The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the Personally Identifiable Information (PII) of Canadians by providing certain privacy rights to individuals. The PIPEDA rights for consumers include:
- The right to access the PII that an organization holds about them;
- The right to ask for the correction or completion of that PII;
- The right to withdraw consent to the processing of their PII; and
- The right to lodge a complaint about the processing of their PII with the authorities.
In this article, we will discuss the PIPEDA rights for consumers and how these rights affect your business and Privacy Policy.
Table of Contents
PIPEDA rights for consumers: access
The first privacy right provided by PIPEDA is the right of an individual to access the PII that you have collected about them. This right of access ensures the individual has a full understanding of what information they are exchanging for your goods or services, thereby allowing them to make an educated decision on value and risk. This right requires you to advise individuals of what PII you hold, the sources from which you have obtained the PII, how you use that PII, and who you share it with.
If an individual makes an access request, you must respond as quickly as possible. In this case, “as quickly as possible” means not more than 30 days since receiving the request, though that time period may be extended under certain circumstances. There should be no cost to the individual for obtaining access. However, minimal cost is acceptable if you notify the individual of the cost and obtain his or her confirmation prior to processing the request. If you refuse to grant access, you must inform the individual of this decision, explain why you are refusing to honor the request, and inform them of any recourse available to them.
Right to rectification
The second on the list of PIPEDA rights for consumers is the right to rectification. This right ensures that consumers can request that you correct or amend their PII in cases where the accuracy or completeness is deficient. In responding to a rectification request, you must follow the requirements outlined above. If you do make amendments to the PII that you hold, you must also send the revised information to any third parties that have access to that information, in cases where doing so is appropriate.
PIPEDA rights for consumers: withdrawing consent
Under the third PIPEDA fair information principle, organizations must obtain consent from the individual to collect, use or disclose their PII. While obtaining proper consent under PIPEDA comes with its own set of requirements, it is important to note that individuals can withdraw that consent at any time. If an individual has submitted a request to withdraw their consent, you should inform them of the consequences for doing so. Generally, you must honor such requests, although you may refuse to do so under certain legal or contractual exceptions.
Right to lodge a complaint
The final privacy right on the list of PIPEDA rights for consumers is the right to lodge a complaint about the processing of their PII with authorities. An individual must be aware that if they complain to your organization and are not satisfied with your response, they can file a complaint with the Office of the Privacy Commissioner of Canada who can then pursue the complaint.
How the PIPEDA privacy rights for consumers affects your Privacy Policy
One of the ways in which PIPEDA protects the above privacy rights of Canadians is by requiring websites to have a Privacy Policy that makes specific disclosures. In order to properly effectuate the rights above, your Privacy Policy must disclose the following information. Please note that PIPEDA requires multiple additional disclosures that are listed in this article.
- The name and contact information of the person responsible for your website’s privacy practices and policies;
- A list of the PIPEDA rights for consumers;
- How an individual can exercise those rights; and
- What information the individual will need to provide to verify their identity to exercise their rights.
Having a Privacy Policy that makes the proper disclosures is an excellent way to help effectuate the privacy rights above. Use Termageddon’s Privacy Policy generator to create your PIPEDA ready Privacy Policy today and avoid privacy-related fines.