PIPEDA Canada

Who is excluded from compliance with PIPEDA? 

There are several instances where PIPEDA Canada is not applicable, namely: 

1. for government institutions to which the Privacy Act applies;
2. for any individual that collects, uses or discloses for personal or domestic purposes only, meaning no other purpose except these; and
3. for any organization that collects, uses or discloses personal information for literary, journalistic or artistic purposes only.
   
   

How can I keep my organization compliant with PIPEDA? 

Under PIPEDA Canada, the information that is generally used for online monitoring and targeted advertising, such as a website visitor’s IP address, can be considered personal information. 

Website visitors have to be aware of and consent to the collection, use or disclosure of the personal information collected and opting out should be made available to them at the time of or even before collection. 

Unless you can inform your website visitors that you are collecting their personal information, and for what purposes, in an easy to understand language, and cannot offer them a way to consent to or opt out of the collection of their personal information, you should not use any tracking technology, even if it is for advertising purposes or website analytics only. 

The same applies if opting out of personal information collection results in your website being unusable. 

Because meaningful consent is required for the collection, use and disclosure of personal information, it may prove difficult to get consent from children, so you should avoid tracking children and websites aimed at children.

PIPEDA Canada outlines 10 principles that you need to follow in order to maintain compliance. These 10 PIPEDA principles are closely related among themselves and are as follows: 

PIPEDA Principle 1 — Accountability

You are responsible for the personal information you collect and such must designate one or more DPOs, as well as educate your staff regarding your company’s policies and practices. 

The identity of the DPO(s) has to be either made readily available, or provided upon request.

Last but not least, you are responsible for setting up procedures for receiving and answering complaints and enquiries. 

PIPEDA Principle 2 — Identifying Purposes

You are responsible for identifying the purposes of personal information collection either before or at the time of collection.

This has to be made explicit to your visitors and if the purpose of the information collected changes, you will need to ask for consent once more, unless the new purpose is mandated by law.

PIPEDA Principle 3 - Consent

You must ensure the knowledge and consent of your website’s visitors in order to be compliant when collecting, using or disclosing personal information, unless consent is impossible to obtain or irrelevant, for example in legal, medical or security situations.

This principle requires both knowledge and consent of the targeted individuals and use of your product can in no way be restricted/conditioned depending on the consent given or withdrawn.

The form in which consent is obtained can vary, and consent can be withdrawn at any time at which point you must inform the individual(s) in question of the implications of their withdrawn consent. 

PIPEDA Principle 4 — Limiting Collection

The amount as well as the types of personal information you collect has to be limited to that which is necessary for the purposes already outlined. 

Information must be collected by fair and lawful means, without deception.

PIPEDA Principle 5 —Limiting Use, Disclosure, and Retention

You cannot use or disclose the personal information you have collected for any other purpose than those for which the information was collected, unless you first obtain the consent of the owner of the information, or unless required by law to do so. 

Once the personal information has served the intended purpose it has to be destroyed, erased or made anonymous. 

You are responsible for developing guidelines and implementing procedures for the retention and ultimately erasure, destruction or anonymization of the personal information collected, once it no longer serves the intended purpose.

Retention periods may be subject to legislative requirements or can be established by your organization. 

PIPEDA Principle 6 — Accuracy

The personal information that you collect has to be at all times accurate, up to date and complete, as is necessary to serve the intended purpose for which it was collected. 

You have to take into account the interests of the individual whose personal information you collected, as well as the use of the information itself in order to determine the extent to which it is accurate, up to date and complete.

Updating personal information should not be a routine practice unless you need to do so to fulfill the purpose for which the information was collected.

PIPEDA Principle 7 — Safeguards

In order to ensure the protection of the personal information that you collect, you must have safeguards in place that match the degree to which the personal information is sensitive.

Your safeguards will also depend on the amount, distribution, format or method of storage of the information and can include physical measures, organizational measures or technological measures. 

Safeguards apply also in the disposal or destruction of personal information that is no longer accurate.

PIPEDA Principle 8 — Openness

You have to provide your website visitors with detailed information on your policies and practices that outline how you manage their personal information.

The information has to be made readily available and in a format that is easy to understand and it has to include details such as the contact details of your DPO, the means through which you collect their information, as well as what type of information you collect and for what purpose, and last but not least, what information you share with related organizations, such as subsidiaries. 

PIPEDA Principle 9 — Individual Access

Your website visitors must have access at any given time to their personal information that you hold on your website. If they ask, you have to inform them of the existence, use and/or disclosure of their information, and they have to be able to challenge the accuracy of the information you hold about them. 

A few key points: 

• There are certain cases where providing access to information may not be possible but these exceptions should be limited and very specific.
• A clear reason has to be given to your visitors for your not being able to provide access.
• Exceptions include information that contains references to other individuals, information that would result in a high cost for yourself, information protected by commercial proprietary reasons, security or legal reasons, and information that is protected by solicitor-client privilege. 
• Your visitors may be asked to provide sufficient information to gain access to the personal information you hold, before gaining access.
• When referring to any third parties that have received personal information of your visitors, you have to be as specific as possible and where this is not possible, a list of organizations to which you may have disclosed information about the visitor should be provided instead. 
• You have to reply to every request for access in a timely manner and at minimal or no cost for the person that sent the request. The time frame given is 30 days since receiving the request. 
• When the personal information you hold is proven to be inaccurate by the owner of the information, you have to amend it accordingly, whether this means correction, addition or deletion of data, and, where appropriate, you have to transmit the updated information to third parties that have access to it.
• When a challenge of accuracy is not resolved to the satisfaction of the visitor that sent the request, you have to record this and, where appropriate, you have to transmit the updated information to third parties that have access to it.

PIPEDA Principle 10 — Challenging Compliance

Your website visitors have to be able to challenge compliance with any of the above principles at any given time by contacting your DPO. 

In this respect, you have to have procedures in place for receiving and responding to complaints or inquiries about your privacy policy as well as how you handle personal information, and these have to be easily accessible and simple to use.

Once you’ve received a complaint or inquiry, you have to inform the sender of the existence of relevant procedures, you have to investigate every complaint and, if found to be justified, you have to take appropriate action including, if necessary, updating your policies and practices for handling personal information.

In addition to following the 10 principles that stand at the base of PIPEDA, your website should clearly state how you plan to do this. 

Keeping your website visitors informed about the collection of their personal information, as well as how you plan to use, share or protect this, will ensure that you stay ahead of any potential issues and also that your website visitors will feel safe to come back to you.

At Clym, we can help you do this via our cookie banner which will let your website visitors know that your website uses cookies, it will give them access to your privacy policies, and will allow for the opt-out option, should they wish to choose this.  

The OPC requires organizations to report to them as well as to inform the affected individual(s), following any breach of security safeguards. 

The details for this are outlined on their page, at the relevant section, which can be accessed here. 

You are encouraged to file your report using the PDF form available, but you also have the option to submit this in any other format you deem fit for purpose, and to use the OPC’s secure breach reporting portal.

What data access rights does PIPEDA Canada grant? 

Unlike other data privacy laws, PIPEDA details a general right of access for individuals as outlined by the 10 principles. However, it also allows for 3 data subject access rights, namely:

• Right to access
• Right to know 
• Right to correct 

How to address data subject access requests under PIPEDA?

Upon receiving a data subject access request, you have to take the following steps: 

• Inform the requester whether you have the information about them that they are asking for;
• Inform them how it has been used and provide a list of the third parties to which it was disclosed;
• Give them access to the information in an easily accessible format and either at now cost or at a minimal cost;
• Correct or amend information that is proven to be inaccurate and, where needed, inform third parties of the updated information;
• Respect the 30 day deadline for answering each request and, if needed, confirm to them that you require an additional 30 days extension to come back to them with an answer.
  
  

Enforcement and penalties

The OPC is in charge of overseeing compliance with PIPEDA and in the event of a breach it can cost you up to $100,000 per violation.

GDPR vs. PIPEDA Canada

Although they both govern data privacy and give your visitors more control over their personal information, the two have a few main differences between them:

1. GDPR applies to any business that collects and uses the personal information of individuals residing in the EEA (European Economic Area), whereas PIPEDA applies only to private-sector organizations that process personal information for commercial purposes.
2. As far as jurisdiction is concerned, GDPR applies across all EEA as well as non-EEA businesses that interact with EEA residents; PIPEDA is restricted to certain Canadian provinces and only to some foreign organizations who, according to the OPC, have a substantial connection to Canada. 
3. When speaking about consent, GDPR requires active consent from individuals with regard to the collection and processing of their personal information, while PIPEDA allows for either explicit or implicit consent, depending on how sensitive the personal information collected is.
   
   

Data Subject Rights - GDPR vs. PIPEDA 

FAQs about the PIPEDA