Guide to PIPEDA – Personal Information Protection and Electronic Documents Act

What is the purpose of PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law that requires covered organizations to obtain an individual’s consent when they collect, use, or disclose that individual’s personal information. It gives individuals the right to access their personal information held by an organization and to challenge the accuracy of that information. It also prohibits organizations from using personal information for purposes other than the purpose it was initially collected for. If an organization is going to use personal information outside of the original purpose of collection, they must obtain consent again. Further, PIPEDA requires organizations to put appropriate safeguards in place to protect PII.

The law defines a “commercial activity” as “any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

Under PIPEDA, “personal information” includes “any factual or subjective information, recorded or not, about an identifiable individual”. This includes information in any form, such as:

  • Age, name, ID numbers, income, ethnic origin, or blood type
  • Opinions, evaluations, comments, social status, or disciplinary actions
  • Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
  • IP address
  • Cookie data
  • Device identifiers collected by mobile apps

PIPEDA does not apply to certain categories of information, including:

  • Personal information handled by federal government organizations listed under the Privacy Act
  • Provincial or territorial governments and their agents
  • Business contact information such as an employee’s name, title, business address, telephone number or email addresses that is collected, used, or disclosed solely for the purpose of communicating with that person in relation to their employment or profession
  • An individual’s collection, use, or disclosure of personal information strictly for personal purposes (e.g. personal greeting card list)
  • An organization’s collection, use, or disclosure of personal information solely for journalistic, artistic or literary purposes

What Types of Businesses Are Subject to PIPEDA?

PIPEDA applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. All federally regulated organizations that conduct business in Canada are always subject to PIPEDA, including:

  • Airports, aircraft and airlines
  • Banks and authorized foreign banks
  • Inter-provincial or international transportation companies
  • Telecommunications companies
  • Offshore drilling operations
  • Radio and television broadcasters

PIPEDA applies to all companies operating in Canada regardless of where the company is based. For instance, a US website operator that collects personal information of Canadian residents would be subject to PIPEDA.

PIPEDA’s Key Requirements

Businesses covered by PIPEDA must follow 10 fair information principles to protect personal information, which include:

  • Accountability: Each entity needs to appoint someone who is responsible for PIPEDA compliance (known as a “Privacy officer”).
  • Identifying Purposes: Each entity must identify the purposes for which they are collecting personal information, before or at the time of collection.
  • Consent: Obtain consent for the collection, use, or disclosure of personal information.
  • Limiting Collection: Each entity may only collect personal information that is necessary for the identified purposes.
  • Accuracy: Personal information needs to be accurate, complete, and up-to-date.
  • Safeguards: Each entity needs to take appropriate security measures to protect personal information.
  • Openness: Each entity must provide a clear and detailed privacy policy to users.
  • Individual Access: Fulfill requests when individuals ask for their personal information or ask for corrections to their personal information.
  • Limiting Use, Disclosure, and Retention: Each entity may only use or share personal information for the purposes for which it was collected (unless the firm has consent or is legally obliged to use or share it for another purpose). Each entity must not store personal information for longer than necessary.
  • Challenging Compliance: Individuals have the right to challenge a firm’s compliance with PIPEDA by filing a complaint.

Businesses must also appoint an employee to be responsible for their organization’s PIPEDA compliance, protect all personal information held by their organization, including any personal information they transfer to a third party for processing, and develop and implement information security policies and practices.

PIPEDA Enforcement and Penalties of Non-Compliance

The Office of the Privacy Commissioner of Canada (OPC) conducts independent investigations into the personal information handling practices of businesses subject to PIPEDA. Complaints can be initiated by individuals or the Privacy Commissioner.

PIPEDA: Frequently Asked Questions

Who does PIPEDA apply to?

PIPEDA (Personal Information Protection and Electronic Documents Act) applies to private sector organizations across Canada that collect, use, or disclose personal information in the course of a commercial activity. More specifically, PIPEDA applies to:

  • Federally regulated organizations: These include banks, airlines, telecommunications companies, and other industries that fall under federal jurisdiction.
  • Interprovincial or international transactions: Any organization that engages in commercial activities across provincial or national borders must comply with PIPEDA, regardless of the province or country they operate in.
  • Organizations in provinces without their own privacy laws: In provinces like British Columbia, Alberta, and Quebec, which have their own privacy laws deemed substantially similar to PIPEDA, the provincial laws generally apply. However, PIPEDA applies to federal works, undertakings, and businesses within these provinces.
  • Non-profit and charity organizations: If these organizations engage in commercial activities (e.g., selling, bartering, or leasing donor lists), they must comply with PIPEDA.

PIPEDA does not generally apply to personal information handled by federal, provincial, or territorial governments, or to personal information collected, used, or disclosed by individuals for personal, domestic, or artistic purposes.

How does PIPEDA differ from GDPR?

The General Data Protection Regulation (GDPR) and PIPEDA are both privacy laws that regulate how organizations handle personal data, but there are key differences between the two:

Jurisdiction

GDPR applies to organizations operating within the European Union (EU) or targeting EU residents, regardless of the organization’s location.

PIPEDA applies to private sector organizations in Canada that collect, use, or disclose personal information in commercial activities, with some exceptions for provinces with their own privacy laws.

Scope of personal data

GDPR broadly defines personal data to include any information related to an identified or identifiable natural person, including online identifiers, location data, and more.

PIPEDA defines personal information as data about an identifiable individual but does not explicitly include categories like online identifiers or biometric data, though such information may still be covered depending on the context.

Lawful basis for processing

Under GDPR, organizations must have a lawful basis for processing personal data, such as consent, contract necessity, legal obligation, vital interests, public interest, or legitimate interests.

PIPEDA emphasizes obtaining meaningful consent from individuals before collecting, using, or disclosing personal information, with few exceptions (e.g., legal investigations).

Data subject rights

GDPR grants individuals extensive rights, including the right to access, rectify, erase, restrict processing, and data portability, among others.

PIPEDA provides individuals with the right to access their personal information and challenge its accuracy, but does not include rights like the right to be forgotten or data portability.

Penalties

GDPR imposes fines of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance.

PIPEDA currently imposes limited fines, but recent amendments (Bill C-27) propose to significantly increase penalties for non-compliance, potentially up to CAD 25 million or 5% of global revenue.

What are the penalties for non-compliance with PIPEDA?

As of now, penalties under PIPEDA are relatively limited. The Office of the Privacy Commissioner of Canada (OPC) does not have the authority to impose direct fines. However, under certain conditions, organizations can face:

  • Court-issued penalties: If an organization fails to comply with a Federal Court order related to a PIPEDA investigation, the court may impose fines up to CAD 100,000 per violation.
  • Reputational damage and civil liability: Organizations found to be in violation of PIPEDA may suffer reputational damage and could be subject to lawsuits by individuals affected by the privacy breach.

Recent amendments proposed under Bill C-27, also known as the Digital Charter Implementation Act, would significantly increase penalties for PIPEDA violations. If enacted, organizations could face administrative monetary penalties of up to CAD 25 million or 5% of global annual revenue, whichever is higher, for serious breaches of the law. As of May 29, 2024, the bill was under consideration in the Canadian Parliament and had been referred to the Standing Committee on Industry and Technology.

Does PIPEDA require data processing agreements?

PIPEDA does not explicitly require data processing agreements (DPAs) in the same way that GDPR does. However, organizations are responsible for ensuring that any third parties they engage comply with PIPEDA’s principles. This includes:

  • Accountability: Organizations must remain accountable for the personal information they transfer to third parties for processing. They should ensure that third-party processors provide comparable levels of protection for personal information.
  • Contractual safeguards: While not mandatory, it is considered best practice for organizations to include contractual clauses or DPAs with third-party processors to ensure compliance with PIPEDA’s requirements. These agreements should outline the roles, responsibilities, and security measures to which the third-party processor must adhere.

What are PIPEDA’s 10 Fair Information Principles?

PIPEDA is based on 10 Fair Information Principles, which form the foundation of how organizations should handle personal information:

  1. Accountability: Organizations must designate an individual or individuals to be responsible for ensuring compliance with PIPEDA’s principles.
  2. Identifying Purposes: Organizations must identify the purposes for which personal information is collected before or at the time of collection.
  3. Consent: The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except in specific circumstances defined by PIPEDA.
  4. Limiting Collection: The collection of personal information must be limited to what is necessary for the identified purposes. Information must be collected by fair and lawful means.
  5. Limiting Use, Disclosure, and Retention: Personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. It must be retained only as long as necessary to fulfill those purposes.
  6. Accuracy: Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
  7. Safeguards: Organizations must protect personal information by security safeguards appropriate to the sensitivity of the information.
  8. Openness: Organizations must make their policies and practices regarding the management of personal information readily available to individuals.
  9. Individual Access: Upon request, individuals must be informed of the existence, use, and disclosure of their personal information and be given access to that information. Individuals must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging Compliance: Organizations must provide a mechanism for individuals to challenge compliance with the above principles. They must also investigate and respond to complaints.

PIPEDA maps to the following frameworks:

Hyperproof makes PIPEDA compliance simple

  • Leverage an out-of-the-box PIPEDA framework template so you can get started quickly and easily
  • Map your privacy and data protection controls to multiple regulatory standards for a unified compliance approach
  • Minimize the time needed to achieve compliance with all essential regulations relevant to your organization
  • Enhance efficiency by seamlessly integrating with the project management tools your team already uses, like ServiceNow, Jira, and Asana
  • Reuse compliance evidence across different frameworks and controls, streamlining your documentation process
  • Quickly gather and document evidence to demonstrate your adherence to PIPEDA regulations
  • Pinpoint and prioritize your critical data protection workflows to ensure robust compliance and safeguard personal information
