Who does PIPEDA apply to: organizations across Canada
PIPEDA applies to private-sector organizations that collect, use and disclose personal information in the course of for-profit, commercial activities across Canada. In this case, “commercial activity” means any particular transaction, act or conduct or any regular course of business that is of a commercial character. Since an organization has to be for-profit for PIPEDA to apply, the law will generally not apply to not-for-profits, charity groups, political parties or associations. However, if your not-for-profit is engaging in commercial activity, the law could still apply, which means that you must perform an assessment of what activities your organization engages in to determine if this law applies.
Who does PIPEDA apply to: federally regulated businesses
PIPEDA also applies to the following types of federally regulated businesses:
- Air transportation;
- Grain elevators, feed and seed mills, feed warehouses, and grain-seed cleaning plants;
- First Nations Band Councils;
- Most federal Crown corporations;
- Post services, marine shipping, ferries, tunnels, canals, bridges and pipelines that cross international or provincial borders;
- Radio and television broadcasting;
- Railways that cross provincial or international borders and some short-line railways;
- Road transportation services that cross international or provincial borders;
- Telecommunications, such as telephone, internet, telegraph, and cable systems;
- Uranium mining and processing and atomic energy;
- Any business that is vital, essential or integral to the operation of one of the above.
Where do you do business?
Another aspect of who does PIPEDA apply to is where you conduct business. The privacy law will apply to you if you do business in:
- New Brunswick;
- Newfoundland and Labrador;
- Northwest Territories;
- Nova Scotia;
- Prince Edward Island;
Unless the personal information crosses provincial or national borders, PIPEDA will not apply to you if you operate entirely within Alberta, British Columbia, or Quebec, as these provinces have their own privacy laws that you will need to follow that are substantially similar to PIPEDA.
Do U.S. businesses need to comply with PIPEDA?
If you are doing business in the United States and have Canadian customers or if you are collecting the personal information of Canadians through your website, you may be wondering whether you need to comply with PIPEDA. Canadian courts have ruled that PIPEDA will apply to conduct that has a real and substantial connection to Canada, regardless of where you or your business is actually located. The following factors will be used to determine if there is a real and substantial connection:
- The location of the target audience of the website;
- The source of the content on your website;
- The location of the website operator;
- The location of the host server;
- Whether you market your products or services to Canadians;
- Whether you process the personal information of Canadians; and
- Whether any misuse or disclosure of personal information would have an impact on Canadians.
While the presence of only one of these factors may not be sufficient to show a connection, it appears that courts will consider a multitude of these factors in making their determination. It is important to note that businesses outside of Canada have been held as responsible for complying with PIPEDA so, if you have customers in Canada, you may need to comply with this law.
Donata is the Co-founder and President of Termageddon, an auto-updating generator of website and application policies. She is a licensed attorney and Certified Information Privacy Professional. She also serves as the Vice-Chair of the American Bar Association’s ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals. In her free time, Donata enjoys beekeeping, hunting for morel mushrooms, and walks with her husband and two dogs.