Opening a Customer Account
- 8.4. Mobile Apps
- 9. Conclusion
What is PIPEDA?
PIPEDA regulates the collection, handling, processing, and sharing of someone's personal data. The Act defines "personal data" in Section 2 of Part 1 as information relating to an "identifiable individual."
This includes, for example, names, email addresses, and IP addresses.
Under PIPEDA, Canadian consumers have the right to:
- Decide who can access their personal data
- Access the personal data a company holds on them
- Correct any errors in their personal information
What's more, they have the right to assume you will take reasonable steps to safeguard their data while it's in your possession.
In some provinces, PIPEDA doesn't apply because substantially similar provincial laws apply instead. Generally speaking, however, if you engage in any commercial activity involving Canadian consumers, assume PIPEDA applies.
Who Must Comply With PIPEDA?
You must comply with PIPEDA if you're a private business or organization selling goods and services to the people of Canada.
- Private sector charities must be PIPEDA-compliant when they're engaged in commercial activity of any kind.
- It doesn't matter where your business is located. If you target Canadian citizens, you have responsibilities under PIPEDA.
If you're in any doubt as to whether PIPEDA applies, it's better to assume that it does.
Does PIPEDA Require me to Have a Privacy Policy?
In short, yes. PIPEDA gives Canadians the right to know if a business plans on collecting, using, or processing their personal data so they can choose whether or not to consent.
The easiest and most practical way to comply with this requirement is through a Privacy Policy.
Will a PIPEDA Privacy Policy Meet GDPR Standards?
The EU's General Data Protection Regulation (GDPR) is considered one of the world's strictest privacy laws. Although PIPEDA offers consumers fairly comprehensive rights over their personal data, it's a little less stringent than the GDPR.
Here's why:
Firstly, statements like, "By signing up for an account you agree to our Privacy Policy" are PIPEDA-compliant, but insufficient for the GDPR. That's because the GDPR requires express, not implied, consent.
Secondly, the GDPR gives consumers the "right to be forgotten," or the right to ask a company to delete all their personal data. Under PIPEDA, consumers can ask companies to delete their data, but there's no guarantee they'll be "forgotten."
Essentially, if you plan on selling to consumers outside Canada, you must ensure your Privacy Policy meets the applicable global standards.
What Happens if I Don't Comply With PIPEDA?
Luckily, it's pretty simple to comply with the Act's requirements. However, if you knowingly fail to uphold your responsibilities under the Act, you can be fined up to $100,000.
In other words, if you deliberately choose to disregard the Act, you will most likely be penalized. Even if you accidentally violate PIPEDA, though, there's still a chance you will be fined, and you could damage your company's reputation.
How to Write a PIPEDA-Compliant Privacy Policy
While every Privacy Policy looks a little different, there are a few principles you should bear in mind when you're drafting your own Policy:
- Ensure your Privacy Policy is up-to-date. Review it regularly and make changes when necessary.
- Use clear, simple language and short paragraphs, where possible. It should be easy enough for the average person to understand.
- Structure your Policy in a logical way, and use headers and subheaders to organize information. Again, it all comes down to making the document accessible and readable.
- Make sure it's easy for people to contact you for more information by including a few contact details.
We'll look at how to apply these principles as we work through our template below.
The Clauses Every PIPEDA Privacy Policy Needs
You must include, at minimum, clauses covering a few key areas:
- Your contact details, so consumers can reach you if they have any more questions
- The type of personal data you capture, and how it's used
- How you obtain the data
- Who you share this data with e.g., third parties
- Where consumers can learn more about your other key policies
Let's now look at how you might cover these points in your own Privacy Policy.
Introduction
Start your Privacy Policy with a clause explaining what the document's all about and include the date when you last updated the Policy. If it's a new document, use the date it was created.
To illustrate, here's how Tim Hortons starts its Privacy Policy:
Contact Information
Set out at least one way for someone to contact you for more information on your Policy, or with questions. Ensure at least one of these methods is free.
Starbucks, for example, includes a contact form and an email address:
Cookie Details
If you use cookies of any kind to collect personal information, you must disclose this.
- First, explain what cookies are. Remember, we're assuming consumers have no legal or technical knowledge, so explanations are required.
- Then, set out which cookies you use, why they're used, and how users can opt out.
An example will make this more clear.
In just one clause, WestJet clearly sets out what cookies are and why the company uses them:
The company also clearly explains how users can opt out of cookies:
Consumer Rights
Ensure you inform Canadian users what rights they have over their personal data, meaning the right to:
- Consent to personal data sharing
- Access data held on them
- Amend incorrect data
- Withdraw consent
McDonald's uses short, succinct paragraphs to do this, based on PIPEDA's 10 Privacy Principles. For example, here's how someone's right to offer and withdraw consent is described:
And here's how the company confirms that users have the right to access data it holds:
The Personal Data You Collect
Be clear about what personal information you collect from anyone visiting your website. This information includes, for example:
- Names and email addresses
- Financial details e.g., credit card numbers
- Login details
- Technical information e.g., web beacons or IP addresses
Starbucks, for example, helpfully breaks down the information it collects into three categories:
- Data customers provide
- Details collected automatically
- Data gathered from third-party sources
It also offers some examples to make this more clear.
How You Collect Personal Information
How do you actually capture personal data from your customers? You probably use a few methods, but if we stick with the Starbucks example above, they can, most likely, be grouped into three categories:
- Voluntary: e.g, when customers sign up for an account
- Automated: e.g., if you use tracking technology
- External: e.g., you receive the data from a third party
Think of these as the three stages when you acquire personal data. In your Privacy Policy, set out how you gather data at each stage.
For example, Tim Hortons acquires some data from its customers voluntarily:
And through device information, when customers use its services:
And, finally, from social media or other freely-accessible third-party sources:
Why You Collect This Data
You need a justifiable reason to collect someone's data e.g., you need their name and address to complete an online order. So, it's important you set out your justifications in your Privacy Policy.
Canadian Tire begins by saying it doesn't always need personal data to do business with someone, but then sets out some examples of when data collection is necessary.
For example, in the section headed "Why do we need your personal information," different occasions when a customer's data is needed are set out. The company requires some data to complete a sales transaction:
And it needs financial data when opening a credit account for someone:
Use of Personal Data
While it's great practice to set out the details of why you need certain types of information, include a summary clause, too. Remember, it's all about keeping things simple for the average Canadian to understand.
Here's an example from WestJet. First, the company confirms what personal data is:
Then, it briefly sets out when it collects personal data and why:
So, if someone chooses not to read the lengthier, more detailed clauses covering the types of personal data captured in-depth, they're still aware of the most important facts.
Most importantly, they understand their rights.
Personal Data Sharing
Chances are you need to share the data you collect with other service providers, including financial institutions and courier services. You might also share it with other third parties like marketing companies and advertisers.
In short, if you share any personal data with an external party, you must declare this in your Privacy Policy.
- Confirm what data you give to third parties
- Explain who you share data with, and why
McDonald's sets out its policies in Principle 5 of the Privacy Policy. It strikes a balance between giving just enough details to comply with PIPEDA, without being too dense or difficult to read:
Links to Your Other Policies
Include links to other key policies, such as your Terms of Use and Return Policy, within the Privacy Policy document.
Starbucks has a good example clause for this:
This helps readers find other important and related agreements quickly, and tie in all the agreements together in an organized, streamlined way. If someone is interested in reading about your practices and rules, they will appreciate you making the other agreements and policies so accessible.
Where to Display the Privacy Policy
It's not enough to just write a PIPEDA Privacy Policy. You must display it somewhere obvious so people can read it before buying goods or services from you.
Your Website
Make sure there's an obvious link to your Privacy Policy somewhere on your website, whether it's in the header, footer, or sidebar.
Tim Hortons, for example, includes a link to its Privacy Policy in the website footer. You'll note it's conveniently located above their other key policies, too:
What's important is that it's easy for customers to find and read your Privacy Policy before making any purchases or signing up for an account. Basically, before sharing any personal information with you.
Before Completing a Transaction
Draw a consumer's attention to your Privacy Policy before they complete a purchase through your website.
Here's an example from ASOS:
When Opening a Customer Account
Ensure customers can read your Privacy Policy before they open an account with you. That way, you can assume they consent to how you plan on using their personal details.
When you register for an ASOS account, you can quickly read the Privacy Policy before signing up:
You'll also notice ASOS uses checkboxes for getting consent for marketing purposes. This is a great idea because it's easy for customers to opt-in or opt-out, which puts your audience firmly in control of their personal data.
Mobile Apps
If you have a mobile app, don't forget to include a link to your Privacy Policy somewhere obvious, such as the account registration screen like we just examined, or within a menu, such as a Legal or About menu.
Also, make sure it's easy for people to view your Privacy Policy before they download your app. A simple way to do this is by including a link on the download page or within the app store's description (which is required in many cases).
Conclusion
If you sell goods or services to Canadian consumers, you need to write a PIPEDA-compliant Privacy Policy and display it somewhere obvious on your website and mobile app.
Every Privacy Policy must contain, at a minimum, the following clauses:
- Introduction (including the relevant date)
- Your company's contact details
- A description of the cookies you use
- What rights the consumer has over the collection, sharing, and transfer of personal data
- An overview of the personal data you collect
- An explanation of why you collect this data
- Details of how you gather personal information
- Confirmation of who you might share personal data with
- A description of how you use personal data
- Links to your other relevant policies
Remember, though, that a PIPEDA Privacy Policy doesn't necessarily comply with other privacy laws around the world. Always check if there are any additional Privacy Policy requirements before selling goods or services beyond Canada.
