PIPEDA Privacy Policy Template

by Jennifer L. Legal writer.
PIPEDA Privacy Policy Template

If you're a business selling anything to Canadian customers, then you must comply with the terms of the Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA protects Canadians consumers' rights around who can access their personal data, and for what purposes. It's designed to bring Canadian privacy law into line with other global privacy laws, and it places a number of responsibilities on you regarding how you handle personal data.

Let's consider how the Act regulates personal data processing, and how Privacy Policies fit in.


What is PIPEDA?

PIPEDA regulates the collection, handling, processing, and sharing of someone's personal data. The Act defines "personal data" in Section 2 of Part 1 as information relating to an "identifiable individual."

This includes, for example, names, email addresses, and IP addresses.

Under PIPEDA, Canadian consumers have the right to:

  • Decide who can access their personal data
  • Access the personal data a company holds on them
  • Correct any errors in their personal information

What's more, they have the right to assume you will take reasonable steps to safeguard their data while it's in your possession.

In some provinces, PIPEDA doesn't apply because substantially similar provincial laws apply instead. Generally speaking, however, if you engage in any commercial activity involving Canadian consumers, assume PIPEDA applies.

Who Must Comply With PIPEDA?

Who Must Comply With PIPEDA?

You must comply with PIPEDA if you're a private business or organization selling goods and services to the people of Canada.

  • Private sector charities must be PIPEDA-compliant when they're engaged in commercial activity of any kind.
  • It doesn't matter where your business is located. If you target Canadian citizens, you have responsibilities under PIPEDA.

If you're in any doubt as to whether PIPEDA applies, it's better to assume that it does.

Does PIPEDA Require me to Have a Privacy Policy?

In short, yes. PIPEDA gives Canadians the right to know if a business plans on collecting, using, or processing their personal data so they can choose whether or not to consent.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. PrivacyPolicies.com: Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. PrivacyPolicies.com: Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. PrivacyPolicies.com: Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

    PrivacyPolicies.com: Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

The easiest and most practical way to comply with this requirement is through a Privacy Policy.

Will a PIPEDA Privacy Policy Meet GDPR Standards?

The EU's General Data Protection Regulation (GDPR) is considered one of the world's strictest privacy laws. Although PIPEDA offers consumers fairly comprehensive rights over their personal data, it's a little less stringent than the GDPR.

Here's why:

Firstly, statements like, "By signing up for an account you agree to our Privacy Policy" are PIPEDA-compliant, but insufficient for the GDPR. That's because the GDPR requires express, not implied, consent.

Secondly, the GDPR gives consumers the "right to be forgotten," or the right to ask a company to delete all their personal data. Under PIPEDA, consumers can ask companies to delete their data, but there's no guarantee they'll be "forgotten."

Essentially, if you plan on selling to consumers outside Canada, you must ensure your Privacy Policy meets the applicable global standards.

What Happens if I Don't Comply With PIPEDA?

Luckily, it's pretty simple to comply with the Act's requirements. However, if you knowingly fail to uphold your responsibilities under the Act, you can be fined up to $100,000.

In other words, if you deliberately choose to disregard the Act, you will most likely be penalized. Even if you accidentally violate PIPEDA, though, there's still a chance you will be fined, and you could damage your company's reputation.

How to Write a PIPEDA-Compliant Privacy Policy

While every Privacy Policy looks a little different, there are a few principles you should bear in mind when you're drafting your own Policy:

  • Ensure your Privacy Policy is up-to-date. Review it regularly and make changes when necessary.
  • Use clear, simple language and short paragraphs, where possible. It should be easy enough for the average person to understand.
  • Structure your Policy in a logical way, and use headers and subheaders to organize information. Again, it all comes down to making the document accessible and readable.
  • Make sure it's easy for people to contact you for more information by including a few contact details.

We'll look at how to apply these principles as we work through our template below.

The Clauses Every PIPEDA Privacy Policy Needs

The Clauses Every PIPEDA Privacy Policy Needs

You must include, at minimum, clauses covering a few key areas:

  • Your contact details, so consumers can reach you if they have any more questions
  • The type of personal data you capture, and how it's used
  • How you obtain the data
  • Who you share this data with e.g., third parties
  • Where consumers can learn more about your other key policies

Let's now look at how you might cover these points in your own Privacy Policy.

Introduction

Start your Privacy Policy with a clause explaining what the document's all about and include the date when you last updated the Policy. If it's a new document, use the date it was created.

To illustrate, here's how Tim Hortons starts its Privacy Policy:

Tim Hortons Privacy Policy: Introduction clause and effective date

Contact Information

Set out at least one way for someone to contact you for more information on your Policy, or with questions. Ensure at least one of these methods is free.

Starbucks, for example, includes a contact form and an email address:

starbucks-privacy-policy-contact-clause

If you use cookies of any kind to collect personal information, you must disclose this.

  • First, explain what cookies are. Remember, we're assuming consumers have no legal or technical knowledge, so explanations are required.
  • Then, set out which cookies you use, why they're used, and how users can opt out.

An example will make this more clear.

In just one clause, WestJet clearly sets out what cookies are and why the company uses them:

WestJet Privacy Policy: Cookies and other technology clause - Definition and uses of cookies section

The company also clearly explains how users can opt out of cookies:

WestJet Privacy Policy: Cookies and other technology clause - Opt out information highlighted

Consumer Rights

Ensure you inform Canadian users what rights they have over their personal data, meaning the right to:

  • Consent to personal data sharing
  • Access data held on them
  • Amend incorrect data
  • Withdraw consent

McDonald's uses short, succinct paragraphs to do this, based on PIPEDA's 10 Privacy Principles. For example, here's how someone's right to offer and withdraw consent is described:

McDonalds Privacy Policy and Principles: Principle 3 - Consent clause

And here's how the company confirms that users have the right to access data it holds:

McDonalds Privacy Policy and Principles: Principle 9 - Right to access personal information clause

The Personal Data You Collect

Be clear about what personal information you collect from anyone visiting your website. This information includes, for example:

  • Names and email addresses
  • Financial details e.g., credit card numbers
  • Login details
  • Technical information e.g., web beacons or IP addresses

Starbucks, for example, helpfully breaks down the information it collects into three categories:

  • Data customers provide
  • Details collected automatically
  • Data gathered from third-party sources

Starbucks Privacy Policy: Information We Collect clause

It also offers some examples to make this more clear.

How You Collect Personal Information

How do you actually capture personal data from your customers? You probably use a few methods, but if we stick with the Starbucks example above, they can, most likely, be grouped into three categories:

  • Voluntary: e.g, when customers sign up for an account
  • Automated: e.g., if you use tracking technology
  • External: e.g., you receive the data from a third party

Think of these as the three stages when you acquire personal data. In your Privacy Policy, set out how you gather data at each stage.

For example, Tim Hortons acquires some data from its customers voluntarily:

Tim Hortons Privacy Policy: Information We Collect clause

And through device information, when customers use its services:

Tim Hortons Privacy Policy: Information Collected About Your Use of the Services clause

And, finally, from social media or other freely-accessible third-party sources:

Tim Hortons Privacy Policy: Information Collected From Third-Party Sources clause

Why You Collect This Data

You need a justifiable reason to collect someone's data e.g., you need their name and address to complete an online order. So, it's important you set out your justifications in your Privacy Policy.

Canadian Tire begins by saying it doesn't always need personal data to do business with someone, but then sets out some examples of when data collection is necessary.

For example, in the section headed "Why do we need your personal information," different occasions when a customer's data is needed are set out. The company requires some data to complete a sales transaction:

Canadian Tire Privacy Policy: Why do we need your personal information clause - Retail Services section

And it needs financial data when opening a credit account for someone:

Canadian Tire Privacy Policy: Why do we need your personal information clause - Financial Services section

Use of Personal Data

While it's great practice to set out the details of why you need certain types of information, include a summary clause, too. Remember, it's all about keeping things simple for the average Canadian to understand.

Here's an example from WestJet. First, the company confirms what personal data is:

WestJet Privacy Policy: What is personal information clause

Then, it briefly sets out when it collects personal data and why:

WestJet Privacy Policy: Consent clause

So, if someone chooses not to read the lengthier, more detailed clauses covering the types of personal data captured in-depth, they're still aware of the most important facts.

Most importantly, they understand their rights.

Personal Data Sharing

Chances are you need to share the data you collect with other service providers, including financial institutions and courier services. You might also share it with other third parties like marketing companies and advertisers.

In short, if you share any personal data with an external party, you must declare this in your Privacy Policy.

  • Confirm what data you give to third parties
  • Explain who you share data with, and why

McDonald's sets out its policies in Principle 5 of the Privacy Policy. It strikes a balance between giving just enough details to comply with PIPEDA, without being too dense or difficult to read:

McDonalds Privacy Policy and Principles: Principle 5 - Limit the use and disclosing of personal information clause

Include links to other key policies, such as your Terms of Use and Return Policy, within the Privacy Policy document.

Starbucks has a good example clause for this:

Starbucks Privacy Policy: Overview section with links to other agreements highlighted

This helps readers find other important and related agreements quickly, and tie in all the agreements together in an organized, streamlined way. If someone is interested in reading about your practices and rules, they will appreciate you making the other agreements and policies so accessible.

Where to Display the Privacy Policy

Where to Display the Privacy Policy

It's not enough to just write a PIPEDA Privacy Policy. You must display it somewhere obvious so people can read it before buying goods or services from you.

Your Website

Make sure there's an obvious link to your Privacy Policy somewhere on your website, whether it's in the header, footer, or sidebar.

Tim Hortons, for example, includes a link to its Privacy Policy in the website footer. You'll note it's conveniently located above their other key policies, too:

Tim Hortons website footer with Privacy Policy highlighted

What's important is that it's easy for customers to find and read your Privacy Policy before making any purchases or signing up for an account. Basically, before sharing any personal information with you.

Before Completing a Transaction

Draw a consumer's attention to your Privacy Policy before they complete a purchase through your website.

Here's an example from ASOS:

ASOS checkout form with legal agreements highlighted

When Opening a Customer Account

Ensure customers can read your Privacy Policy before they open an account with you. That way, you can assume they consent to how you plan on using their personal details.

When you register for an ASOS account, you can quickly read the Privacy Policy before signing up:

ASOS create an account form with contact preferences and legal agreements highlighted

You'll also notice ASOS uses checkboxes for getting consent for marketing purposes. This is a great idea because it's easy for customers to opt-in or opt-out, which puts your audience firmly in control of their personal data.

Mobile Apps

If you have a mobile app, don't forget to include a link to your Privacy Policy somewhere obvious, such as the account registration screen like we just examined, or within a menu, such as a Legal or About menu.

Also, make sure it's easy for people to view your Privacy Policy before they download your app. A simple way to do this is by including a link on the download page or within the app store's description (which is required in many cases).

Conclusion

If you sell goods or services to Canadian consumers, you need to write a PIPEDA-compliant Privacy Policy and display it somewhere obvious on your website and mobile app.

Every Privacy Policy must contain, at a minimum, the following clauses:

  • Introduction (including the relevant date)
  • Your company's contact details
  • A description of the cookies you use
  • What rights the consumer has over the collection, sharing, and transfer of personal data
  • An overview of the personal data you collect
  • An explanation of why you collect this data
  • Details of how you gather personal information
  • Confirmation of who you might share personal data with
  • A description of how you use personal data
  • Links to your other relevant policies

Remember, though, that a PIPEDA Privacy Policy doesn't necessarily comply with other privacy laws around the world. Always check if there are any additional Privacy Policy requirements before selling goods or services beyond Canada.

Last updated on 26 March 2021

Article categories

Jennifer L.

Legal writer.