PIPEDA compliance guide

Privacy Policy

Canada, PIPEDA

Donata Stroink-Skillrud

Co-founder and President of Termageddon

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law, enacted to protect the privacy rights of Canadians. PIPEDA does this by giving Canadians rights over their personal information, requiring organizations (including the websites they operate) to be open about their privacy practices through a Privacy Policy, and imposing fines for certain failures to comply. In this Compliance Guide, we will discuss the following as it relates to PIPEDA:

  • Who this privacy law applies to;
  • How PIPEDA defines personal information;
  • The privacy rights provided by this law;
  • PIPEDA Privacy Policy requirements;
  • The penalties for failing to comply.

Who does PIPEDA apply to?

PIPEDA applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. Commercial activity means any transaction, act or conduct, or any regular course of conduct, that is of a commercial character. Some provinces (currently Alberta, British Columbia and Quebec) have their own private-sector privacy laws that apply in place of PIPEDA within that province, but PIPEDA still applies to all businesses that operate in Canada and handle personal information that crosses provincial or national borders, regardless of the province or territory in which the business is actually based.

PIPEDA can also apply to businesses that are based outside of Canada if there is a real and substantial connection to Canada, whether through the subject matter, the parties, or the territory of Canada. In practice, this means that companies located outside of Canada that have clients in Canada or that hold the personal information of Canadians may also need to comply with PIPEDA.

How does PIPEDA define personal information?

Privacy laws start applying once your website collects personal information, which means that the law's definition of personal information may determine whether that law applies to you. PIPEDA defines personal information as information about an identifiable individual. This covers obvious identifiers (names, email addresses, phone numbers, postal addresses) as well as any data that, on its own or combined with other pieces of data, can identify someone as an individual. PIPEDA also gives the following examples of personal information about an individual:

  • Race, national or ethnic origin;
  • Religion;
  • Age;
  • Marital status;
  • Medical, educational or employment history;
  • Financial information.

For more information on how to determine if you are collecting personal information under PIPEDA, read our blog post on the PIPEDA definition of personal information.

Privacy rights

PIPEDA aims to protect the personal information of Canadians by providing them with the following privacy rights:

  • The right to access the personal information that a business has collected about them;
  • The right to challenge the accuracy and completeness of that information and to have it amended;
  • The right to withdraw consent to the collection, use or disclosure of their information, subject to legal or contractual restrictions;
  • The right to lodge a complaint regarding the handling of their personal information, first with the business itself and then with the Office of the Privacy Commissioner of Canada.

If PIPEDA applies to you, then you need to respect the above privacy rights and your website needs to have a compliant Privacy Policy.

Privacy Policy requirements

PIPEDA ensures that consumers can make informed decisions about their personal information by requiring organizations to make their privacy policies and practices readily available, which for a website means having a Privacy Policy. A PIPEDA compliant Privacy Policy must include the following disclosures:

  • The name or title, and the address, of the person who is accountable for your privacy policies and practices and to whom complaints or inquiries can be forwarded;
  • The means of gaining access to the personal information you hold about Canadians;
  • A description of the personal information that you hold and the purposes for which you will use it;
  • A copy of any brochures or other information that explain your policies, standards or codes;
  • Where you obtain the personal information from;
  • How you protect the personal information;
  • Whether you intend to transfer personal information outside of Canada;
  • What personal information you share with others, if any; and
  • The categories of third parties with whom you share the personal information.

Failing to have a compliant Privacy Policy can lead to complaints from consumers, investigations by the Office of the Privacy Commissioner of Canada, and fines.

Penalties for non-compliance

Certain violations of PIPEDA, such as failing to report or keep records of security breaches, obstructing an investigation, or retaliating against an employee who reports a violation, are offences punishable by fines of up to $100,000 per offence. Fines are assessed per offence rather than per visitor, so they can add up quickly, even if you have only a few dozen website visitors from Canada per month.

If it applies to you, this law requires you to have a compliant Privacy Policy that makes all of the required disclosures and to respect the privacy rights of Canadians. Use Termageddon’s Privacy Policy generator to help get your PIPEDA Privacy Policy.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
