Privacy law is one of the areas of law that companies, especially those operating online, have recently had to adjust to. Many countries have enacted privacy legislation that emphasizes protecting the data of their residents, particularly when those residents transact online. Privacy laws differ from one country to another, so it is important to be familiar with them if you operate an online business that serves people around the world.
In Canada, the foremost privacy law for private-sector organizations is the Personal Information Protection and Electronic Documents Act (PIPEDA). For companies that do business in Canada, making sure your website complies with PIPEDA is imperative. In this post we will cover what you need to know about PIPEDA.
Who is Covered Under PIPEDA?
PIPEDA applies to organizations in the private sector across Canada. Specifically, it applies to those private-sector entities which collect, use, or disclose personal information in the course of a commercial activity.
One important term that you need to be familiar with in order to determine if you are covered by PIPEDA is “commercial activity”. PIPEDA defines “commercial activity” as “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.” Basically, any entity engaged in offering or promoting products or services for profit would be included in those engaged in a “commercial activity”.
A very common question about the application of PIPEDA is whether non-Canadian entities are covered by the law. Much like the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), PIPEDA reaches organizations based abroad: the federal Privacy Commissioner and the Federal Court have applied it to foreign organizations that have a real and substantial connection to Canada, for example by collecting personal information from individuals in Canada in the course of commercial activity. As such, any business that serves individuals in Canada would need to comply with PIPEDA, regardless of where that business is located.
Is PIPEDA Applicable to the Whole of Canada?
PIPEDA applies to covered entities across Canada, but there are some exceptions. Some provinces have their own private-sector privacy laws that have been declared substantially similar to PIPEDA: Alberta, British Columbia, and Quebec. Covered entities operating within these provinces are exempt from PIPEDA for collection, use, and disclosure that takes place entirely within the province, so long as they comply with the provincial law. Separately, in Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia, health information custodians are governed by provincial health privacy laws that have likewise been declared substantially similar, so those laws apply in place of PIPEDA to personal health information handled within the province.
There are some exceptions to the application of these exemptions from PIPEDA, however. Regardless of which province it is located in, any private sector organization that handles personal information that crosses provincial or national borders needs to comply with the provisions of PIPEDA. PIPEDA likewise applies to all federally-regulated organizations, no matter which province in Canada they are located. These organizations include banks, airlines, national and international transportation companies, telecommunication companies, television and radio broadcasters, and offshore drilling operations, among others.
What is Personal Information Under PIPEDA?
Much like other privacy laws in different countries, one important concept that covered entities need to focus on is “personal information”. PIPEDA itself defines personal information simply as “information about an identifiable individual”, and the Office of the Privacy Commissioner of Canada explains that this covers “any factual or subjective information, recorded or not, about an identifiable individual.”
This would include information or data in any form, such as the following:
- A person’s name, age, identification numbers, income, blood type or ethnic origin;
- A person’s social status, opinions, evaluations, comments, or disciplinary actions; and
- An employee’s files, credit records, medical records, and loan records, among others
The Ten Fair Information Principles Under PIPEDA
Covered entities are required by PIPEDA to follow the ten fair information principles set out in Schedule 1 of the Act in order to protect personal information. Private-sector organizations must ensure continuous compliance with these principles.
Below is a brief discussion of each of the ten fair information principles under PIPEDA:
- Accountability: Under this principle, covered entities are responsible for the personal information or data that they control. Any private-sector organization covered by PIPEDA must appoint a person, sometimes referred to as a Privacy Officer, who is accountable for compliance with the law.
- Identifying Purposes: Covered entities must identify and document the purposes for collecting personal data or information. They must inform their customers about why the organization needs their personal information before or at the time that such information will be collected.
- Consent: Private-sector organizations are generally required to obtain meaningful consent for the collection, use, and disclosure of personal information.
- Limiting Collection: The covered entity must only collect the personal information needed in order to fulfill the stated purpose for which the data is being collected.
- Limiting Use, Disclosure, and Retention: The organization can only use or disclose personal data or information for the purposes for which it was collected, unless a user consents otherwise. The covered entity must likewise not store personal information for a period longer than necessary to achieve the stated purpose.
- Accuracy: Covered entities must keep the personal information they collect as accurate, complete, and up to date as necessary.
- Safeguards: Organizations must take appropriate security measures in order to protect the personal information they have collected.
- Openness: Entities must inform their customers and employees about the policies and practices for managing personal information.
- Individual Access: An entity’s users must have the right to access and correct their personal information.
- Challenging Compliance: Users must have the ability to challenge an entity’s compliance with PIPEDA by making a complaint.
What Constitutes Valid Consent Under PIPEDA?
Consent is one of the ten fair information principles under PIPEDA. Under this principle, private-sector organizations are generally required to obtain meaningful consent for the collection, use, and disclosure of personal information. But how exactly can consent be considered valid under this law?
Section 6.1 of PIPEDA sets out when consent is considered valid. It states that “the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose, and consequences of the collection, use or disclosure of the personal information to which they are consenting.”
Two Forms of Consent Under PIPEDA
There are two forms of consent under PIPEDA: Express Consent and Implied Consent. Express Consent is also known as “opt-in” consent and it is when an individual actively agrees to something. An example of this would be a user ticking a box with the label “I agree”.
Implied Consent or “opt-out” consent, on the other hand, is when a user is offered an opportunity to refuse and they do not do so. An example of this is when a user is presented with a pre-ticked box with the label “I agree” and they do not unselect it.
According to the Office of the Privacy Commissioner (OPC), a covered entity would need to obtain express consent in the following circumstances:
- In case of sensitive personal information
- The intended use for the personal information may fall outside of the user’s reasonable expectations
- In cases where there is a “meaningful residual risk of significant harm”
In cases other than those enumerated above, implied consent may be allowed.
Seven Guiding Principles for Meaningful Consent
The OPC has provided seven guiding principles that covered entities can follow in order to obtain meaningful consent from their users. They are as follows:
- Emphasize key elements – Whenever a covered entity requests consent, it must give emphasis to the following elements:
  - What personal information the entity is collecting
  - Which parties the organization might share the personal information with
  - The entity’s purposes for collecting, using, and disclosing the user’s personal information
  - Risks of harm and other consequences that might occur as a result of the collection, use, or disclosure
- Allow individuals to control the level of detail they get and when – Individuals should be provided information in manageable and easily-accessible ways, and they should have the ability to control how much additional detail they want to obtain, and when.
- Provide individuals with clear options to say ‘yes’ or ‘no’ – Provide the individual with simple choices that are clearly explained and easily accessible.
- Be innovative and creative – Entities must make use of technological solutions that make it easier to give, decline, or withdraw consent. These include the following:
  - “Just-in-time” notices – Requesting consent at the most appropriate time, only when it is needed.
  - Interactive tools – Making use of videos, walkthroughs, infographics, and other visual aids in order to adequately explain the entity’s privacy settings and important concepts.
  - Customized mobile interfaces – Optimizing privacy information to be effective in spite of the small screen size of mobile phones.
- Consider the consumer’s perspective – Entities must take into account the perspective of the consumer, so the request for consent must be clear, understandable, and user-friendly.
- Make consent a dynamic and ongoing process – Consent is not a one-time event. Entities should periodically remind individuals of their privacy options and should seek fresh consent when they introduce significant changes to their privacy practices.
- Be accountable: Stand ready to demonstrate compliance – Organizations must be able to demonstrate that they have an existing process in place to obtain consent from their users and that the process complies with the provisions of PIPEDA.
What are the Privacy Requirements Under PIPEDA?
Under the principle of openness, PIPEDA requires covered entities to be open about their personal information policies and practices. Clause 4.8.2 of Schedule 1 enumerates five things that organizations are expected to make available in a form that is generally understandable. These five details are as follows:
- The name or title, and the address, of the person accountable for the entity’s privacy policies and practices (often the Privacy Officer), to whom complaints or inquiries can be directed
- Information about exercising a user’s right of access
- Details of what personal information the entity discloses to other organizations, including its subsidiaries or any third parties, as well as the reason for such disclosure
- Details on the type of personal information being stored and an explanation of the purpose it is being used for
- An explanation of the entity’s policies, standards, or codes