Laws & Regulations

Global Privacy Laws: Canada PIPEDA/DPA

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s first comprehensive data protection regulation, broadly aligning with the EU GDPR. It aims to regulate personal data processing, protect individuals’ privacy and fundamental rights, and provide legal certainty for data handling. The Data Privacy Act (DPA) complements PIPEDA by addressing specific provincial privacy requirements.

Overview

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a comprehensive data privacy law passed by Canada in 2000 to protect personal data and privacy and to promote consumer trust in e-commerce. It governs how organizations collect, store, process, and share the personal information of individuals within Canada, regardless of where the organization is based, whenever the data is used for commercial purposes. Organizations collecting personal data for journalistic, artistic, or literary purposes are exempt. There are exceptions to PIPEDA where an individual province has its own privacy legislation; however, Canadian provincial data privacy laws are substantially similar to PIPEDA. The Data Privacy Act (DPA) was the 2015 amendment that modernized PIPEDA for the digital age.

Key Dates

  • Signed into law: April 13, 2000
  • Effective date: January 1, 2001

Thresholds

The PIPEDA applies to any organization, regardless of size or location, if it meets at least one of the following thresholds:

  • Private-sector organizations operating within Canada that collect, use, or disclose personal information for commercial activities. Commercial activities are broadly defined as any transaction, act, or conduct of a “commercial character.”
  • Canadian federal “works, undertakings, or businesses” that operate across all provinces and territories in Canada. This may include private entities operating under federal jurisdiction, such as international transport companies, broadcasters, telecom companies, airlines, etc.
  • All businesses that operate in Canada and handle personal information that crosses provincial or national borders in the course of commercial activities. This holds true regardless of the province or territory in which the organization is based, and it applies even to organizations located in provinces that have their own privacy legislation deemed substantially similar to PIPEDA.

Obligations Under PIPEDA/DPA

  • Data Collection
    • Data must be collected under fair and lawful means, with prohibitions on deceptive or illegal practices.
    • The purpose of data collection must be disclosed at or before the time of data collection
    • Meaningful consent must be collected from individuals for the collection, as well as the subsequent use and disclosure, of their personal information, providing clear and understandable information about these practices
    • Data collection minimization must be practiced, limiting data collection to the data necessary to enable the identified purposes
  • Data Use
    • Organizations must use personal information only for the purposes for which it was collected
    • Organizations must document any new purposes for which personal information is intended to be used
  • Disclosure of Personal Data to Third Parties
    • Disclosure to third parties requires the individual's consent prior to sharing, except for legal and security purposes
    • Third parties to which data will be disclosed must have comparable data protection and security standards as the transferring organization
  • Data Retention and Disposal
    • Organizations must retain personal information only for as long as it is necessary to fulfill the purposes for which it was collected
    • Organizations must develop and implement effective guidelines and procedures for destruction, erasure, or anonymization of personal information once it is no longer needed
    • Organizations are also expected to regularly review and update their security safeguards
  • Privacy Policies
    • Organizations must be transparent about their personal data practices by developing and implementing clear and readily accessible privacy policies
    • Policies should provide specific information about how the organization manages personal data, including the types of personal data it collects, the purposes for which it is collected, used, and disclosed, and the organization's practices for protecting it
    • Policies should be written in plain language, avoiding complex legal or technical jargon. Organizations should make these policies readily available to individuals
  • Access Requests and Challenges
    • Organizations have obligations to respond to individuals who request access to their personal information
    • Organizations must inform the individual whether they hold any personal data about them, and they must provide the individual with access to that information
    • Responses must be handled within a reasonable time frame, typically within 30 days
    • Organizations must provide a method for amending, correcting, or deleting personal data, with clear procedures established for handling challenges and complaints
  • Breach Notification Requirements
    • Data breaches require mandatory notifications (as of November 1, 2018). Notifications must include: the circumstances of the breach, the type of data involved, and harm mitigation activities
    • Records of all data breaches must be kept for 24 months after discovery
    • The Office of the Privacy Commissioner of Canada must be notified, in addition to notifying individuals.

Individual Rights Under PIPEDA/DPA

  • Right to be informed - individuals have the fundamental right to be informed about how their personal information is being handled by organizations. This includes the right to know the purposes for which an organization is collecting, using, or disclosing their data. Individuals also have the right to know who within the organization is responsible for ensuring the protection of their personal information
  • Right to access - individuals have the right to access their personal data. Individuals are entitled to be informed about whether the organization holds any personal information about them, and if so, they have the right to be given access to that information
  • Right to challenge - individuals have the right to challenge the accuracy and completeness of their data. Organizations are obligated to take reasonable steps to ensure the accuracy of the information and to update it
  • Right to withdraw consent - individuals have the right to withdraw their consent to the collection, use, or disclosure of their personal data at any time. Organizations must inform individuals about the implications of consent withdrawal
  • Right to complain to the Privacy Commissioner - individuals have the right to challenge an organization's compliance with PIPEDA, first with the accountable individual within the organization, then the Office of the Privacy Commissioner of Canada

Sensitive Data

Under PIPEDA, personal information is broadly defined as any factual or subjective information, recorded or not, about an identifiable individual. This includes information that can be used on its own or in combination with other information to identify a person. Although PIPEDA itself doesn't have a strict legal definition of sensitive personal information, the Office of the Privacy Commissioner of Canada (OPC) has provided guidance on this topic.

  • Health data (including medical records, physical or mental health information)
  • Financial data (including income, credit records, banking information)
  • Ethnic and racial origins
  • Political opinions
  • Genetic data
  • Biometric data
  • An individual’s sex life or sexual orientation
  • Religious or philosophical beliefs
  • Detailed identification information like Social Insurance Number (SIN), date of birth, or answers to security questions
  • Information that could significantly impact an individual's reputation, such as information related to human rights complaints, immigration hearings, or bankruptcy proceedings

Penalties

  • Up to CAD $100,000 for each violation incident, particularly those related to implementing proactive security safeguards, reporting data breaches that pose a real risk of significant harm, and maintaining records of data breaches
  • PIPEDA also designates certain actions as criminal offences. These include situations where an organization purposefully destroys information after receiving a request to review that information, engages in retaliatory behavior against employees who attempt to follow PIPEDA guidelines, or obstructs the OPC in its investigations.

Regions are used to customize the behavior and experience based on an individual user’s location. For example, this allows you to provide different experiences to users based on regional differences (like PIPEDA in Canada vs. CCPA in California). When a user visits your site, we will automatically determine their location and match them to the most granular region rule that you have set up in Concord. This can go down to the state/province level, which allows for different experiences for different laws.

Based on the current laws, we recommend the following regional settings:

  • Consent Mode: Express
  • Blocking Mode: Strict
  • Google Consent Mode V2: Basic
  • Consent Duration: 12 months
  • Enable Limit Sensitive Information: Off
  • Enable Do Not Sell Consent: Off
  • Enable Global Privacy Control: Off
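The "most granular region rule wins" matching described above, written out as an added illustration (this is not Concord's code, and the rule names, setting keys, and the California values are constructed for the example, not legal guidance). A province-level rule beats a country-level rule, which beats the global default.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class RegionRule:
    """A consent configuration scoped to a country or a country/subdivision pair.
    country is ISO 3166-1 alpha-2 (None = global default); subdivision is the
    province/state code (None = whole country). Hypothetical structure."""
    name: str
    country: Optional[str]
    subdivision: Optional[str]
    settings: dict

    def specificity(self) -> int:
        # Most granular rule wins: subdivision (2) > country (1) > global (0)
        return int(self.country is not None) + int(self.subdivision is not None)

    def matches(self, country: str, subdivision: Optional[str]) -> bool:
        if self.country is not None and self.country != country:
            return False
        if self.subdivision is not None and self.subdivision != subdivision:
            return False
        return True

def resolve_rule(rules, country: str, subdivision: Optional[str] = None) -> RegionRule:
    """Return the most granular rule covering the visitor's detected location."""
    candidates = [r for r in rules if r.matches(country, subdivision)]
    if not candidates:
        raise LookupError(f"no region rule covers {country}/{subdivision}")
    return max(candidates, key=RegionRule.specificity)

# Constructed sample: the page's recommended PIPEDA settings as the baseline,
# with a stricter California rule layered on top of a United States rule.
PIPEDA_SETTINGS = {
    "consent_mode": "express",
    "blocking_mode": "strict",
    "google_consent_mode_v2": "basic",
    "consent_duration_months": 12,
    "limit_sensitive_information": False,
    "do_not_sell": False,
    "global_privacy_control": False,
}
SAMPLE_RULES = [
    RegionRule("Global default", None, None, PIPEDA_SETTINGS),
    RegionRule("Canada (PIPEDA)", "CA", None, PIPEDA_SETTINGS),
    RegionRule("United States", "US", None, PIPEDA_SETTINGS),
    RegionRule("California (CCPA)", "US", "CA",
               {**PIPEDA_SETTINGS, "do_not_sell": True, "global_privacy_control": True}),
]
```

A visitor detected in Ontario resolves to the Canada rule, one in California to the California rule, and one in any country without a rule of its own falls through to the global default.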

Current PIPEDA requirements do not explicitly require Do Not Sell or Global Privacy Control, but you can enable these features if you choose to. This can be a good strategy if you want a single privacy-first configuration that you can use globally since other jurisdictions may require one or both.

For step-by-step instruction on how to configure your consent banner for different geographical regions within the Concord app, see our help document Configure Your Consent Banner for Different Geographical Regions.

While you can get as granular as you want, we typically recommend a single global policy that meets the strictest guidelines across regions, or a small number of higher-level splits (like separate GDPR and United States regions, adding additional regions only for stricter states like California if needed). If you have any questions on how and why to configure your regions in certain ways, please reach out to our support team.