Complying With PIPEDA

Complying With PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's main federal law relating to privacy in the private sector. It covers personal information collected, used or disclosed while carrying out commercial activities.

When handling this personal information you must follow 10 fair information principles. The overall effect of these principles is that individuals:

  • Give consent to the use of their personal information
  • Can access it
  • Can correct it
  • Know it will be safeguarded

Individuals can formally complain about your business breaching PIPEDA.

Normally these complaints go to mediation but some cases may go to the Office of the Privacy Commissioner for recommendations, or even to the Federal Court for a court order. Some serious breaches of PIPEDA are automatically a criminal offense.

Let's get into some specifics about PIPEDA.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Privacy Policy Generator - Select platforms - Step 1

  4. Add information about your business: your website and/or app.
  5. Privacy Policy Generator - Add your business info - Step 2

  6. Select the country:
  7. Privacy Policy Generator - Add your business info - Step 2

  8. Answer the questions from our wizard relating to what type of information you collect from your users.
  9. Privacy Policy Generator - Answer questions from our wizard - Step 3

  10. Enter your email address where you'd like your Privacy Policy sent and click "Generate". Privacy Policy Generator - Enter your email address - Step 4

    And you're done! Now you can copy or link to your hosted Privacy Policy.

Does PIPEDA Affect You?

In simple terms, PIPEDA applies to any situation where:

  • You are handling personal information,
  • You are doing it in the course of a commercial activity, and
  • The situation isn't covered by an exemption

Let's break these down in detail.

Personal Information

The legislative text of PIPEDA itself simply defines personal information as "information about an identifiable individual."

Meanwhile, the Office of the Privacy Commissioner clarifies that this information can be factual or subjective. It goes on to give a wide range of examples.

The most important thing to understand is that "personal information" is not restricted to what you might think of as somebody's personal life. For example, it could cover information relating to the person's activities and status as an employee or consumer.

"Handling" personal information covers collecting, disclosing or using the information. The data doesn't have to be recorded or stored.

Commercial Activity

PIPEDA's legislative text gives a more detailed definition of commercial activity, namely:

"Any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists."

A key point to remember here is that it's the activity for which you are using the information that must be "commercial," not the information itself.

What does and doesn't count as "commercial activity" is an evolving definition that's refined by decisions such as this one by the Assistant Privacy Commissioner:

Office of the Privacy Commissioner of Canada: PIPEDA investigations - Summary of Findings

It's easy to see that having a website to advertise your business clearly counts as a commercial activity.


PIPEDA does lay down several exemptions that mean the requirements don't apply even if you're handling personal information in the course of a commercial activity. The exemptions are very specific and can depend on who you are, what information you're handling, where you handle it, or why you do it.

Who You Are

  • Federal government organizations listed under the Privacy Act are exempt from PIPEDA.
  • Provincial and territorial governments are exempt from PIPEDA, as are their agents.
  • Not-for-profit groups, charity groups, political parties and political associations are generally exempt from PIPEDA. However, PIPEDA does apply where such organizations are carrying out a commercial activity that isn't "central to their mandate."
  • Hospitals, municipalities, schools and universities are usually exempt because of being covered by a provincial law instead.

What Information You're Handling

Business contact information is usually exempt from PIPEDA as long as you only use it for contacting the person in a professional capacity.

Where You're Handling Information

You may be exempt from PIPEDA if your province has its own privacy legislation. The Office of the Privacy Commissioner notes that this can apply generally in:

  • Alberta
  • British Columbia
  • Quebec

It can also apply specifically to personal health information in:

  • Labrador
  • New Brunswick
  • Newfoundland
  • Nova Scotia
  • Ontario

This exemption only applies to commercial activities that are solely within the relevant province. It doesn't apply to interprovincial or international transactions.

This exemption doesn't apply at all to federally regulated organizations, regardless of where the commercial activities happen.

Why You're Handling The Information

An individual is exempt from PIPEDA if they are collecting the personal information solely for personal purposes. The Office of The Privacy Commissioner gives the example of collecting addresses to send out personal greetings cards.

An organization is exempt from PIPEDA if they are collecting the personal information solely for "journalistic, artistic or literary purposes."

Requirements of PIPEDA

Requirements of PIPEDA

To comply with PIPEDA you must take several steps when handling the personal information.

The first step is to get the individual's consent before handling the information. This usually has to be explicit consent. You should only ever work on an "opt-out" basis if the information is already publicly available.

Here's how IntelliWHiTE uses checkboxes to get consent to send emails and product offers when collecting email addresses and names:

IntelliWHiTE Sign-up form with agree checkboxes for emails and Privacy Policy

The consent must be obtained to handle the information for a specific stated purpose. If you later decide to use the information for a different purpose you must get fresh consent.

In the example above, if IntelliWHiTE decided it wanted to use email addresses for anything other than "general emails and product offers" it would have to get fresh consent for that different purpose.

The second step is to let the individual see what personal information you hold about them if they ask. You must also correct the information if they show it is inaccurate.

Here's how Perth & Smiths Falls District Hospital explains how patients can request a correction to their information, as well as explaining the way in which the hospital deals with such requests:

PSFDH Privacy FAQ: Corrections to Personal Health Information clause excerpt

The third step is to adequately safeguard the information against being used for any purpose without consent, or falling into somebody else's hands. You should make sure individuals are aware of these safeguards.

Principles of PIPEDA

Principles of PIPEDA

While complying with PIPEDA can be a broad and complicated operation, it lays down 10 principles to follow. These are not simply guidelines or helpful tips: they are specifically detailed in the legislation itself and must be complied with.

They share a common theme that to properly comply with PIPEDA you need to act when or even before you first collect the information.

The principles, and some of the practical steps you can take to comply, are as follows.

1. Accountability

You should designate at least one person in your organization who is responsible for making sure you comply with PIPEDA. They should develop a clear Privacy Policy that covers the other nine principles. This person should be a senior figure with the authority and support to carry out tasks.

Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in and what information you need to disclose to your users.

2. Identifying Purposes

You should always decide and record the purpose for which you are collecting a particular piece of information. This helps make sure you:

  • Can tell individuals why you collected the information
  • Take necessary steps to avoid using it for another reason
  • Know when you are using it for another reason and thus need to get fresh consent

This clause in Sync's Privacy Policy gives clear examples of why the company collects particular types of personal information and different ways it could use it:

Sync Privacy Policy: Identifying Purposes clause

You must always get clear and informed consent from the individual before collecting information. You need to make sure the individual understands what giving consent means and that they don't feel pressured or tricked into giving it. You should document any situations where you decide you don't need to gain consent.

This form from Swim Ontario is a good example of including enough detail to be sure the individual has given informed consent:

Swim Ontario PIPEDA officials registration consent form

4. Limiting Collection

You should only ever collect information that's strictly necessary for the purposes for which the individual consented.

Review your data collection procedures to distinguish between information that you have to collect (for example, so you can provide a service) and information that you aren't required to collect (for example, to make your operations easier.)

5. Limiting Use, Disclosure, and Retention

You should develop policies and procedures to make sure you only use personal information for the purposes for which the individual consented.

You also need to have a policy for how long you hold on to information. Generally, this should be no longer than necessary to carry out the stated purpose.

However, if you use the information to make a decision about the individual, you must hold on to the information for long enough that the individual has a chance to review it.

6. Accuracy

You must keep personal information as "accurate, complete, and up-to-date" as is needed for the stated purpose. Exactly how you do this will depend on how you use the information.

One important point is to keep information up-to-date enough to minimize the risk of using outdated information to make a decision regarding the individual.

7. Safeguards

You must protect the information against unauthorized access, theft, copying or alteration, including when you are destroying records.

The level of security in these safeguards should be appropriate for the level of sensitivity of the information. Your safeguards can include physical access restrictions such as passwords, organizational measures such as only giving certain staff permission to access the information, and technological measures such as encryption.

8. Openness

You must make sure people are aware of how you collect, handle and store information about them. You should publish details of your policies and procedures relating to personal information in a Privacy Policy.

Include the name and contact information for the person you designated as responsible for complying with PIPEDA.

Other points to cover in your Privacy Policy include how individuals can request access to the personal information about them, and how you share personal information with other organizations, for example a subsidiary.

One approach, as used here by Gerber Life, is to base the policy notice you publish around the PIPEDA principles:

Gerber Life: PIPEDA-Canada Privacy Policy excerpt

9. Individual Access

If an individual makes a written request regarding their personal information, you must respond with details of whether you hold personal information about them, what that information is, how you've used it, and what third parties you've shared it with.

You must also let them say if the information is inaccurate or incomplete, and you must correct or update it if appropriate.

Usually you must give a full response within 30 days of the initial request.

10. Challenging Compliance

You must have procedures in place to receive, consider and respond to a complaint that you aren't complying with these principles.

You'll need to investigate the complaint and take necessary action if you find it's justified. This may include changing your policies or procedures.

You must tell the individual what, if any, action you've taken, as well as what measures they can take if they aren't satisfied with your response.

Breaches of PIPEDA

Breaches of PIPEDA

The range of possible outcomes after an alleged breach of PIPEDA is complicated. The general idea is to try to resolve it amicably early on but with the possibility of firmer consequences if needed.

This flowchart from the Office of The Privacy Commissioner summarizes the process.

Office of the Privacy Commissioner of Canada - PIPEDA enforcement flowchart

The "Addresses, closed at intake" outcome is where you and the complainant resolve the issue yourselves without any outside help.

Contrastingly, the "Early resolution" outcome is where you reach a resolution after mediation with the help of a dedicated officer from the Office of The Privacy Commissioner.

The "Investigation" stage can end with the Office of the Privacy Commissioner issuing a report of findings and recommendations. These recommendations are not legally binding orders in themselves.

However, if you don't follow the recommendations the case could go to a federal court, which can legally order that you do any or all of the following:

  • Change your practices to comply with PIPEDA
  • Publish a notice to say you've made these changes
  • Pay damages to the person who brought the complaint

PIPEDA lists three specific criminal offences, namely:

  • Intentionally destroying information after somebody makes a valid request to access it
  • Retaliating against an employee who has complained about a breach or refused to breach PIPEDA themselves
  • Obstructing officials investigating a complaint

Doing any of these could lead to criminal prosecution.


There's a lot of detail to consider with PIPEDA because handling personal information is such a broad area for any business. So let's recap the seven main things you need to know and do to avoid breaching the law.

  1. Understand whether and when PIPEDA affects you. If you are handling personal information in the course of commercial activities in Canada, PIPEDA normally applies.

    The main exceptions are for activity within a province that has its own laws on personal information, and for non-business groups carrying out their main purpose (such as charity work or political campaigning.)

  2. Understand the key requirements: you must get specific, informed consent from the individual to use information for a specific purpose, you must let them see and if necessary correct the information, and you must safeguard the information.
  3. Designate a senior person from your organization to take responsibility for PIPEDA compliance.
  4. Develop clear policies and procedures to make sure you follow the 10 principles of PIPEDA, bearing in mind these principles are part of the law rather than general guidelines. Have a Privacy Policy to disclose your policies and procedures.
  5. Keep records of the purpose for which you gather information, the consent you've gathered, the ways in which you use or share the information, and when you should dispose of it.
  6. Make sure individuals know how you handle information, how they can access and correct it, and how they can complain if they think you've breached PIPEDA. Make sure you have systems in place to deal with any of these requests or complaints.
  7. Never destroy information after a valid access request, retaliate against an employee's legitimate behavior in relation to PIPEDA, or obstruct any investigation into alleged breaches. These are all criminal offenses.