Who does PIPEDA apply to?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the personal information of Canadians.  The law accomplishes this goal by providing certain privacy rights to Canadians, requiring websites to have a Privacy Policy that makes specific disclosures, and imposing restrictions on the collection, use, and disclosure of personal information. In this article, we will answer the question of who does PIPEDA apply to so that you are aware of the compliance requirements that your website needs to meet. 

Who does PIPEDA apply to: organizations across Canada

PIPEDA applies to private-sector organizations that collect, use and disclose personal information in the course of for-profit, commercial activities across Canada. In this case, “commercial activity” means any particular transaction, act or conduct or any regular course of business that is of a commercial character. Since an organization has to be for-profit for PIPEDA to apply, the law will generally not apply to not-for-profits, charity groups, political parties or associations. However, if your not-for-profit is engaging in commercial activity, the law could still apply, which means that you must perform an assessment of what activities your organization engages in to determine if this law applies. 

Who does PIPEDA apply to: federally regulated businesses

PIPEDA also applies to the following types of federally regulated businesses: 

  • Air transportation; 
  • Banks; 
  • Grain elevators, feed and seed mills, feed warehouses, and grain-seed cleaning plants; 
  • First Nations Band Councils; 
  • Most federal Crown corporations; 
  • Post services, marine shipping, ferries, tunnels, canals, bridges and pipelines that cross international or provincial borders; 
  • Radio and television broadcasting; 
  • Railways that cross provincial or international borders and some short-line railways; 
  • Road transportation services that cross international or provincial borders; 
  • Telecommunications, such as telephone, internet, telegraph, and cable systems; 
  • Uranium mining and processing and atomic energy; 
  • Any business that is vital, essential or integral to the operation of one of the above. 

If your business is one of the above types, PIPEDA applies to you and your website needs to have a PIPEDA compliant Privacy Policy. 

Where do you do business? 

Another aspect of who does PIPEDA apply to is where you conduct business. The privacy law will apply to you if you do business in: 

  • Manitoba; 
  • New Brunswick; 
  • Newfoundland and Labrador; 
  • Northwest Territories; 
  • Nova Scotia; 
  • Nunavut; 
  • Ontario; 
  • Prince Edward Island; 
  • Saskatechwan; 
  • Yukon. 

Unless the personal information crosses provincial or national borders, PIPEDA will not apply to you if you operate entirely within Alberta, British Columbia, or Quebec, as these provinces have their own privacy laws that you will need to follow that are substantially similar to PIPEDA. 

Do U.S. businesses need to comply with PIPEDA?

If you are doing business in the United States and have Canadian customers or if you are collecting the personal information of Canadians through your website, you may be wondering whether you need to comply with PIPEDA. Canadian courts have ruled that PIPEDA will apply to conduct that has a real and substantial connection to Canada, regardless of where you or your business is actually located. The following factors will be used to determine if there is a real and substantial connection: 

  • The location of the target audience of the website; 
  • The source of the content on your website; 
  • The location of the website operator; 
  • The location of the host server; 
  • Whether you market your products or services to Canadians; 
  • Whether you process the personal information of Canadians; and 
  • Whether any misuse or disclosure of personal information would have an impact on Canadians. 

While the presence of only one of these factors may not be sufficient to show a connection, it appears that courts will consider a multitude of these factors in making their determination. It is important to note that businesses outside of Canada have been held as responsible for complying with PIPEDA so, if you have customers in Canada, you may need to comply with this law. 

If your business is located in Canada or has the requisite connection to Canada, you need to ensure that you are complying with PIPEDA by following the fair information principles, having a compliant Privacy Policy, and respecting the privacy rights of Canadians. Use Termageddon’s Privacy Policy generator to help create your PIPEDA ready Privacy Policy and avoid fines for non-compliance.