- Who this privacy law applies to;
- How PIPEDA defines personal information;
- The privacy rights provided by this law;
- The penalties for failing to comply.
Who does PIPEDA apply to?
PIPEDA applies to private companies across Canada that collect, use or disclose personal information in the course of a commercial activity. In this case, commercial activity means any transaction, act, or conduct, or any regular course of conduct that is of a commercial character. PIPEDA also applies to all businesses that operate in Canada and handle personal information that crosses provincial or national borders, regardless of the territory in which the business is actually based.
PIPEDA can also apply to businesses that are based in Canada if there is a real and substantial connection either between the subject matter, the parties, or the territory of Canada. Companies that are located outside of Canada but have clients in Canada or that hold the personal information of Canadians may also need to comply with PIPEDA.
How does PIPEDA define personal information?
Privacy laws start applying once your website collects personal information, which means that the law’s definition of personal information may determine whether that law applies to you. PIPEDA defines personal information as data about an identifiable individual, or information that, on its own or combined with other pieces of data, can identify someone as an individual. PIPEDA states that the definition of personal information includes, for example, an individual’s:
- Race, national or ethnic origin;
- Marital status;
- Medical, educational or employment history;
- Financial information.
For more information on how to determine if you are collecting personal information under PIPEDA, read our blog post on the PIPEDA definition of personal information.
PIPEDA aims to protect the personal information of Canadians by providing them with the following privacy rights:
- The right to access the personal information that a business has collected about them;
- The right to request that the business amend any of the information collected on that person;
- The right to withdraw consent to the processing of their information;
- The right to lodge a complaint regarding the processing of their personal information.
- The name or title, and the address of the person who is accountable for your privacy policies and practices and to whom complaints or inquiries can be forwarded;
- The means of gaining access to the personal information you hold about Canadians;
- A description of the personal information that you hold and the purposes for which you will use it;
- A copy of any brochures or other information that explain your policies, standards or codes; and
- What personal information you share with others, if any.
Penalties for non-compliance
Failure to comply with PIPEDA can lead to fines of up to $100,000 for each violation. This means that fines can add up very quickly, even if you have only a few dozen website visitors from Canada per month.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.