The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the Personally Identifiable Information (PII) of Canadians by providing certain privacy rights to individuals. The PIPEDA rights for consumers include:
- The right to access the PII that an organization holds about them;
- The right to ask for the correction or completion of that PII;
- The right to withdraw consent to the processing of their PII; and
- The right to lodge a complaint about the processing of their PII with the authorities.
PIPEDA rights for consumers: access
The first privacy right provided by PIPEDA is the right of an individual to access the PII that you have collected about them. This right of access ensures the individual has a full understanding of what information they are exchanging for your goods or services, thereby allowing them to make an educated decision on value and risk. This right requires you to advise individuals of what PII you hold, the sources from which you have obtained the PII, how you use that PII, and who you share it with.
If an individual makes an access request, you must respond as quickly as possible. In this case, “as quickly as possible” means no more than 30 days after receiving the request, though that time period may be extended under certain circumstances. There should be no cost to the individual for obtaining access. However, a minimal cost is acceptable if you notify the individual of the cost and obtain his or her confirmation prior to processing the request. If you refuse to grant access, you must inform the individual of this decision, explain why you are refusing to honor the request, and inform them of any recourse available to them.
Right to rectification
The second on the list of PIPEDA rights for consumers is the right to rectification. This right ensures that consumers can request that you correct or amend their PII in cases where the accuracy or completeness is deficient. In responding to a rectification request, you must follow the requirements outlined above. If you do make amendments to the PII that you hold, you must also send the revised information to any third parties that have access to that information, in cases where doing so is appropriate.
PIPEDA rights for consumers: withdrawing consent
Under the third PIPEDA fair information principle, organizations must obtain consent from the individual to collect, use or disclose their PII. While obtaining proper consent under PIPEDA comes with its own set of requirements, it is important to note that individuals can withdraw that consent at any time. If an individual has submitted a request to withdraw their consent, you should inform them of the consequences of doing so. Generally, you must honor such requests, although you may refuse to do so under certain legal or contractual exceptions.
Right to lodge a complaint
The final privacy right on the list of PIPEDA rights for consumers is the right to lodge a complaint about the processing of their PII with authorities. An individual must be aware that if they complain to your organization and are not satisfied with your response, they can file a complaint with the Office of the Privacy Commissioner of Canada, which can then pursue the complaint.
- The name and contact information of the person responsible for your website’s privacy practices and policies;
- A list of the PIPEDA rights for consumers;
- How an individual can exercise those rights; and
- What information the individual will need to provide to verify their identity to exercise their rights.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.