The Personal Information Protection and Electronic Documents Act (PIPEDA) is a privacy law that protects the Personally Identifiable Information (PII) of Canadians. PIPEDA has strict restrictions on the collection, use, and disclosure of this PII, including requiring Privacy Policy disclosures, privacy rights for Canadians, and the requirement to follow the ten PIPEDA Fair Information Principles. Due to the high operational costs of implementing a privacy program, all organizations should check whether this privacy law applies to them prior to carrying out compliance tasks. PIPEDA generally applies to private-sector organizations across Canada that collect, use, and disclose PII in the course of commercial activity as well as organizations outside of Canada that collect the PII of Canadians.
In this article, we will discuss who is exempt from PIPEDA so that you can determine if you need to comply with this law.
Who is exempt from PIPEDA: collecting PII
PIPEDA applies to organizations that collect PII, so if you do not collect PII, then you may be exempt. Most modern websites collect PII, which is defined as any factual or subjective information, recorded or not, about an identifiable person. Examples of PII include:
- Name;
- Email;
- Phone number; and
- Physical address.
Websites usually collect PII through tools such as contact forms, eCommerce forms, newsletter sign-up forms, account setup forms, advertising pixels, and analytics. Though it is unlikely, if your website does not collect PII, then you may be exempt from the requirements of PIPEDA.
Participating in non-commercial activities
The next answer to the question of who is exempt from PIPEDA is organizations that are not engaging in commercial activities. PIPEDA defines “commercial activity” as any particular transaction, act or conduct or regular course of conduct that is of a commercial character. This means that your organization may be exempt from PIPEDA if it is a not-for-profit, charity group, political party or association. These entities should note that if they participate in activities such as selling, bartering or leasing of donor or other lists, they may lose the protected status and still have to comply with PIPEDA.
Who is exempt from PIPEDA – other examples
The purpose of PIPEDA is to protect the PII of Canadians collected by companies that may exploit that PII for aggressive marketing or profit, so it makes sense that certain activities are exempt from the reach of the law. The following are exempt from PIPEDA:
- PII held by federal government organizations listed under the Privacy Act;
- Provincial or territorial governments and their agents;
- Business contact information (e.g. an employee’s name, email, title, business address and phone number) that is collected, used or disclosed solely for the purpose of communicating with that person in relation to their employment or profession;
- An individual’s collection, use or disclosure of PII strictly for personal purposes; and
- An organization’s collection, use or disclosure of PII solely for journalistic, artistic or literary purposes.
Hopefully, this article has aided you in answering the question of who is exempt from PIPEDA. If you are still not sure if you need to comply with this privacy law, read our article on who does PIPEDA apply to. If PIPEDA does apply to you, you need to make sure that your website has a comprehensive Privacy Policy that contains all of the required disclosures. Use Termageddon’s Privacy Policy generator to help create your PIPEDA-ready Privacy Policy and avoid privacy-related fines.