Over the past decade, we’ve seen more and more data privacy laws appear around the world, and it’s only the beginning. According to Gartner research, by the end of 2023, a projected 75 percent of the world's population would have their personal information covered under privacy legislation, up from only 25 percent now.
The GDPR is widely accepted as having changed the game in terms of data protection in Europe. But what about Canada's data privacy legislation? Today, we take a deep dive into Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and its impacts on businesses.
PIPEDA: A quick introduction
PIPEDA is a Canadian data privacy law that has been in force since April 13, 2000. It is a federal law, intended to set data protection standards in the private sector. Canada is currently working on legislation that would be similar to the GDPR, Bill C-11, also known as the Canadian Consumer Privacy Protection Act (CPPA). This bill is still being reviewed by Parliament.
Applying to all private-sector organizations that operate across Canada, PIPEDA impacts both how they collect personal information and how they then use or share it as part of their commercial activities.
A number of requirements need to be met by these organizations in order to comply with this Canadian federal law. Particularly, organizations are required to obtain the individual's consent to share their personal information. Much like in Europe with GDPR regulations, if an individual feels that it is necessary, they can request access to their personal information that is held by an organization and challenge its accuracy.
A breakdown of the personal information affected by PIPEDA
PIPEDA, which is enforced by the Privacy Commissioner, covers any data held about an identifiable individual. This can be both factual and subjective. Here is Didomi’s non-exhaustive list of the personal information that is affected:
Basic information such as name, age or date of birth,
Sex and gender,
Ethnic origin, religion,
Passport or identification number,
Physical description or visual images (such as photographs or video recordings),
Health data, from official medical records held by health services to blood type to health data coming from fitness monitoring devices,
Employment history including details from personnel files or any disciplinary actions received,
Socioeconomic status and financial details such as income or records for credits and loans,
Subjective data ranging from personal opinions and comments left online to service and product reviews or disputes and complaints to intentions (career move, purchase decisions).
On the other hand, PIPEDA does not apply in the context of identifiable information for a professional profile, such as the name, title or professional contact details of an employee.
What are the regulations on personal information protection?
Under PIPEDA, protecting individuals' personal information means that said data has to be stored using encryption and backups.
Additionally, it is mandatory for private sector organizations collecting personal information to obtain valid consent, and to refrain from collecting any personal information that is not considered strictly necessary.
For the consent to remain valid, the data can then only be used for the purposes for which it was initially obtained. Otherwise, consent would have to be collected again to comply with PIPEDA.
Finally, appropriate security steps such as physical measures, up-to-date technological tools and organizational controls must be implemented to protect personal information that has been collected.
PIPEDA: Who is required to comply?
Any private-sector entity operating in Canada that obtains, uses, or discloses personal information that crosses provincial or national borders in the course of its economic activities is required to comply with PIPEDA. This is the case for any private-sector organization regardless of where it operates (province or territory), and even if a similar law already applies.
The Electronic Documents Act defines an ‘organization’ as an individual functioning in a commercial capacity, as well as organizations, business partnerships, and trade unions.
These entities may or may not be incorporated. According to the legislation, “commercial activity” refers to any transaction or business conduct, such as the selling, trading, or leasing of information.
What about Cookie Consent Requirements in this new Privacy Law?
At the moment, there is no regulation specific to cookies in Canada; cookies therefore fall under the Canada Anti-Spam Legislation (CASL). The issue of consent collection remains complex but very important.
Originally put in place to regulate computer programs, CASL prohibits the installation of cookies by one person on another person's computer without their express consent. The term "person" includes any individual, entity, corporation, organization or legal representative.
Specifically, CASL requires that consent be obtained in a specific and express manner:
the purpose and intent for which a person is consenting must be clear
the identity of the party for which consent is being collected must be clear
This regulation is similar to the GDPR, except that it includes an exception that makes the interpretation of the law more difficult:
CASL states that an individual is considered to have expressly consented to cookies if their behavior makes it reasonable to believe that they have consented through their actions.
A "strict" interpretation of the law would thus be closer to a cookie consent notice similar to what we find under the GDPR. That is, explicit and informed consent.
Does PIPEDA apply throughout Canada?
PIPEDA is a federal statute that establishes data protection rules for any commercial activity.
As a federal law, it sets data protection standards in the private sector. However, Alberta, British Columbia, and Quebec have also passed private-sector privacy laws introducing additional requirements to the federal law:
In Alberta and British Columbia, these provincial laws are known as the Personal Information Protection Act (PIPA)
In Quebec, it’s referred to as “Bill 64”
Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador have adopted similar legislation, specifically to limit the collection, use and disclosure of personal health data
While both PIPA and Bill 64 are substantially similar to PIPEDA, the federal PIPEDA privacy law is still relevant in these provinces.
What are the risks of PIPEDA non-compliance?
The Office of the Privacy Commissioner of Canada (OPC) is in charge of ensuring that companies follow privacy regulations within the country.
Any violation of the Personal Information Protection and Electronic Documents Act, whether deliberate or inadvertent, can be highly expensive. Per infraction, fines of up to $100,000 CAD may be imposed.
Failing to alert users that data is being gathered, failing to retain records of personal information transfers, and failing to put explicit measures in place to protect individuals' personal information are all examples of violations.
Our checklist to comply with PIPEDA
Ultimately, PIPEDA compliance is the responsibility of the appointed Data Protection Officer in every business. We know it might seem like a daunting task, even when using a Consent Management Platform (CMP), so we're putting together a simple checklist to help you get started.
Keep these 10 steps in mind to get started with your PIPEDA compliance:
In your company, appoint a Privacy Representative.
Create policies and procedures for protecting personal information.
Identify the reasons for which personal information is gathered.
Notify your users that data is being collected and for what purpose.
Request and obtain consent from users.
Limit the collection of personal information to that which is required for the objectives indicated by your organization.
Ensure that personal information is only kept for as long as it is required to meet those goals. Keep the data up to date.
Limit the use or disclosure of personal information to the objectives for which it was collected. Obtain consent again if you need to use the data for another purpose.
Ensure that the data you gather is easily available to your users. Grant individual access to this data.
Allow users to erase the information you've acquired about them.