What is PIPEDA?
Complete guide to Canada's Personal Information Protection and Electronic Documents Act - the federal privacy law governing private-sector organizations.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal privacy law for private-sector organizations. It came into force on January 1, 2001, and sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
PIPEDA is based on the Canadian Standards Association's Model Code for the Protection of Personal Information and recognizes both the right of privacy of individuals and the need of organizations to collect, use, and disclose personal information for legitimate business purposes.
Key Fact
PIPEDA applies across Canada to private-sector organizations, except in provinces with substantially similar privacy legislation (Quebec, British Columbia, and Alberta have their own laws).
Who Does PIPEDA Apply To?
PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities. This includes:
- Federal works, undertakings, and businesses - such as banks, airlines, telecommunications companies, and interprovincial transportation companies
- Organizations that sell, lease, or trade personal information across provincial or national borders
- Private-sector organizations in provinces without substantially similar legislation
Provincial Variations
Quebec (Bill 64), British Columbia (PIPA), and Alberta (PIPA) have their own substantially similar privacy laws that apply instead of PIPEDA for intra-provincial activities.
The 10 Fair Information Principles
PIPEDA is built on 10 Fair Information Principles that guide how organizations must handle personal information:
Accountability
Organizations are responsible for personal information under their control
Identifying Purposes
Organizations must identify why they collect personal information before or at the time of collection
Consent
Knowledge and consent of the individual are required for collection, use, or disclosure
Limiting Collection
Collection of personal information must be limited to what is necessary
Limiting Use, Disclosure & Retention
Personal information must not be used or disclosed for purposes other than those for which it was collected
Accuracy
Personal information must be as accurate, complete, and up-to-date as necessary
Note: The six principles above are only part of the set. The remaining four principles are Safeguards, Openness, Individual Access, and Challenging Compliance.
Individual Rights Under PIPEDA
PIPEDA grants individuals specific rights regarding their personal information:
- Right to access their personal information held by an organization
- Right to challenge the accuracy and completeness of their information
- Right to have their information amended if it's inaccurate or incomplete
- Right to withdraw consent for data processing (with some exceptions)
- Right to file a complaint with the Privacy Commissioner if concerns aren't addressed
What is "Personal Information" Under PIPEDA?
PIPEDA defines personal information broadly as any factual or subjective information, recorded or not, about an identifiable individual. This includes:
Basic Identifiers
- Name, age, ID numbers
- Address, telephone number
- Email address
- IP addresses
Sensitive Information
- Medical records
- Financial information
- Employment history
- Credit records
Consent Requirements
PIPEDA requires organizations to obtain meaningful consent for the collection, use, or disclosure of personal information. Key requirements include:
1. Knowledge and Consent
Individuals must know what information is being collected, why it's being collected, and who will have access to it before giving consent.
2. Form of Consent
Consent can be express (explicitly given) or implied (through actions), depending on the sensitivity of the information and reasonable expectations.
3. Withdrawal of Consent
Individuals can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
Exceptions and Exemptions
PIPEDA contains several exemptions where consent is not required:
Journalism & Artistic Exemption
Personal information collected, used, or disclosed solely for journalistic, artistic, or literary purposes
Employee Information
Limited exemptions for federal works, undertakings, and businesses in relation to information about their employees
Business Contact Information
Name, title, business address, and telephone number used solely for business communication
Data Breach Notification Requirements
Since November 1, 2018, PIPEDA includes mandatory breach reporting requirements:
Report to Privacy Commissioner
Organizations must report a breach of security safeguards involving personal information to the Privacy Commissioner if it poses a real risk of significant harm to an individual. The report must be made as soon as feasible.
Notify Affected Individuals
Organizations must also notify affected individuals if a breach poses a real risk of significant harm to them. Notification must be given as soon as feasible.
Penalties for Non-Compliance
PIPEDA violations can result in significant penalties:
General Violations
Up to $100,000 CAD
Per violation for failing to comply with PIPEDA requirements
Breach Notification Failures
Up to $100,000 CAD
For failing to report breaches or maintain breach records
PIPEDA vs GDPR: Key Differences
| Aspect | PIPEDA | GDPR |
|---|---|---|
| Jurisdiction | Canada (federal) | European Union |
| Consent Standard | Express or implied depending on context | Must be explicit for most processing |
| Maximum Fine | $100,000 CAD per violation | €20M or 4% of global revenue |
| Data Protection Officer | Not required | Required for certain organizations |
How to Comply with PIPEDA
Conduct a Privacy Audit
Identify what personal information you collect, how you use it, who you share it with, and where it's stored.
Create a Privacy Policy
Develop a clear privacy policy that explains your information practices in plain language.
Implement Consent Mechanisms
Establish procedures to obtain and document consent for collecting, using, and disclosing personal information.
Establish Security Safeguards
Implement appropriate security measures proportional to the sensitivity of the information.
Create Breach Response Plan
Develop procedures to detect, contain, and report data breaches as required by PIPEDA.