If you're a business selling anything to Canadian customers, then you must comply with the terms of the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA protects Canadians consumers' rights around who can access their personal data, and for what purposes. It's designed to bring Canadian privacy law into line with other global privacy laws, and it places a number of responsibilities on you regarding how you handle personal data.
Let's consider how the Act regulates personal data processing, and how Privacy Policies fit in.
- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
- 1. What is PIPEDA?
- 2. Who Must Comply With PIPEDA?
- 5. What Happens if I Don't Comply With PIPEDA?
- 7.1. Introduction
- 7.2. Contact Information
- 7.3. Cookie Details
- 7.4. Consumer Rights
- 7.5. The Personal Data You Collect
- 7.6. How You Collect Personal Information
- 7.7. Why You Collect This Data
- 7.8. Use of Personal Data
- 7.9. Personal Data Sharing
- 7.10. Links to Your Other Policies
- 8.1. Your Website
- 8.2. Before Completing a Transaction
- 8.3. When Opening a Customer Account
- 8.4. Mobile Apps
- 9. Conclusion
What is PIPEDA?
PIPEDA regulates the collection, handling, processing, and sharing of someone's personal data. The Act defines "personal data" in Section 2 of Part 1 as information relating to an "identifiable individual."
This includes, for example, names, email addresses, and IP addresses.
Under PIPEDA, Canadian consumers have the right to:
- Decide who can access their personal data
- Access the personal data a company holds on them
- Correct any errors in their personal information
What's more, they have the right to assume you will take reasonable steps to safeguard their data while it's in your possession.
In some provinces, PIPEDA doesn't apply because substantially similar provincial laws apply instead. Generally speaking, however, if you engage in any commercial activity involving Canadian consumers, assume PIPEDA applies.
Who Must Comply With PIPEDA?
You must comply with PIPEDA if you're a private business or organization selling goods and services to the people of Canada.
- Private sector charities must be PIPEDA-compliant when they're engaged in commercial activity of any kind.
- It doesn't matter where your business is located. If you target Canadian citizens, you have responsibilities under PIPEDA.
If you're in any doubt as to whether PIPEDA applies, it's better to assume that it does.
In short, yes. PIPEDA gives Canadians the right to know if a business plans on collecting, using, or processing their personal data so they can choose whether or not to consent.
The EU's General Data Protection Regulation (GDPR) is considered one of the world's strictest privacy laws. Although PIPEDA offers consumers fairly comprehensive rights over their personal data, it's a little less stringent than the GDPR.
Secondly, the GDPR gives consumers the "right to be forgotten," or the right to ask a company to delete all their personal data. Under PIPEDA, consumers can ask companies to delete their data, but there's no guarantee they'll be "forgotten."
What Happens if I Don't Comply With PIPEDA?
Luckily, it's pretty simple to comply with the Act's requirements. However, if you knowingly fail to uphold your responsibilities under the Act, you can be fined up to $100,000.
In other words, if you deliberately choose to disregard the Act, you will most likely be penalized. Even if you accidentally violate PIPEDA, though, there's still a chance you will be fined, and you could damage your company's reputation.
- Use clear, simple language and short paragraphs, where possible. It should be easy enough for the average person to understand.
- Structure your Policy in a logical way, and use headers and subheaders to organize information. Again, it all comes down to making the document accessible and readable.
- Make sure it's easy for people to contact you for more information by including a few contact details.
We'll look at how to apply these principles as we work through our template below.
You must include, at minimum, clauses covering a few key areas:
- Your contact details, so consumers can reach you if they have any more questions
- The type of personal data you capture, and how it's used
- How you obtain the data
- Who you share this data with e.g., third parties
- Where consumers can learn more about your other key policies
Set out at least one way for someone to contact you for more information on your Policy, or with questions. Ensure at least one of these methods is free.
Starbucks, for example, includes a contact form and an email address:
- First, explain what cookies are. Remember, we're assuming consumers have no legal or technical knowledge, so explanations are required.
- Then, set out which cookies you use, why they're used, and how users can opt out.
An example will make this more clear.
In just one clause, WestJet clearly sets out what cookies are and why the company uses them:
The company also clearly explains how users can opt out of cookies:
Ensure you inform Canadian users what rights they have over their personal data, meaning the right to:
- Consent to personal data sharing
- Access data held on them
- Amend incorrect data
- Withdraw consent
McDonald's uses short, succinct paragraphs to do this, based on PIPEDA's 10 Privacy Principles. For example, here's how someone's right to offer and withdraw consent is described:
And here's how the company confirms that users have the right to access data it holds:
The Personal Data You Collect
Be clear about what personal information you collect from anyone visiting your website. This information includes, for example:
- Names and email addresses
- Financial details e.g., credit card numbers
- Login details
- Technical information e.g., web beacons or IP addresses
Starbucks, for example, helpfully breaks down the information it collects into three categories:
- Data customers provide
- Details collected automatically
- Data gathered from third-party sources
It also offers some examples to make this more clear.
How You Collect Personal Information
How do you actually capture personal data from your customers? You probably use a few methods, but if we stick with the Starbucks example above, they can, most likely, be grouped into three categories:
- Voluntary: e.g, when customers sign up for an account
- Automated: e.g., if you use tracking technology
- External: e.g., you receive the data from a third party
For example, Tim Hortons acquires some data from its customers voluntarily:
And through device information, when customers use its services:
And, finally, from social media or other freely-accessible third-party sources:
Why You Collect This Data
Canadian Tire begins by saying it doesn't always need personal data to do business with someone, but then sets out some examples of when data collection is necessary.
For example, in the section headed "Why do we need your personal information," different occasions when a customer's data is needed are set out. The company requires some data to complete a sales transaction:
And it needs financial data when opening a credit account for someone:
Use of Personal Data
While it's great practice to set out the details of why you need certain types of information, include a summary clause, too. Remember, it's all about keeping things simple for the average Canadian to understand.
Here's an example from WestJet. First, the company confirms what personal data is:
Then, it briefly sets out when it collects personal data and why:
So, if someone chooses not to read the lengthier, more detailed clauses covering the types of personal data captured in-depth, they're still aware of the most important facts.
Most importantly, they understand their rights.
Personal Data Sharing
Chances are you need to share the data you collect with other service providers, including financial institutions and courier services. You might also share it with other third parties like marketing companies and advertisers.
- Confirm what data you give to third parties
- Explain who you share data with, and why
Links to Your Other Policies
Starbucks has a good example clause for this:
This helps readers find other important and related agreements quickly, and tie in all the agreements together in an organized, streamlined way. If someone is interested in reading about your practices and rules, they will appreciate you making the other agreements and policies so accessible.
Before Completing a Transaction
Here's an example from ASOS:
When Opening a Customer Account
You'll also notice ASOS uses checkboxes for getting consent for marketing purposes. This is a great idea because it's easy for customers to opt-in or opt-out, which puts your audience firmly in control of their personal data.
- Introduction (including the relevant date)
- Your company's contact details
- A description of the cookies you use
- What rights the consumer has over the collection, sharing, and transfer of personal data
- An overview of the personal data you collect
- An explanation of why you collect this data
- Details of how you gather personal information
- Confirmation of who you might share personal data with
- A description of how you use personal data
- Links to your other relevant policies